
Help with Cisco IOS Firewall

Status
Not open for further replies.

diegolangamer (Technical User, BR), Aug 7, 2009
Hello dears!

First, sorry for my English. :p
I have an environment with a Cisco 1841 (IOS version 15.1) and I need to enable the IOS Firewall. I need help because I don't have experience doing this without risk on production.

Well, this router is the Internet concentrator on my site (including mail, OpenVPN traffic, HTTP/HTTPS access, FTP, MSN, etc.) and has 3 hubs (Cisco 800 series) connected via DMVPN with OSPF, fully functional.

Can anybody help me configure this firewall without risk in this scenario?

Thanks!
 
What is your firewall right now?
Do you use NAT in your current setup?

What do you mean you have 3 hubs? Do you mean your network is segmented into 3 subnets?

Try to explain what you have currently running and where you want to get to. Do you really want to replace your current firewall (what is that?) with your 1841 running IOS access-lists and NAT?

Good luck.

The more you learn, the more you realize how much you don't know.
 
3t0n1c, thanks for the reply!

I need to configure a FW on the c1841 (first site). I forgot to say that I have an iptables firewall after this router, but I would like to block the incoming malicious traffic directly on the router. The server that contains iptables is the one that does the NAT.

About DMVPN, I mean exactly this: the 3 hubs are 3 different network segments (my network=192.168.0.0, hub1=192.168.5.0, hub2=192.168.6.0 and hub3=192.168.7.0).

I only need to activate the FW for incoming unrecognized traffic to improve security a little in my environment. I don't really need to configure this firewall in a very advanced way because I already have my iptables firewall.

Thx!
 
Honestly, if you already use iptables (I assume a Linux box) you could drop all the malicious, DoS, ping-of-death, etc. traffic on the external interface of that machine.

I think your 1841 is just overkill.

However, if you insist, I can drop you some lines on what you need to put in the config to filter out some garbage on the external interface of the 1841 (assuming you know how to set it up for your environment).

Let me know.

The more you learn, the more you realize how much you don't know.
 
Thanks for your tip, 3t0n1c!

You are really right!
What type of config do you suggest for that? Can I just test it?

Thanks one more time!
 
Well, you can drop packets either at your current iptables (on the outside interface, aka eth0) or, if you still want to use your 1841, then you can use access-lists.

Before anything, set up your 1841 to just pass traffic between your ISP and your iptables box. If you can do that successfully without any filtering on the 1841, only then would I go ahead and set up some access-lists on there.

Let me know how you make out.

The more you learn, the more you realize how much you don't know.
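A concrete starting point for the "filter out some garbage on the external interface" step, as an added example that is not part of 3t0n1c's post: an ingress ACL for the 1841's ISP-facing interface. Everything in it is assumed for illustration: FastEthernet0/0 as the outside interface, 203.0.113.1 as the router's own public address, 203.0.113.10 as the public address of the iptables/NAT box (RFC 5737 documentation prefix standing in for the real addresses), the DMVPN spokes reaching the hub over IPsec, and the published services taken from the original post's list (mail, HTTP/HTTPS, FTP, OpenVPN on its default port).

```cisco
! Added example, not from the thread. Assumed: Fa0/0 faces the ISP, the router's public
! address is 203.0.113.1, the iptables/NAT box sits behind it at 203.0.113.10 (documentation
! prefix, stands in for the real addresses), and the DMVPN spokes reach the hub over IPsec.
ip access-list extended ACL-OUTSIDE-IN
 remark -- spoofed or bogus sources that must never arrive from the ISP
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark -- DMVPN terminates on the router itself: ISAKMP, NAT-T and ESP from the spokes
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 remark -- services the iptables box publishes (mail, web, FTP control, OpenVPN)
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq ftp
 permit udp any host 203.0.113.10 eq 1194
 remark -- replies to TCP sessions opened from inside (ACK/RST flag check, not a state table)
 permit tcp any host 203.0.113.10 established
 remark -- UDP has no 'established': DNS answers for the resolver on the iptables box
 remark    must be opened by port, and any attacker can choose that source port
 permit udp any eq domain host 203.0.113.10
 remark -- ICMP needed for path MTU discovery and troubleshooting
 permit icmp any host 203.0.113.10 echo-reply
 permit icmp any host 203.0.113.10 time-exceeded
 permit icmp any host 203.0.113.10 unreachable
 remark -- everything else, logged so you can see what you broke before widening it
 deny   ip any any log
!
interface FastEthernet0/0
 description ISP uplink
 ip access-group ACL-OUTSIDE-IN in
```

Apply it from the console with a safety net (`reload in 10`, then `reload cancel` once you have confirmed the tunnels and the published services still work) and watch the hit counters with `show ip access-lists ACL-OUTSIDE-IN`. The `established` keyword only checks TCP flags, UDP return traffic has to be opened port by port, and FTP's data channel is not covered at all; those gaps are exactly what the stateful options Oyvind describes below close, so treat this ACL as the anti-spoofing layer rather than the whole firewall. Once the `log` entries are no longer teaching you anything, drop the keyword: logging denied packets on a 1841 costs CPU.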
 
You can use CBAC, or the newer Zone-Based Policy Firewall, on this router (creating security zones for each interface). CBAC and ZBF are safer than access-lists, using stateful inspection that tracks port numbers and sessions.
ZBF is easier.
Also you can buy an NME module for IPS (Intrusion Prevention System) for the 1841 that scans for worms, viruses etc. using deep packet inspection. You can also use IPS signatures without the module (IOS signatures).

Oyvind
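What the Zone-Based Policy Firewall looks like for the topology in this thread, as an added example that is not part of Oyvind's post: two zones, stateful inspection of everything started from inside, and only the published services admitted from the Internet. The interface names, the public address 203.0.113.10 of the iptables/NAT box (documentation prefix), the mGRE interface name Tunnel0 and the service list are all assumptions for illustration; it also assumes an IOS image that carries the firewall feature set.

```cisco
! Added example, not from the thread. Assumed: Fa0/0 faces the ISP, Fa0/1 faces the
! iptables/NAT box whose public address is 203.0.113.10 (documentation prefix), and
! Tunnel0 is the mGRE hub interface of the DMVPN towards the three Cisco 800 spokes.
! Needs an IOS image with the firewall feature set (e.g. advsecurityk9).
zone security INSIDE
zone security OUTSIDE
!
! -- sessions started from the LAN or from the spokes: anything, tracked statefully
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! -- sessions the Internet may start, limited to what the iptables box publishes
ip access-list extended ACL-PUBLISHED
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq ftp
 permit udp any host 203.0.113.10 eq 1194
!
! -- FTP classified by application so the inspector opens the data channel (active and passive)
class-map type inspect match-all CM-PUBLISHED-FTP
 match protocol ftp
 match access-group name ACL-PUBLISHED
class-map type inspect match-all CM-PUBLISHED
 match access-group name ACL-PUBLISHED
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-ANY
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-PUBLISHED-FTP
  inspect
 class type inspect CM-PUBLISHED
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface FastEthernet0/0
 description ISP uplink
 zone-member security OUTSIDE
interface FastEthernet0/1
 description towards the iptables box
 zone-member security INSIDE
interface Tunnel0
 description DMVPN hub, mGRE
 zone-member security INSIDE
```

Two points decide whether this breaks the DMVPN. First, an interface that belongs to no zone cannot exchange traffic with a zone member, so Tunnel0 must be placed somewhere; putting it in INSIDE makes hub LAN to spoke LAN traffic, and spoke-to-spoke traffic transiting the hub, intra-zone and therefore unfiltered, while spokes reaching the Internet through the hub are inspected by the IN-OUT pair like any other inside host. Second, the ISAKMP, ESP, NHRP and OSPF packets that terminate on the router itself belong to the implicit `self` zone, which stays open until you define a zone-pair that includes it, so the tunnels keep coming up. Check the result with `show zone-pair security` and `show policy-map type inspect zone-pair sessions`; the `drop log` on the default classes shows you which unexpected flow you forgot before you widen a class.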
 
To start with, Cisco 800s are neither hubs nor subnets - they're routers.

Having said that, the first question is how to configure an IOS firewall, so our answer can't just be that we think he should reconsider the IOS firewall.

Here is a Cisco doc with some detail on configuration, including samples. If you need more detail than that, you'll have to be a bit more specific about how you want this implemented.


CCNP, CCDP
 