02-26-2013 06:38 PM - edited 03-07-2019 11:57 AM
hi all,
I'm currently in the midst of obtaining my CCNA, so please excuse the seemingly ignorant questions/descriptions.
We purchased a Cisco 1921 router to replace a software firewall not long ago.
The router was sold as a firewall with the suggestion that an ASA would be unnecessary.
Unfortunately a router does not replace/do the jobs a firewall does, so I looked online and noticed that Cisco do offer firewall security features in one of their IOS.
How do I tell if this is implemented on my router?
If not, does my IOS support this, or do I need to buy an extension/another version of the IOS?
The version of the IOS I have is: c1900-universalk9-mz.SPA.151-4.M4.bin
Without posting the whole running config, these are some of the configurations:
Current configuration : 8364 bytes
!
! Last configuration change at 04:17:05 UTC Thu Feb 21 2013 by mmenga
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vicst-srcenter
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip flow-cache timeout active 1
!
!
multilink bundle-name authenticated
!
async-bootp dns-server xxx.xxx.xxx.xxx
async-bootp nbns-server xxx.xxx.xxx.xxx
vpdn enable
!
!
vpdn-group PPTP_WIN2KClient
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL123456CA
!
username name privilege 15 password 7 xxx
!
interface GigabitEthernet0/0
description WAN
ip address xxx.xxx.xxx.xxx x.x.x.x
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address xxx.xxx.xxx.xxx x.x.x.x
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1
description PPTP_VPN
ip unnumbered GigabitEthernet0/0
no ip redirects
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
peer default ip address pool DIAL-IN
compress mppc
ppp encrypt mppe auto passive
ppp authentication ms-chap ms-chap-v2
!
.....
then there's a whole bunch of extended/standard access lists, some configuration for line vty and console, and
!
scheduler allocate 20000 1000
end
02-26-2013 06:57 PM
From what I have read, I need
CISCO1921-SEC/K9
And I have
CISCO1921/K9
so would this imply we don't have the IOS firewall licenses implemented?
I just had a look at show ver and it looks like this:
License Info:
License UDI:
-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*0        CISCO1921/K9   FGL164526CA

Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None

Configuration register is 0x2102
so it's looking promising..?
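A small parser for the licence table quoted above, added here as an example and not part of the original thread: it reads the "Technology Package License Information" block from show version and reports whether the securityk9 package (the one that carries the IOS firewall feature set) is active now and will still be there after the next reload. The sample text is constructed to match the post; the status labels are my own.

```python
import re

# Constructed sample of the licence block as pasted in the thread.
SHOW_VER_SAMPLE = """\
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None
"""

# Constructed variant of a router sold without the SEC bundle.
SHOW_VER_NO_SEC = SHOW_VER_SAMPLE.replace(
    "security      securityk9    Permanent      securityk9",
    "security      None          None           None")

# One data row: technology, current package, licence type, next-reboot package.
ROW_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_tech_packages(text):
    """Return {technology: (current, type, next_reboot)} from the licence table."""
    pkgs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Technology Package License Information"):
            in_table = True
            continue
        # Skip separators and the two header lines (they start with "Technology"
        # or, after indentation, with "Current"); data rows start in column 0.
        if not in_table or line.startswith(("-", "Technology")):
            continue
        m = ROW_RE.match(line)
        if m:
            tech, current, ltype, nxt = m.groups()
            pkgs[tech] = (current, ltype, nxt)
    return pkgs

def security_package_status(text):
    """Classify the securityk9 package: absent, active-permanent, or active-<type>."""
    current, ltype, nxt = parse_tech_packages(text).get("security", ("None",) * 3)
    if current == "None":
        return "absent"                  # no firewall feature set licensed at all
    if nxt == "None":
        return "active-until-reboot"     # licensed now, but gone after a reload
    if ltype == "Permanent":
        return "active-permanent"
    return "active-" + ltype.lower()     # evaluation or other time-limited types
```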
02-26-2013 07:56 PM
Ivan,
I don't know that I would suggest a router over a firewall, but if you're going to do that you really should put some ACLs on your WAN interface. What features are you wanting in this IOS?
Toby
Sent from Cisco Technical Support Android App
02-26-2013 08:04 PM
hi Toby, thanks for your reply..
Are there particulars as to why you'd choose a firewall over a router? (I'm sure this would open a whole other controversial discussion, but anything brief will do....)
The router is doing NATting, but what in particular should I be looking for in terms of ACLs on WAN interface?
We have a number of acls in place, for example permitting various IPs from coming in, as well as various for IPs going out.. Which might not exactly be necessary and could be legacy settings from our old firewall....
But as far as I can tell, aside from a bunch of NAT rules, we only have one external ACL..
But these aren't exactly firewall features as such, and ACLs and NAT settings are things that can be done on a base IOS, right?
What other features does the security bundle offer that we could implement?