Cisco Routers :: 881 With Firewall Features Enabled
Jul 13, 2012
I am doing a security assessment of an organization that uses 871/881 routers with the firewall features enabled. I see the following commands defining packet inspection done by the firewall software.
-ip inspect name inet-users tcp
-ip inspect name inet-users udp
-ip inspect name inet-users icmp
What I am trying to define is the inspect name "inet-users". It is obviously a constant defined by IOS, as it is not defined anywhere in the configuration file like any other "variable" and does not generate an error. What does "inet-users" define? I'm assuming it is all users using the interface(s) where the inspect commands are used, but is that correct? The Cisco IOS manuals do not contain a reference to "inet-users", which is why I'm here asking.
This is regarding my RV042. Its firmware version is v4.1.1.01-sp (Dec 6 2011 20:03:18), unchanged from how I received it. I purchased it less than a month ago. I have a problem wherein the firewall behavior is not what I expect it to be: I expect only allowed ports/services to be open to a given private IP from the outside, but I am finding that all are open to that private IP!
Let me describe the current configuration. I am going to blank out all digits of the public IP addresses when discussing them except for the final digits, for security reasons. The router's WAN1 is set up as static, X.X.X.189. This is part of my public IP block. WAN2 is disabled. One-to-One NAT is enabled. Three instances of it are set up. One, for example, is 192.0.2.89 (a private IP) mapped to X.X.X.180, a public IP, part of our public block. Forwarding is not enabled. There is no DMZ Host. That is set to 192.0.2.0. Firewall and SPI are Enabled. Access Rules for the firewall are set up in addition to the default rules, which are present to Deny all traffic with WAN1 and WAN2 as the source, from any source to any destination. This to me means that unless I set up Allow actions, there should be no access from the outside, WAN1. As an example of one of my Allow rules, I have this:
Action: Allow Service: HTTP Log: Not log Source interface: WAN1 Source IP: ANY Destination IP: Single, 192.0.2.89 Time: Always
My problem: My expectation is that based on the One-to-One NAT setting, the public IP X.X.X.180 is now associated with the private IP 192.0.2.89, but nothing from public to private is allowed unless allowed by the firewall, which is only set to allow HTTP / port 80 to 192.0.2.89. But the behavior is that 192.0.2.89 is, as presently configured, open to everything from the associated public IP, not just port 80, but all ports! It is as if my firewall rules have no impact whatsoever.
Recently encountered an issue with our Elastix PBX and packet loss. Noticed this morning that when I turn on the firewall on our RV082, packet loss begins around the Level 3 servers I see in my traceroute, and then slowly spreads out to all hops. When I turn the firewall back off, all hops have no packet loss or less than 1%. The weird part is, previously I had the firewall enabled and never had this issue.
I recently installed an RV042 v1.1 vpn router (older hardware revision but using the latest available firmware 1.3.12.19-tm) and set up VPN access with the QuickVPN client. QuickVPN requires that the HTTPS setting be enabled under the Firewall options, so I did. I then scanned our static IP with grc.com's ShieldsUP! to check for open or non-stealthed ports and discovered that ports 80 and 443 show as wide open, while port 113 is closed but not stealthed. If I disable the HTTPS setting under Firewall, then ports 80 and 443 become stealthed. Is there any way to use QuickVPN and keep these ports stealthed?
The unit is configured as an internet gateway. 4 NAT ports are active. When the firewall is disabled, all works fine. When the firewall is enabled, I get connection loss at random intervals. In the firewall, only 4 rules were added to the default 3 rules. The added rules are:
1/ permit 192.168.1.22 port 25 to any
2/ permit 192.168.1.27 port 25 to any
3/ permit 192.168.1.10 port 25 to any
4/ deny any port 25 to any
I get connection loss at random times when navigating with Windows Explorer on a PC with IP 192.168.1.x to a share on a PC with IP 172.25.152.74. The same happens when copying files. Sometimes it works, later it fails or retries are needed. When the firewall is switched off, all runs fine.
Ping from 192.168.1.x to 172.25.152.74 always gives a <1ms response.
Is there an RV082 performance problem or do I have a configuration problem?
I have an RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
HTTP [TCP/80~80] -> 10.0.0.6
HTTPS [TCP/443~443] -> 10.0.0.6
IMAP [TCP/143~143] -> 10.0.0.5
IMAP SSL [TCP/993~993] -> 10.0.0.5
SMTP SSL [TCP/587~587] -> 10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out. Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IPs on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.
I just purchased an SA 520 and I am trying out the IPS feature before I buy. During my tests I get around 85 Mbps off a 100 Mbps connection (which is relatively normal); however, as soon as I enable IPS with very few options (Trojan/virus, HTTP, etc.), it drops down to 18 or so. Any way to improve this?
After configuring the router and enabling a load of functions to secure our LAN, the download speed halved! Even disabling ActiveX "eats" 10 Mbps! I understand that enabling IPsec will drag the speed down to 25 Mbps, but I have disabled this.
Even setting the QoS to speeds equal to or higher than the ISP's promises drags the speed down!
Will the products from the SRP 540 series line (541W etc.) ever support IPv6 features or remote VPN (e.g. SSL VPN or Cisco QuickVPN)? If yes, is there a time horizon?
