Do I need IOS firewall feature set on Catalyst 6500 for FW blade?

Hi all,
If I install a FW blade in a Cat6500, do I need to have the IOS firewall feature set on the Cat6500 itself?
Thanks and Regards,
mak

Nope.
The FWSM uses its own OS based on PIX OS. While it uses SVIs configured in the MSFC, it otherwise runs autonomously from the Sup and MSFC, even in Native mode.
Let me know if this helps by rating the post.
Michael

Similar Messages

  • Deploying IOS firewall feature set

    Hi All,
    We are trying to deploy the firewall feature in the 2811 router by using SDM 2.5. We chose the option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added an access-list inbound on the trusted interface and an ip inspect command on the untrusted interface.
    Also, initially we want to allow all traffic from the untrusted interface to the trusted interface, so we manually allowed permit ip any to the inside network block? Is that right?
    We have another question: we would have another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the non-trusted interface?
    Any help would be really appreciated
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Hello Anantha,
    "Also, initially we want to allow all traffic from the untrusted interface" That would entirely break the idea of deploying the IOS Firewall. The nature of the stateful firewall that comes with the IOS firewall feature set is to block all traffic from an untrusted interface by default, then only allow the return traffic of connections originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.
    "We have another question: we would have another interface on that router to connect to a different network and preferably don't want to configure that interface as trusted or non-trusted. In this scenario, will any traffic originated from the non-defined interface be able to access the trusted interface or also the non-trusted interface?"
    If the inspection rule is applied to the outbound direction of the untrusted interface, feel free to unset other interfaces as trusted.
    Regards

  • Firewall feature set on router

    We have a router connected to the internet with the firewall feature set on it.  NAT is also being done (internet interface outside, LAN interface inside)
    There is an ACL applied to the internet interface in an outbound direction blocking all RFC 1918 addresses, but the internal network (192.168.1.0) still gets out. Is this because NAT occurs before the outbound access-list is processed?
    Thanks

    What if someone horks up the vlan config accidentally or plugs something into the wrong port? Relying on that single layer for security is a bit risky, but that's just my opinion.
    Do you use just VLAN isolation elsewhere in your perimeter as the sole network security control?
    Out of curiosity, if it's open auth, how do you prevent company assets from connecting?

  • HELP needed on Remote Management set to allow access for all users

    My Mac mini Snow Leopard server runs in a data center and I use screen sharing to interact with it. I played with the sharing settings remotely yesterday and changed "allow access for" to all users. I was disconnected immediately and I couldn't log on again. I have no luck changing to other users. I don't want to make a special trip to the center to change it back to whatever it used to be. I can still use AFP to connect but the screen sharing option is no longer available. What does "allow access for all users" mean anyway?
    thanks!

    As its name implies, allow access for all should allow any valid user account to access the server. I'm not sure why it's no longer working. It almost sounds like the ARDAgent crashed.
    Either way there's a command-line interface to the ARD preferences:
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
    man kickstart discusses the options, including examples of how to enable access for specific users.

  • Do I need to have it set to Game Mode for Alchemy to wo

    I have the dreaded cracking/popping right now and for whatever reason this goes away when I put my X-Fi into either Entertainment or Audio Creation mode.
    Can I keep the settings in Entertainment mode and still have ALchemy give me EAX when I run Alchemy supported games?

    Yes, you must be in gaming mode. You have to run ALchemy and add your games, then switch them to the enabled side. http://img65.imageshack.us/img65/722...2007098su2.gif
    But now my game performance sucks, I had way better fps with my SB Live! 5.

  • CSM 4.5 Event Manager for IOS firewall on routers?

    Hi,
    Can anyone confirm for me whether it's possible to send syslog messages from routers running the IOS firewall feature set to CSM, so that the events appear in CSM Event Manager, similar to the way that ASAs do?
    I've set up one of my routers to do this and have confirmed using Wireshark that the syslog packets are received on the CSM 4.5 machine, but they don't seem to turn up in Event Manager.
    This would be an extremely useful feature if I can get it to work!
    Thanks,
    Matt

    Hello friends,
    Please, allow me to resurrect this old post.
    I have already installed CSM 4.4 and I am already managing an ASA through CSM. I have configured CSM according to the following User Guide.
    http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-4/user/guide/CSMUserGuide_wrapper/evntchap.html
    I am not able to see the Events in the Event Viewer client. Would you give me some advice about how to troubleshoot that?
    Regards!

  • IOS Firewall vs. ASA

    Is there a document that compares the security functionality and features of the ASA and the IOS firewall? I need to document why I would want to deploy ASAs at branch locations versus the firewall feature set on the WAN routers.

    Hello Sonepar,
    It really depends on the engineer’s viewpoint. Some prefer to have a single device do their routing and their security, while others prefer to have dedicated security devices. This reasoning, however, does not really determine what the “best” solution for your network is.
    One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], whereas the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router. I will say the ASA typically offers faster performance, but that's partially because the ASA is sort of a one-trick pony and not doing any dynamic routing.
    I think one of the main things to consider is the complexity of VPN features desired. The ASA's feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, an IOS router is your only option as the firewall does not support those. Of course by default, the ASA performs a little faster on VPN tunnels.
    If you’re looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, probably the ASA is your best bet. If however you have a highly decentralized -internal- network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, thus your deployment would be greatly simplified using something like a 2800.
    Policy-Based Routing on the ASA is not supported. Since it is a security device, it only routes traffic through one active default gateway and it cannot classify packets based on source/service like a router does.
    In my personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router…it can add a significant amount of complexity to your design…and ultimately, your troubleshooting.
    Again, in the end it all depends on your company's requirements and what you are looking for.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • "permit tcp any any established" and IOS Firewall

    Guys, I need some clarification here. I have already asked a couple of TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
    I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
    ip inspect name IOS_Firewall tcp
    ip inspect name IOS_Firewall udp
    ip inspect name IOS_Firewall icmp
    interface FastEthernet4
     ip address dhcp
     ip access-group 161 in
     ip nat outside
     ip inspect IOS_Firewall out
     ip virtual-reassembly
     duplex auto
     speed auto
     no cdp enable
     crypto map mymap
    access-list 161 permit udp any any eq ntp
    access-list 161 permit udp any any eq bootpc
    access-list 161 permit tcp any any established
    access-list 161 permit icmp any any
    access-list 161 permit esp any any
    access-list 161 permit gre any any
    access-list 161 permit udp any any eq isakmp
    access-list 161 permit udp any any eq non500-isakmp
    access-list 161 permit udp any eq non500-isakmp any
    access-list 161 permit udp any eq isakmp any
    access-list 161 permit udp any eq domain any
    access-list 161 permit tcp any any eq telnet
    access-list 161 permit tcp any any eq 1723
    access-list 161 permit tcp any any eq 4500
    access-list 161 permit tcp any any eq 5000
    access-list 161 permit tcp any any eq 5500
    access-list 161 deny   ip any any log
    My question is: is the statement "access-list 161 permit tcp any any established" required since I already have the IOS Firewall feature turned on?
    Thank you

    No you do not need it with CBAC's TCP inspection enabled.
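The following Python model is an added illustration, not code from this thread or from Cisco. It shows why the answer above holds and also what the "Deploying IOS firewall feature set" reply means by a stateful firewall admitting only return traffic: the ACL keyword `established` is a stateless check on the ACK/RST flags, while CBAC (`ip inspect ... tcp` applied outbound) keeps a session table and opens the inbound ACL only for replies to sessions it saw leave. The packet structure, the session table, the two sample addresses and the decision order are simplified assumptions made for teaching; NAT on FastEthernet4 is ignored for clarity.

```python
# Added teaching model (not from the thread or from Cisco IOS): compares the
# ACL keyword `established` with CBAC (`ip inspect IOS_Firewall out`) for
# inbound TCP packets on the WAN interface from the post. Packet fields,
# the session table, sample addresses and the decision order are constructed
# assumptions; NAT is ignored for clarity.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INTERNET_HOST = "203.0.113.10"  # constructed (documentation range)
LAN_HOST = "192.168.1.20"       # constructed LAN client behind the router

# TCP ports the static lines of access-list 161 permit inbound (from the post).
STATIC_TCP_PERMITS = {23, 1723, 4500, 5000, 5500}


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


def matches_established(pkt: TcpPacket) -> bool:
    """`permit tcp any any established`: true when ACK or RST is set.
    The test is stateless; it never asks whether an inside host actually
    opened the connection the packet claims to belong to."""
    return bool(pkt.flags & {"ACK", "RST"})


class CbacInspector:
    """`ip inspect IOS_Firewall out` on the WAN interface: remember sessions
    leaving the router, admit only their matching return packets."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def saw_outbound(self, pkt: TcpPacket) -> None:
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def permits_return(self, pkt: TcpPacket) -> bool:
        # Return traffic carries the session's addresses and ports swapped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def inbound_decision(pkt: TcpPacket, insp: CbacInspector,
                     acl_has_established: bool) -> str:
    """Evaluate one inbound TCP packet the way the post's configuration would.
    CBAC's dynamic openings are consulted before the static lines of ACL 161,
    so a known session's reply is admitted whether or not the `established`
    line is present."""
    if insp.permits_return(pkt):
        return "permit (CBAC session)"
    if acl_has_established and matches_established(pkt):
        return "permit (established keyword)"
    if pkt.dport in STATIC_TCP_PERMITS:
        return "permit (static ACL line)"
    return "deny (deny ip any any log)"


def run_scenarios(acl_has_established: bool) -> Dict[str, str]:
    """Three constructed inbound packets, evaluated with or without the
    `permit tcp any any established` line in ACL 161."""
    insp = CbacInspector()
    # The LAN host opened an HTTPS session; the outbound inspect rule saw it.
    insp.saw_outbound(TcpPacket(LAN_HOST, 51000, INTERNET_HOST, 443, frozenset({"SYN"})))
    samples = {
        # Genuine reply to the session above.
        "legit_return": TcpPacket(INTERNET_HOST, 443, LAN_HOST, 51000, frozenset({"SYN", "ACK"})),
        # ACK-flagged packet for a session the router never saw: exactly what
        # the `established` keyword cannot tell apart from a real reply.
        "unsolicited_ack": TcpPacket(INTERNET_HOST, 40000, LAN_HOST, 8080, frozenset({"ACK"})),
        # Plain connection attempt to a port the static ACL does not open.
        "unsolicited_syn": TcpPacket(INTERNET_HOST, 40001, LAN_HOST, 8080, frozenset({"SYN"})),
    }
    return {name: inbound_decision(p, insp, acl_has_established) for name, p in samples.items()}


if __name__ == "__main__":
    for has_line in (True, False):
        print(f"'established' line present: {has_line}")
        for name, verdict in run_scenarios(has_line).items():
            print(f"  {name:16} -> {verdict}")
```

Running it shows the legitimate reply is admitted by the CBAC session entry in both cases, so the `established` line adds nothing for real return traffic; the only packet whose verdict changes is the unsolicited ACK-flagged one, which the keyword admits and the inspection-only configuration logs and drops. That is the practical reason to remove the line once TCP inspection is in place.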

  • Cannot trace to hosts on ISR's using FW feature set

    The issue is that we can trace between networking equipment on tunnels involving the ISR routers using the Firewall feature set, but we cannot trace to hosts. For example from (US)AS1, I can trace to (UK)CS1's 192.168.1.2 IP address, but not to a host that I find in the ARP table for that VLAN. I have added ICMP TTL exceeded and TTL time-outs to the ACLs, but it still does not work. Any help would be greatly appreciated.

    Elijay, you stated that you are using ISRs. Are you perhaps running inspection? If so, you may want to check your ICMP rules for router-traffic and timeouts. You may want to increase the timeout setting.

  • My iPhone 4 won't turn on unless it's on charge, but I need the iOS 6 update? Whilst it's on charge it says I have to connect to iTunes, but the phone turns off before I have plugged it into the computer

    NEED HELP UPDATING
    MY PHONE WON'T TURN ON, ONLY WHILE IT'S ON CHARGE
    BUT I NEED THE IOS 6 UPDATE

    Hello, chloea_2012.
    Thank you for using Apple Support Communities.
    Here are a couple of articles that will help troubleshoot this issue.
    iOS: Unable to update or restore
    http://support.apple.com/kb/HT1808
    iPhone: Hardware troubleshooting
    http://support.apple.com/kb/TS2802
    If you receive any error messages while updating your iOS device, this article provides some helpful troubleshooting steps.
    iTunes: Specific update-and-restore error messages and advanced troubleshooting
    http://support.apple.com/kb/TS3694
    Regards,
    Jason H.

  • IOS feature set

    Guys I'm sure this is a goofy question but I can't seem to find the answer.
    I am wanting to know where I can find the difference between the different feature sets?
    Example: Enterprise Plus, IP, IP Plus, Remote Access Server, etc. etc.
    Is there a feature breakdown of sorts that I can look at to know whether I want the IP or IP Plus feature set, etc. etc.?
    Thanks
    Jimmy

    Hi
    There are various types of packages which are defined for specific functions, e.g. IP routing, advanced routing, VPN encryption, voice, etc.
    Cisco has made different types of packages for different requirements. For example, if a customer is a simple SMB, then he can go for a simple IP feature IOS set. If it's a corporation, he needs advanced functionalities such as BGP, etc., so he can have the IP/PLUS IOS feature set, and so on.
    Please view the IOS packaging guide at the following link
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html
    The following is the link for router's IOS
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
    And the following is the link for switches
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin0900aecd80281b17.html
    Hope that will help.
    Pls rate helpful posts.
    Regards
    JD

  • Asking for IOS Feature Set

    Hi!
    I'm planning to upgrade the IOS of our Cisco 7206 router. I would just like to clarify what feature set C7200-IS-M is. Actual output from "sh ver": (C7200-IS-M) 12.0(6)W5(14).
    Thanks in advance!
    udimpas

    Hello,
    Thanks for the reply. One more clarification, I have checked with the software advisor but IP Plus has a code of IS-MZ for newer versions. Or maybe because early versions(12.0) of IP Plus has a different code?
    Thanks again.
    Regards,
    udimpas

  • IOS Firewall with EasyVPN - What ports need to be opened?

    I can not establish a VPN connection from my VPN client while outside, but can from inside. I assume I need to open a port on my IOS firewall but I am not sure which one. I opened isakmp but that didn't help.
    This is a 2801 with 12.4(15)t. Any Suggestions? The config is attached. Thanks!

    do the following change
    interface Virtual-Template2 type tunnel
    interface FastEthernet0/1
    After you get connected you will have the problem that the VPN client will get connected and get an IP from the pool but cannot communicate with inside hosts!!!
    Because you need to exempt the traffic going from the inside network to the VPN pool from NATing.
    You can do it in your NATing ACL: make the first line a deny with source your LAN and destination the VPN pool. And I would suggest you use IP addressing for your VPN pool different from the LAN range to avoid any subnetting issues.
    good luck
    if helpful Rate

  • Filtering packets w/ IDS feature set based on TTL?

    Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.
    Mike
    CCNA

    The Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
    Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
    Drop the packet
    Reset the TCP connection

  • 3945 Router Issue between WAAS Module and IOS Firewall

    I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection are running at the same time, user connections to the data center were all lost. With just IP inspection or WCCP redirection but not both, user connections were good.
    I'm feeling the problem is that IP inspection is not WAAS-aware. I tried "ip inspect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code are all the newest versions. So I was wondering if anyone has seen similar issues and had experience of enabling WAAS through IP inspection on those new products.
    Here is the configuration info:
    3945 G2 ISR: IOS 15.1(1)T1;
    SM-SRE-900: WAAS 4.2.3 build7;
    3945 LAN interface: ip inspection in and ip wccp 61 redirect in
    3945 WAN interface: ip wccp 62 redirect in
    3945 SM 1/0 interface: internal connection to SM-SRE module
    Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
    If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
    Thanks for any help.

    Hi,
    This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498
    If you still need to run CBAC, then the recommended solution in my first post should work for you.
    If the router is in the middle of a TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".
    Hope this has answered your question. Thanks.
    Ahsan Khan
