Cisco IOS firewall

allitnils
Level 1

hi all,

I'm currently in the midst of obtaining my CCNA, so please excuse the seemingly ignorant questions/descriptions.

We purchased a Cisco 1921 router to replace a software firewall not long ago.

The router was sold as a firewall with the suggestion that an ASA would be unnecessary.

Unfortunately a router does not replace/do the jobs a firewall does, so I looked online and noticed that Cisco do offer firewall security features in one of their IOS.

How do I tell if this is implemented on my router?

If not, does my IOS support this, or do I need to buy an extension/another version of the IOS?


The version of the IOS I have is: c1900-universalk9-mz.SPA.151-4.M4.bin

Without posting the whole running config, these are some of the configurations:

Current configuration : 8364 bytes
!
! Last configuration change at 04:17:05 UTC Thu Feb 21 2013 by mmenga
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname vicst-srcenter
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip flow-cache timeout active 1
!
multilink bundle-name authenticated
!
async-bootp dns-server xxx.xxx.xxx.xxx
async-bootp nbns-server xxx.xxx.xxx.xxx
vpdn enable
!
vpdn-group PPTP_WIN2KClient
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL123456CA
!
username name privilege 15 password 7 xxx
!
interface GigabitEthernet0/0
 description WAN
 ip address xxx.xxx.xxx.xxx x.x.x.x
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address xxx.xxx.xxx.xxx x.x.x.x
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 description PPTP_VPN
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 peer default ip address pool DIAL-IN
 compress mppc
 ppp encrypt mppe auto passive
 ppp authentication ms-chap ms-chap-v2
!
.....

Then there's a whole bunch of extended/standard access lists, some configuration for line vty and console, and

!
scheduler allocate 20000 1000
end


3 Replies

allitnils
Level 1

From what I have read, I need

CISCO1921-SEC/K9

And I have

CISCO1921/K9

so would this imply we don't have the IOS firewall licenses implemented?

I just had a look at show ver and it looks like this:

License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1921/K9          FGL164526CA

Technology Package License Information for Module:'c1900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None

Configuration register is 0x2102

So it's looking promising..?
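As an added example (not part of the original post): the commands that show the licence state on an ISR G2, and the procedure for enabling the security package when it is absent. The table above already lists securityk9 as Permanent, so on this router nothing needs enabling; the CISCO1921-SEC/K9 part number is only the bundle that ships with that licence pre-installed, while the UDI PID is the bare chassis either way. The prompt name and the licence file name below are placeholders.

```cisco
! Added example, not from the thread. Assumes an ISR G2 (c1900 family) running
! 15.1(4)M; the prompt "Router" and the licence file name are placeholders.
!
! 1. Read the licence state. "show version" ends with the technology-package
!    table quoted above; "show license feature" lists the same packages with
!    their enabled/evaluation flags, and "show license" gives the per-licence
!    detail (evaluation time left, EULA acceptance).
Router# show version | begin Technology Package
Router# show license feature
Router# show license
!
! 2. If the "security" row were None, switch the package on. On ISR G2 this
!    activates the built-in evaluation (right-to-use) licence, prompts for the
!    EULA, and takes effect after a reload.
Router# configure terminal
Router(config)# license boot module c1900 technology-package securityk9
Router(config)# end
Router# copy running-config startup-config
Router# reload
!
! 3. A purchased permanent licence is tied to the UDI (PID + SN from the
!    table above) and installed from flash; <file>.lic is a placeholder.
Router# license install flash0:<file>.lic
Router# show license udi
```

Check the "Next reboot" column after step 2: the new package only appears under "Current" once the router has reloaded.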

tobyarnett
Level 1

Ivan,

I don't know that I would suggest a router over a firewall, but if you're going to do that you really should put some ACLs on your WAN interface. What features are you wanting in this IOS?

Toby



Hi Toby, thanks for your reply.

Are there particulars as to why you'd choose a firewall over a router? (I'm sure this would open a whole other controversial discussion, but anything brief will do....)

The router is doing NATting, but what in particular should I be looking for in terms of ACLs on WAN interface?

We have a number of ACLs in place, for example permitting various IPs from coming in, as well as various for IPs going out, which might not exactly be necessary and could be legacy settings from our old firewall.

But as far as I can tell, aside from a bunch of NAT rules, we only have one external ACL.

But these aren't exactly firewall features as such, and ACLs and NAT settings are things that can be done on a base IOS, right?

What other features does the security bundle offer that we could implement?
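As an added example (not from any poster in this thread): the feature the security package adds that a base IOS cannot do is the stateful zone-based firewall (ZBF), and this is what turns the WAN ACL Toby mentions into an actual firewall policy. The fragment below assumes the interface roles from the posted config (Gi0/0 WAN with NAT outside, Gi0/1 LAN and Virtual-Template1 for PPTP clients with NAT inside) and a LAN prefix of 192.168.10.0/24, which is a placeholder because the thread redacts the real addresses. Zone, class-map and policy-map names are my own.

```cisco
! Added example, not from the thread. Assumes a 1921 on 15.1(4)M with
! securityk9 active, Gi0/0 = WAN, Gi0/1 = LAN, Virtual-Template1 = PPTP
! clients, and LAN prefix 192.168.10.0/24 (placeholder; the thread redacts it).
!
! 1. Coarse anti-spoofing ACL on the WAN interface. Keep it coarse: ZBF does
!    not add dynamic entries to interface ACLs, and an inbound ACL is evaluated
!    before the zone policy, so a "deny everything" ACL here would also drop
!    the return traffic the firewall has legitimately opened.
ip access-list extended WAN-IN
 remark drop packets claiming to come from our own LAN or private space
 deny   ip 192.168.10.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
!
! 2. Zone-based firewall: LAN and VPN clients form one trusted zone, the
!    Internet the other. Sessions are inspected only INSIDE -> OUTSIDE; nothing
!    on the WAN can open a session inward because no OUTSIDE -> INSIDE
!    zone-pair exists (traffic between zones with no zone-pair is dropped).
zone security INSIDE
 description LAN and PPTP clients
zone security OUTSIDE
 description Internet
!
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 3. Protect the router itself (the built-in "self" zone). With no zone-pair
!    to "self", everything addressed to the router is allowed by default.
!    Here only PPTP control (tcp/1723), GRE for the tunnels and ICMP echo are
!    let in. "pass" rather than "inspect" is used because GRE cannot be
!    inspected toward self; replies still leave because the reverse direction
!    (self -> OUTSIDE) has no zone-pair and so no restriction.
ip access-list extended SELF-IN
 permit tcp any any eq 1723
 permit gre any any
 permit icmp any any echo
!
class-map type inspect match-all CM-OUTSIDE-TO-SELF
 match access-group name SELF-IN
!
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-OUTSIDE-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! 4. Assign the interfaces. Order matters on a live box: add the inside
!    interfaces first; the moment Gi0/0 joins OUTSIDE, only the policies
!    above permit traffic through the router.
interface GigabitEthernet0/1
 zone-member security INSIDE
interface Virtual-Template1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verify:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Apply it from the console rather than over a PPTP session, and leave the "drop log" entries in place for the first days: the log shows exactly which inbound flows the old ACL-only setup had been letting through.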
