Cisco IOS Firewall
This page is about configuring the firewall on Cisco IOS, not on the ASA. The baseline router here is the Cisco 1941/K9 platform with the following software version: (C1900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2).
License
The Cisco 1941/K9 arrives with the universal image, but CBAC and the other firewall features require the securityk9 technology package to be enabled before they work.
Enable securityk9 feature
show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9         no           no          no            yes      no
securityk9       yes          yes         no            no       yes
datak9           yes          yes         no            no       yes
SSL_VPN          yes          yes         no            no       yes
ios-ips-update   yes          yes         yes           no       yes
hseck9           yes          no          no            no       no
WAAS_Express     yes          yes         no            no       yes
r1(config)#license boot module c1900 technology-package securityk9
Then write the configuration and reload the router.
- Verify the license features.
show license feature
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9         no           no          no            yes      no
securityk9       yes          yes         no            yes      yes
datak9           yes          yes         no            no       yes
SSL_VPN          yes          yes         no            no       yes
ios-ips-update   yes          yes         yes           no       yes
hseck9           yes          no          no            no       no
WAAS_Express     yes          yes         no            no       yes
show license detail securityk9
Feature: securityk9                        Period left: 8 weeks 3 days
Index: 1        Feature: securityk9        Version: 1.0
        License Type: EvalRightToUse
        License State: Active, In Use
            Evaluation total period: 8 weeks 4 days
            Evaluation period left: 8 weeks 3 days
            Period used: 10 minutes 48 seconds
            Transition date: Feb 06 2014 11:34:49
        License Count: Non-Counted
        License Priority: Low
        Store Index: 0
        Store Name: Built-In License Storage
After the reboot you will see the following during the boot sequence:
Installed image archive
Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID **********
6 Gigabit Ethernet interfaces
3 terminal lines
1 Virtual Private Network (VPN) Module
2 Cellular interfaces
Disable securityk9 feature
r1(config)#license boot module c1900 technology-package securityk9 disable
Then write the configuration and reload the router. Verify the license features using the show commands from the previous point.
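As an added check (example code written for this page, not Cisco's or the original author's): a small Python parser for the `show license feature` output shown above that confirms securityk9 is actually enabled before the CBAC commands are attempted, and flags any technology package enabled beyond the ones this router is meant to run. The sample output is constructed from the table above.

```python
from typing import Dict, Sequence

# Constructed sample: "show license feature" as printed after enabling
# securityk9 and reloading (columns are whitespace-separated yes/no flags).
SHOW_LICENSE_FEATURE = """\
Feature name     Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9         no           no          no            yes      no
securityk9       yes          yes         no            yes      yes
datak9           yes          yes         no            no       yes
SSL_VPN          yes          yes         no            no       yes
ios-ips-update   yes          yes         yes           no       yes
hseck9           yes          no          no            no       no
WAAS_Express     yes          yes         no            no       yes
"""

# Column order of the flag columns in the IOS output, left to right.
COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "right_to_use")


def parse_show_license_feature(text: str) -> Dict[str, Dict[str, bool]]:
    """Parse 'show license feature' into {feature: {column: bool}}.

    The header row is skipped (it does not split into exactly six fields of
    yes/no values); every data row is the feature name followed by five flags.
    """
    features: Dict[str, Dict[str, bool]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        name, flags = parts[0], parts[1:]
        if not all(f in ("yes", "no") for f in flags):
            continue  # header or unexpected line
        features[name] = {col: (f == "yes") for col, f in zip(COLUMNS, flags)}
    return features


def securityk9_ready(features: Dict[str, Dict[str, bool]]) -> bool:
    """True when securityk9 is enabled, i.e. 'ip inspect' (CBAC) will work."""
    sec = features.get("securityk9")
    return bool(sec and sec["enabled"])


def unexpected_enabled(features: Dict[str, Dict[str, bool]],
                       allowed: Sequence[str] = ("ipbasek9", "securityk9")):
    """Packages enabled beyond the allowed set (drift check after a reload);
    any extra enabled package widens the router's feature surface."""
    return sorted(n for n, f in features.items() if f["enabled"] and n not in allowed)
```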
CBAC - Context Based Access Control
WIP....
license boot module c1900 technology-package securityk9
ip inspect name REMEMBER tcp
ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 deny ip any any log
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group INTERNET-IN in
 ip nat enable
 ip inspect REMEMBER out
 duplex auto
 speed auto