
Cisco 2651XM Firewall and VPN

Status
Not open for further replies.
Jul 25, 2003
Hi All,
I have a 2651XM that is supposed to have the feature set for firewall and 3DES VPN, but I have no idea how to implement either. I have been reading up on VPN for general information, but Cisco's site has an overwhelming amount of information and I can't figure out what to look at and what to ignore. Also, I understand that presently I am only doing NAT and ACLs, which is not truly implementing the firewall portion of the IOS. If this is true, how do I activate the actual firewall portion of the IOS? I have version 12.2; I'm not sure how to find out which release of 12.2 I have. Thanks for any assistance you all can provide a newbie.
 
Hi ddesignnnc,
Please let me know how many megabytes you have in flash and RAM. I guess 16MB flash and 64MB RAM. I think when you have those resources you should configure your router as a firewall or as a VPN site.
 
Maybe this link can help you with VPN, if it is VPN clients you want connecting to the router.

As for the firewall, you really should seek professional assistance for a firewall config if you don't know how. Anywho, here is a link for some sample configs for the firewall.

Basically you define a set of applications/ports that the firewall should inspect (like h323, tcp, udp, cuseeme and so on). Then you create an ACL that denies everything and apply it incoming on your outside interface, and apply ip inspect outgoing on the outside interface. This will dynamically create openings in the ACL on the basis of the sessions that are opened from inside, so that the return traffic is allowed. This means that you also have to open ports in that ACL for traffic that is initiated from the outside, like mail to a server or a web server.


Hope this helps you.
Jan
 
You need to check out how to use "inspect" lists. Take a look at:


for many examples. Here is a quick primer. First create an inspection list.

ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
ip inspect name Dialer_0 icmp


Then apply it along with an access-list to an [outbound] interface.

interface Dialer0
ip access-group 101 in
ip inspect Dialer_0 out

A sample access-list.

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny ip any any log
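As an added example (not from the poster above), the following Python checker applies the pairing rule this primer describes to a constructed config: every interface with an inbound access-group must also carry an outbound ip inspect whose list name is defined, and the ACL should end in the logged deny. The 203.0.113.10 mail server permit and the Ethernet0/0 interface are assumptions added to show an intentional opening and a misconfigured interface.

```python
import re
from collections import defaultdict

# Constructed sample: the inspect list, interface and ACL from the thread, plus an
# inbound "hole" for mail to a hypothetical server and an unpaired second interface.
SAMPLE_CONFIG = """\
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 icmp
interface Dialer0
 ip access-group 101 in
 ip inspect Dialer_0 out
!
interface Ethernet0/0
 ip access-group 102 in
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 deny ip any any log
access-list 102 permit ip any any
"""

def audit_cbac(config):
    """Returns {"findings": [...], "holes": {acl: [permit entries]}} for an IOS config."""
    inspect_lists, acls, interfaces, cur, findings = set(), defaultdict(list), {}, None, []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip inspect name (\S+) ", line):
            inspect_lists.add(m.group(1))          # defined inspection lists
        elif m := re.match(r"interface (\S+)$", line):
            cur = interfaces.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"ip access-group (\S+) in$", line)):
            cur["acl"] = m.group(1)                # inbound ACL on this interface
        elif cur is not None and (m := re.match(r"ip inspect (\S+) out$", line)):
            cur["inspect"] = m.group(1)            # outbound inspect on this interface
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif line == "!":
            cur = None                             # end of the interface block
    for name, cfg in interfaces.items():
        acl, insp = cfg.get("acl"), cfg.get("inspect")
        if acl and not insp:
            findings.append(f"{name}: ACL {acl} applied inbound but no 'ip inspect ... out' (return traffic dropped)")
        if insp and insp not in inspect_lists:
            findings.append(f"{name}: inspect list {insp} is not defined")
    for acl, entries in acls.items():
        if entries[-1] != ("deny", "ip any any log"):
            findings.append(f"access-list {acl} does not end with 'deny ip any any log'")
    # Explicit permits are the intentional openings for outside-initiated traffic.
    holes = {acl: [e for a, e in entries if a == "permit"] for acl, entries in acls.items()}
    return {"findings": findings, "holes": holes}
```

Running it on SAMPLE_CONFIG flags Ethernet0/0 (ACL without inspect) and ACL 102 (no final logged deny), and lists the SMTP permit as the one intentional hole in ACL 101.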
 
What about when configuring the VPN? Shouldn't a rule also be configured for the firewall to let this traffic go through?

cheers,
 
I suggest you download and install Cisco's SDM, Security Device Manager software. This is TFTP'ed to the flash on the router alongside the IOS image. You can then configure the router using a fairly intuitive web interface (you need to install a Java plugin first on your PC, obtained from Cisco/Sun). The FW option automatically creates the FW inspection list for you, and if you have created a VPN it creates an access list to allow the relevant ports. I was sceptical until I used it. Give it a go. But not on a production environment while you are figuring it out!
 
Hi, friends, I hope all is OK.

I need help configuring my router; I didn't configure the firewall function on my Cisco 2620XM router.
IOS version 12.2(8)4T: when I first used the ip inspect function in global configuration, that command did not run.

Can you help me friend ?

Thanks

Best Regards
Achmad Sofyan


 