802.1q with ISR IOS firewall

Hi
My basic query is whether a dot1q trunk carrying 2 VLANs (guest wireless and corporate LAN) can still be firewalled using the zone based firewall on an IOS firewall on a 1941 ISR.
Here's more background:
It's for a number of branch sites that will have the ISR as the site WAN router and perimeter firewall, corporate access will go via the WAN MPLS HWIC and internet access will go via an ADSL interface.  The concern is the LAN side.  Whilst the 1941 has 2 onboard LAN interfaces, the guest wireless is combined with corporate wireless so LAN access will need to be via a trunk link and so ultimately the two VLANs need to be separated via firewall rules. 
I know that this wouldn't be an issue on the ASA but I'm not sure whether the zone based firewall on the router would be the same.
Does anyone know whether what I'm trying to achieve is possible on the ISR? I'll try and knock up a diagram and upload it if that helps.
Thanks, Anish

Hello Anish,
It will not present any issue at all.
Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.
Any other question? Sure. Just remember to rate all of my answers.
Julio
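The approach Julio describes, worked through as an added example that is not from the thread: one dot1q subinterface per VLAN, each placed in its own security zone, with the default deny between zones keeping guest and corporate apart. VLAN ids, addresses, interface names and the WAN/ADSL interface types are assumptions.

```cisco
! Added example (not from the thread). Gi0/0 is the dot1q trunk to the LAN
! switch carrying VLAN 10 (corporate) and VLAN 20 (guest); the MPLS HWIC and
! ADSL interface names are assumed.
!
! Zones first: IOS requires a zone to exist before an interface can join it.
zone security CORP
zone security GUEST
zone security MPLS
zone security INET
!
! One subinterface per VLAN on the trunk, each in its own zone.
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 description Corporate LAN (VLAN 10)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security CORP
!
interface GigabitEthernet0/0.20
 description Guest wireless (VLAN 20)
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security GUEST
!
interface Serial0/0/0
 description MPLS WAN via HWIC (assumed interface)
 zone-member security MPLS
!
interface Dialer1
 description ADSL internet (assumed interface)
 zone-member security INET
!
! Guest may only reach the internet, and only DNS/HTTP/HTTPS.
class-map type inspect match-any GUEST-TO-INET-CM
 match protocol dns
 match protocol http
 match protocol https
!
policy-map type inspect GUEST-TO-INET-PM
 class type inspect GUEST-TO-INET-CM
  inspect
 class class-default
  drop log
!
! Corporate may reach the MPLS WAN and the internet, statefully inspected.
class-map type inspect match-any CORP-OUT-CM
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect CORP-OUT-PM
 class type inspect CORP-OUT-CM
  inspect
 class class-default
  drop log
!
zone-pair security GUEST-INET source GUEST destination INET
 service-policy type inspect GUEST-TO-INET-PM
zone-pair security CORP-INET source CORP destination INET
 service-policy type inspect CORP-OUT-PM
zone-pair security CORP-MPLS source CORP destination MPLS
 service-policy type inspect CORP-OUT-PM
!
! No zone-pair exists between GUEST and CORP in either direction, so traffic
! between the two VLANs on the trunk is dropped by the ZBFW default deny.
! Connections initiated from the MPLS side towards CORP would need their own
! MPLS-to-CORP zone-pair and policy.
```

Verify with "show zone-pair security" and "show policy-map type inspect zone-pair sessions" after a guest client browses and a guest-to-corporate attempt is made; the latter should appear as dropped, not as a session.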

Similar Messages

  • Codian MCU with IOS Firewall/NAT

    Hi!
    We have a router configured with the IOS firewall/IOS IPS and one-on-one NAT. Everything works OK, but one function...
    When you start an H.323 session to the Codian MCU from the internet, a menu is presented that shows different conferences to join, you can type in via digits a conference number and it works fine, but if you try to take control of the camera at the main site and select an option, it does not work. Has anyone else experienced anything similar to this or have an idea of a fix?
    Tandbergs on the inside are able to connect to the Codian with its internal IP address OK.
    Thanks!
    Ben

    I've seen it's an old post but I still have some comments.
    the Codian MCU needs some commands to have the external system start or connect to a conference.
    It misuses the "far end camera" option of the remote to do this.
    With FECC enabled the VC system accepts commands from the remote control unit and passes them on to the far site, which here is the MCU. The MCU can accept these commands to connect to a conference.
    But of course the MCU itself has no camera to control!
    So you cannot control a camera at "the main site".
    What you describe wanting seems to be:
         when in a conference, the MCU would resend the FECC commands to another participant in a multiconference
         instead of itself responding to FECC commands?
    That won't work.
    Pieter

  • NME-NAM with Cisco Prime 5.1.2 and IOS Firewall

    Hello,
    I have installed and configured the Cisco NME-NAM with Prime 5.1.2 and have access to the NAM via a web browser. It is not picking up any data even though I have configured the following:
    internal data source
    network site 10.10.16.0/20
    All reports show "No data for selected time interval"
    I am running IOS 15.1 on a 2811 with IOS firewall enabled.
    Do I need to create a FW rule to allow traffic to be monitored by the NME-NAM?
    Thank you,
    Matthew

    Hi rajeeshp,
    Currently I am not allowed to upgrade it because of internal procedures involved in upgrading a specific piece of software (obtaining permissions from various departments). Is it free to upgrade from 1.2 to 1.3, or is there a specific charge for that?
    Predrag Petrovic

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with Guest VLAN on Catalyst 2950 and 3550 switches.
    Please reply to my question.

    Thank you for your help.
    Also, the Cisco web site explains it, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
    but I can't understand that: my site is using Catalyst 2950 SI for 802.1X and guest VLAN in IOS image 12.1(22)EA3.
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    Please reply to my question.

  • Interworking between WCCP and IOS firewall on ISR and ASR routers?

    I ran into a problem last year when running WAAS WCCP and IOS firewall IP inspection on the same 3945 router. They couldn't function at the same time. Cisco indicated that router IOS firewall and WCCP were compatible only when IOS zone-based policy configuration was used. Back then I was using IOS 15.1(1)T1 on the 3945 router and WAAS was version 4.2.3.
    I now have some sites with 2921, 3945, and ASR1002 routers that need to run both IOS firewall and WCCP for WAAS. Now with newer IOS releases, does the IOS firewall still have to be zone-based policy configuration? Because classic IOS firewall is easier to configure for WAAS, just the "ip inspect waas enable" command, I'd prefer the easier configuration.
    What about ASR1002 router IOS firewall with WCCP? I have never implemented that before. I was trying to find some deployment examples or configuration guides from Cisco, but was not able to.
    Thanks for any help.
    Gary

    I'm assuming you placed service group 61 and 62 on the router LAN, WAN inbound directions. Did you apply inspection to LAN to WAN direction or WAN to LAN direction?
    Did you also use WCCP and IOS firewall on ASR routers?
    Thanks a lot

  • IOS Firewall with EasyVPN - What ports need to be opened?

    I can not establish a VPN connection from my VPN client while outside, but can from inside. I assume I need to open a port on my IOS firewall but I am not sure which one. I opened isakmp but that didn't help.
    This is a 2801 with 12.4(15)t. Any Suggestions? The config is attached. Thanks!

    Do the following change:
    interface Virtual-Template2 type tunnel
    interface FastEthernet0/1
    After you get connected you will have the problem that the VPN client gets connected and gets an IP from the pool but cannot communicate with inside hosts!!!
    That is because you need to exempt the traffic going from the inside network to the VPN pool from NAT.
    You can do it in your NAT ACL: make the first line a deny with source your LAN and destination the VPN pool. I would suggest you use IP addressing for your VPN pool different from the LAN range to avoid any subnetting issues.
    Good luck.
    If helpful, rate.

  • 3945 Router Issue between WAAS Module and IOS Firewall

    I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection are running at the same time, user connections to the data center are all lost. With just IP inspection or WCCP redirection but not both, user connections are good.
    I'm feeling the problem is that IP inspection is not WAAS aware. I tried "ip inspect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code are all the newest versions. So I was wondering if anyone has seen similar issues and had experience of enabling WAAS through IP inspection on these new products.
    Here is the configuration info:
    3945 G2 ISR: IOS 15.1(1)T1;
    SM-SRE-900: WAAS 4.2.3 build7;
    3945 LAN interface: ip inspection in and ip wccp 61 redirect in
    3945 WAN interface: ip wccp 62 redirect in
    3945 SM 1/0 interface: internal connection to SM-SRE module
    Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
    If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
    Thanks for any help.

    Hi,
       This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498
    If you still need to run CBAC, then the recommended solution in my first post should work for you.
    If the router is in the middle of a TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".
    Hope this has answered your question. Thanks.
    Ahsan Khan

  • Need Assistance with Download iOS 6 to an iPhone 4. Error 9006

    I am experiencing difficulty with downloading iOS 6 software onto my iPhone 4. I keep getting an error message that due to an unknown error "9006", the software was not downloaded to my iPhone. I have tried downloading via iTunes (I have the latest version, 10.7) and via software update on the iPhone, but have been unsuccessful so far. I have followed suggestions on the iPhone troubleshooting assistant. Nothing has worked for me. Any suggestions?

    Errors related to third-party security software
    Error 2, 4 (or -4), 6, 40, 1000, 9006
    Follow Troubleshooting security software. Often, uninstalling third-party security software will resolve these errors.
    There may be third-party software that modifies your default packet size in Windows by inserting a TcpWindowSize entry into your registry. Your default packet size being set incorrectly can cause these errors. Contact the manufacturer of the software that installed the packet size modification for assistance or follow this article by Microsoft: How to reset Internet Protocol (TCP/IP).
    Verify that access to ports 80 and 443 are allowed on your network.
    Verify that communication to albert.apple.com or photos.apple.com is not blocked by a firewall, or other Internet security setting.
    Discard the .ipsw file, open iTunes and attempt to download the update again. See the steps under Advanced Steps > Rename, move, or delete the iOS software file (.ipsw) below for file locations.
    Restore your device while connected to a different network.
    Restore using a different computer.

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I will really appreciate if you can confirm me if the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the PowerPoint presentation (Cisco Catalyst 2950 Series Switches) and the Software Advisor tool say that those features are only supported with the Enhanced Image.
    If those features are supported by the Standard Image, would you please also inform me of the latest IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 871 802.1x with vlan assignment aka dynamic vlan

    You can do VLAN assignment on the 871W wireless using the local RADIUS server, but unfortunately only LEAP, which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get VLAN re-assignment. Have tried with IAS, which I am using to do VLAN reassignment with the WLC, so I have the idea of how it works with IAS. With the 871, no go. Have also tried ACS for RADIUS with the same results: can't escape the switchport's VLAN. With debug radius local you can see the tunnel attributes for reassignment plainly, but with debug radius with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated
    Greg Turner


  • What is the equivalent implementation of isr ios cli "ip tcp synwait-time 10" on asa cli

    I would like to see an implementation of an ISR IOS cli:
         ip tcp synwait-time 10
    on an ASA cli. Thank you much in advance.

    Hi Oscar,
    this is supported but you need a class-map type management:
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296
    TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
    access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
    class-map type management CONTROL
    match access-list CONTROL_ACL
    policy-map global_policy
    class CONTROL
      set connection conn-max 1
    service-policy global_policy global
    In my tests, it worked for SSH but not for HTTPS:
    ciscoasa(config)# sh conn all
    2 in use, 2 most used
    TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB
    After other sessions:
    %ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
    %ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside
    ciscoasa(config)# sh conn all
    4 in use, 5 most used
    TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
    TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
    TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
    TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB
    Somehow, 0 hitcount on HTTPS ACL...
    ciscoasa(config)# sh access-list
    access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
    access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c
    ciscoasa(config)# sh asp drop
    Frame drop:
      Flow is denied by configured rule (acl-drop)                                 2
      First TCP packet not SYN (tcp-not-syn)                                      49
      Connection limit reached (conn-limit)                                        2
      FP L2 rule drop (l2_acl)                                                    48
    Flow drop:
      SSL bad record detected (ssl-bad-record-detect)                              3
    ciscoasa(config)# sh service-policy
    Global policy:
      Service-policy: global_policy
        Class-map: CONTROL
          Set connection policy: conn-max 1
            current conns 1, drop 2
    You can also control each feature's timeouts separately via:
    telnet/ssh timeout 1
    http server idle-timeout/session-timeout 1
    Note: I tried this in GNS (ASA 8.4.2) and using telnet from a router (not using a real browser for HTTPS), so the results might not reflect a production environment...
    Patrick

  • Managing Routers running IOS Firewall

    I have to create a lab network that is firewalled off from the main production network. I'm thinking of connecting it via routers running firewall IOS (Reasons for not using ASA's? Expected low throughput, demanded low cost, the usual suspects).
    I'd like to have two routers running active/passive. Questions:
    1) can I run two IOS firewalls in Active/passive
    2) is there a way of managing them other than manually replicating the config changes from one to another every time I make a config change?
    All comments/help appreciated (even if the comments are "Don't be so stupid :) )
    Thanks,
    Jim

    At first I would say that it is not possible with IOS firewall, but after Googling it a bit it seems that it's possible to have A/S with IOS firewall. 
    Here are a couple of useful links that I am sure you will love:
    Cisco IOS Stateful Failover - this is for general routers running 12.4T
    IOS Classic Firewall - this is for 3800 platform.
    You can find the requirements and the restrictions in the above links. Regarding your second question, unfortunately it is one of the restrictions: it doesn't support configuration synchronization.

  • Deploying IOS firewall feature set

    Hi All,
    We are trying to deploy the firewall feature in the 2811 router by using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added an access-list inbound on the trusted interface and an ip inspect command on the untrusted interface.
    Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually allowed permit ip any to the inside network block. Is that right?
    We have another question: we would be having another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the non-trusted interface?
    Any help would be really appreciated
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Hello Anantha,
    "Also, initially we want to allow all traffic from the untrusted interface" That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.
    "We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?"
    If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to leave other interfaces unset as trusted.
    Regards

  • "permit tcp any any established" and IOS Firewall

    Guys, I need some clarification here. I have already asked couple TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
    I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
    ip inspect name IOS_Firewall tcp
    ip inspect name IOS_Firewall udp
    ip inspect name IOS_Firewall icmp
    interface FastEthernet4
    ip address dhcp
    ip access-group 161 in
    ip nat outside
    ip inspect IOS_Firewall out
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map mymap
    access-list 161 permit udp any any eq ntp
    access-list 161 permit udp any any eq bootpc
    access-list 161 permit tcp any any established
    access-list 161 permit icmp any any
    access-list 161 permit esp any any
    access-list 161 permit gre any any
    access-list 161 permit udp any any eq isakmp
    access-list 161 permit udp any any eq non500-isakmp
    access-list 161 permit udp any eq non500-isakmp any
    access-list 161 permit udp any eq isakmp any
    access-list 161 permit udp any eq domain any
    access-list 161 permit tcp any any eq telnet
    access-list 161 permit tcp any any eq 1723
    access-list 161 permit tcp any any eq 4500
    access-list 161 permit tcp any any eq 5000
    access-list 161 permit tcp any any eq 5500
    access-list 161 deny   ip any any log
    My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?
    Thank you

    No you do not need it with CBAC's TCP inspection enabled.

  • IOS Firewall doesn't install .pak file

    Hi
    I'm installing a new pack of signature on my IOS Firewall. This is what I'm doing
    1.- Upload the .pak file on the flash memory.
    2.- Install the package with the command copy flash:IPS/IOS-S636-CLI.pkg idconf, but when the installation finishes it doesn't show any error, yet when I enter the command sh ip ips sig it says S0.0
    Has anybody had this problem before?
    Regards

    Hi
    The file is already installed in the flash,
    Router#sh flash
    -#- --length-- -----date/time------ path
    1            0 Nov 01 2011 00:30:32 IPS
    6        87141 Feb 18 2013 23:25:58 IPS/sat485b-isr2821-1-sigdef-category.xml
    7     14685484 Feb 18 2013 23:11:34 IPS/IOS-S636-CLI.pkg
    And after I finish the transfer of the file into the flash I try to install the .pak file
    copy flash:ips/IOS-S636-CLI.pkg idconf
    And it takes like 1 minute and after it finishes I don't get any error, but the signatures are not installed.
    I also tried this:
    copy tftp://189.206.211.16/IOS-S636-CLI.pkg idconf
    but I got the same result.
    The path of the signature is configured
    ip ips config location flash:/IPS/ retries 1
    Regards
