Cisco IOS Firewall

From Ever changing code
Latest revision as of 01:18, 11 December 2013

This page is about configuring the firewall on Cisco IOS (not ASA). The baseline router here is a Cisco 1941/K9 platform with the following software version: (C1900-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2).

License

The Cisco 1941/K9 ships with the universal image, but CBAC and the other firewall features require the securityk9 technology package to be enabled before they work.

Enable securityk9 feature

Before the package is enabled, show license feature reports securityk9 with Enabled = no:

show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             no       yes
datak9                   yes          yes         no             no       yes
SSL_VPN                  yes          yes         no             no       yes
ios-ips-update           yes          yes         yes            no       yes
hseck9                   yes          no          no             no       no
WAAS_Express             yes          yes         no             no       yes
r1(config)#license boot module c1900 technology-package securityk9

Then write the configuration and reload the router.

After the reload, verify the license features; securityk9 now shows Enabled = yes:
show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
datak9                   yes          yes         no             no       yes
SSL_VPN                  yes          yes         no             no       yes
ios-ips-update           yes          yes         yes            no       yes
hseck9                   yes          no          no             no       no
WAAS_Express             yes          yes         no             no       yes
show license detail securityk9
Feature: securityk9                      Period left: 8  weeks 3  days
Index: 1        Feature: securityk9                        Version: 1.0
        License Type: EvalRightToUse
        License State: Active, In Use
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 3  days
            Period used: 10 minutes 48 seconds
            Transition date: Feb 06 2014 11:34:49
        License Count: Non-Counted
        License Priority: Low
        Store Index: 0
        Store Name: Built-In License Storage

After the reboot, you will see the following during the boot sequence:

Installed image archive
Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID **********
6 Gigabit Ethernet interfaces
3 terminal lines
1 Virtual Private Network (VPN) Module
2 Cellular interfaces

Disable securityk9 feature

r1(config)#license boot module c1900 technology-package securityk9 disable

Then write the configuration and reload the router. Verify the license features using the show commands from the previous point.
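The two show commands above are what an operator checks before pushing any ip inspect configuration: the package must be enabled, and an EvalRightToUse license has a finite evaluation period. The following is an added example, not part of the original page, that parses the text of show license feature and show license detail securityk9 into those two facts. The command output embedded in it is copied from this page and is labelled as constructed input so the script runs offline.

```python
"""Check securityk9 licensing state from IOS 'show license' output.

Added example, not from the original page: parses 'show license feature'
and 'show license detail securityk9' text and reports whether the
package is enabled and how much evaluation time is left.
Both samples below are the page's own command output, embedded here as
constructed input so the script runs offline.
"""
import re

SHOW_LICENSE_FEATURE = """\
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
datak9                   yes          yes         no             no       yes
SSL_VPN                  yes          yes         no             no       yes
ios-ips-update           yes          yes         yes            no       yes
hseck9                   yes          no          no             no       no
WAAS_Express             yes          yes         no             no       yes
"""

SHOW_LICENSE_DETAIL = """\
Feature: securityk9                      Period left: 8  weeks 3  days
Index: 1        Feature: securityk9                        Version: 1.0
        License Type: EvalRightToUse
        License State: Active, In Use
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 3  days
            Period used: 10 minutes 48 seconds
            Transition date: Feb 06 2014 11:34:49
        License Count: Non-Counted
        License Priority: Low
        Store Index: 0
        Store Name: Built-In License Storage
"""

# Column order of the 'show license feature' table, after the feature name.
COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "righttouse")


def parse_license_features(output):
    """Return {feature: {column: bool}} from 'show license feature' text."""
    features = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows are exactly: name + five yes/no cells. The header row
        # ('Feature name ...') splits into seven tokens and is skipped.
        if len(parts) != 6 or any(p not in ("yes", "no") for p in parts[1:]):
            continue
        features[parts[0]] = {col: val == "yes" for col, val in zip(COLUMNS, parts[1:])}
    return features


def package_enabled(output, package="securityk9"):
    """True when the technology package is reported as Enabled = yes."""
    return parse_license_features(output).get(package, {}).get("enabled", False)


def license_type(output):
    """The 'License Type' string from 'show license detail', or None."""
    m = re.search(r"License Type:\s*(\S+)", output)
    return m.group(1) if m else None


def evaluation_days_left(output):
    """Remaining evaluation period in days (weeks*7 + days), or None."""
    m = re.search(r"Evaluation period left:\s+(\d+)\s+weeks\s+(\d+)\s+days", output)
    return int(m.group(1)) * 7 + int(m.group(2)) if m else None


def precheck(feature_output, detail_output):
    """Summarise what an operator should know before pushing CBAC config."""
    return {
        "securityk9_enabled": package_enabled(feature_output),
        "license_type": license_type(detail_output),
        "evaluation_days_left": evaluation_days_left(detail_output),
    }


if __name__ == "__main__":
    print(precheck(SHOW_LICENSE_FEATURE, SHOW_LICENSE_DETAIL))
```

Run against the page's output the check reports securityk9 enabled, license type EvalRightToUse and 59 days (8 weeks 3 days) of evaluation left; feeding it the pre-enable table from the previous point returns enabled = False, which is the condition to stop on before configuring inspection.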

CBAC - Context Based Access Control

WIP....

! CBAC needs the securityk9 package (see the License section above)
license boot module c1900 technology-package securityk9

! Inspection rule: track outbound tcp, udp and icmp sessions and open
! the matching return traffic through the inbound ACL
ip inspect name REMEMBER tcp
ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp

! Inbound ACL for the outside interface. DNS replies (UDP source port 53)
! are permitted statically because CBAC does not track the router's own
! lookups (see the reference below); everything else must belong to an
! inspected session or it is dropped and logged
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 deny   ip any any log

! Outside interface: ACL applied inbound, inspection applied outbound
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group INTERNET-IN in
 ip nat enable
 ip inspect REMEMBER out
 duplex auto
 speed auto
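The fragment above only works if its three parts agree with each other: the inspection rule named on the interface must exist and cover the session protocols, and the interface that inspects outbound must have an inbound ACL that ends in an explicit deny, since that deny is what CBAC punches its dynamic holes through. The following is an added example, not part of the original page, that lints a running-config fragment for those invariants. It parses only the config lines used on this page; the sample input is the page's own CBAC fragment, embedded as constructed input, plus a deliberately broken copy of it.

```python
"""Lint a classic IOS firewall (CBAC) configuration fragment.

Added example, not from the original page: parses an IOS running-config
fragment and checks the invariants a CBAC deployment relies on. The
sample config is the page's own CBAC fragment, embedded here as
constructed input; BROKEN_CONFIG is a deliberately damaged copy.
"""
import re

SAMPLE_CONFIG = """\
license boot module c1900 technology-package securityk9
ip inspect name REMEMBER tcp
ip inspect name REMEMBER udp
ip inspect name REMEMBER icmp
ip access-list extended INTERNET-IN
 permit udp any eq domain any
 deny   ip any any log
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group INTERNET-IN in
 ip nat enable
 ip inspect REMEMBER out
 duplex auto
 speed auto
"""

# Constructed failure case: the ACL loses its final deny and the interface
# refers to a misspelled inspection rule.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" deny   ip any any log\n", "").replace(
    "ip inspect REMEMBER out", "ip inspect REMMEBER out")


def parse_config(text):
    """Return (inspect_rules, acls, interfaces) from an IOS config fragment.

    inspect_rules: {name: set(protocols)}; acls: {name: [entry lines]};
    interfaces: {name: [config lines]}. Indented lines belong to the most
    recent 'ip access-list' or 'interface' block.
    """
    inspect_rules, acls, interfaces = {}, {}, {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = " ".join(raw.split())
        if raw[0] != " ":
            current = None
            m = re.match(r"ip inspect name (\S+) (\S+)", line)
            if m:
                inspect_rules.setdefault(m.group(1), set()).add(m.group(2))
                continue
            m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
            if m:
                current = acls.setdefault(m.group(1), [])
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                current = interfaces.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return inspect_rules, acls, interfaces


def lint_cbac(text):
    """Return a list of findings; an empty list means the checks pass."""
    rules, acls, ifaces = parse_config(text)
    findings = []
    if "technology-package securityk9" not in text:
        findings.append("securityk9 package not enabled; ip inspect will not be accepted")
    for ifname, lines in ifaces.items():
        inspect = [l.split() for l in lines if l.startswith("ip inspect ")]
        acl_in = [l.split() for l in lines
                  if l.startswith("ip access-group ") and l.endswith(" in")]
        for _, _, name, direction in inspect:
            if name not in rules:
                findings.append(f"{ifname}: ip inspect {name} {direction} references an undefined rule")
            elif not {"tcp", "udp"} <= rules[name]:
                findings.append(f"{ifname}: rule {name} does not inspect both tcp and udp")
        if inspect and not acl_in:
            findings.append(f"{ifname}: inspection configured but no inbound ACL for return traffic")
        for _, _, aclname, _ in acl_in:
            if aclname not in acls:
                findings.append(f"{ifname}: inbound ACL {aclname} is not defined")
                continue
            entries = acls[aclname]
            if not entries or entries[-1] != "deny ip any any log":
                findings.append(f"{aclname}: does not end with an explicit logged deny")
            if "permit ip any any" in entries:
                findings.append(f"{aclname}: permit ip any any makes inspection pointless")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_cbac(cfg) or "OK")
```

The page's fragment passes cleanly; the broken copy produces two findings, one for the undefined inspection rule and one for the ACL that no longer ends in a logged deny. The whitespace normalisation in parse_config is what lets the check match the page's "deny   ip any any log" regardless of how IOS or an editor spaced it.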

References

Applying CBAC Inspection to Local Traffic - http://packetlife.net/blog/2011/apr/21/applying-cbac-inspection-local-traffic/