My current network setup has a PIX 525 firewall, and for IDS I have a 4215 box. As the utilization is high, I am buying a new ASA 5520 firewall.
My query is:
1. My IDS is end of support; should I buy an IPS module with the ASA 5520? Is it recommended?
2. Other than firewalling, what are the default features supported in the ASA 5520, like VPN, content filtering etc.?
url... For the new firewalls, i.e. 5512-X, 5515-X etc., there seems to be integrated IPS and we don't need to order any extra license or part number to get the IPS features.
But for the 5585-X it says 2 Gbps for the SSP10 engine, but I have seen in the Dynamic Configuration Tool that SSP10 and IPS-SSP10 are different things. Which means that I will have to order 2 service engines, SSP10 and IPS SSP10, to get the IPS features, and if I only order SSP10 with that chassis I will only get firewalling?
How do I verify if CG-NMS is enabled on an ASA5520? I just need to know if it's enabled/installed, or needs to be enabled, to be used. Cisco Adaptive Security Appliance Software Version 8.0(5)28. Device Manager Version 6.1(5)51.
We have several RV082s here which are intended to connect to a central ASA5510 firewall. The VPNs are configured and do work basically, however in our test environment the RV082s kept crashing after an apparently unpredictable amount of time (sometimes after several days or even weeks). All the RV082 have the newest firmware installed (v4.1.0.02-tm).
When further investigating the issue, I found out that the crashes can be reproduced when enabling the keep-alive option on the RV082. When powering up the RV082, they boot, start up the VPN, and then they crash a few seconds after the tunnel has been established (one or two pings usually get through). When crashing, the RV082 becomes completely unreachable, i.e. no ping, no web interface etc.
There is a note in the firmware release notes saying that enabling the keep-alive option would not work the way it should. However, it seems that enabling that option lets the router completely crash after its next reboot. This makes the keep-alive option basically worthless; however, we need this since the routers will get installed at remote sites with no personnel available there.
Is there any way to enable the keep-alive option without making the routers crash immediately after startup?
I need to upgrade an ASA 5550 with NAT controller enabled from 7.2 to 8.x. I've been reading that NAT is configured differently from release 8.3 onward, so I chose to upgrade to the 8.2 release.
I have upgraded to the new RV042G to take advantage of the gigabit Ethernet speeds and to prepare for when our ISP upgrades our bandwidth. I currently use the RV042 with Protect Link enabled to filter out various categories from our network traffic. I noticed that this feature is not included with the RV042G.
Is this something Cisco will decide to add back in later? In the meantime, how to block content on the network? The basic URL and keyword filter will not meet our needs, since it is much easier to let a service such as Trend Micro manage what is blocked in the categories they offer.
I am using the router DIR-825 together with a modem-router DSL-526B. After reading many posts, I understand that I have to bridge the DSL-526B and use the more complete DIR-825 under PPPoE to connect to the Internet. However, when bridging the DSL-526B, the settings show after setup that the firewall and NAT are enabled, whereas, when looking at the quick bridging setup in the manual, it seems that they should be disabled. My questions are therefore:
In bridging mode, can the firewall and NAT remain enabled, or could that create a conflict with those of the DIR-825 or create complications? If so, how do I disable them, as there is no option for doing so in the bridging quick setup?
I'm noticing, after configuring the Trend Micro URL filtering on a Cisco 2821, high latency on HTTP navigation: the ping for the requests shows a 245ms latency, but if I disable this feature on the router, navigation returns to normal and the latency decreases to 70ms.
I am getting this error on my PIX 535 with 8.0.4 code. The error is "Error : OSPF/RIP cannot be enabled on failover interface". I am getting this error while trying to enable RIP on the firewall. The context is single mode and failover is enabled. When I disable failover, the firewall accepts the RIP configuration.
Today I received an FWSM from Cisco (RMA). I need to configure it as the standby unit for an existing FWSM active/standby setup.
The IOS on the RMAed FWSM is 2.3.4, and Cisco VSS supports FWSM IOS 4.0.4 and later. My issue is that I cannot access the FWSM (IOS 2.3.4) via the session command from the Cisco 6513, but I could successfully console into it without any problem. I have reloaded it twice and also tried disabling and enabling power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
Why can't I access the FWSM through the session command? Is this because of the older IOS? If yes, then how do I upgrade its IOS? Is it possible to upgrade the IOS via the FWSM console? If yes, do I need to test on a different slot?
Using a Mac running Mac OS X 10.6.8 with VPN Tracker 6.3.0. Before switching to the WAG320N I had no issues with my IPSEC VPN client. After the switch it consistently fails in Phase 1 negotiation. In the log file of the gateway I only notice: "Mon, 2011-08-22 07:47:31 - [Outgoing] UDP Packet - 192.168.1.100:500 --> IP.ADDRESS.VPN.GATEWAY:500". The software itself complains about timeouts while contacting the remote gateway. VPN pass-through is enabled, no port forwarding is set up, firewall is disabled.
NCM is going away. It is recommended to move to LMS. We already have an LMS deployment, currently just used for Monitoring/Performance. Trying to figure out how to get the configuration change piece that we used NCM for into LMS. Not really having any luck. What I really want to do is configuration archive, device config change notices (when a device config changes I can run a report to see who changed what), and configuration comparisons (between old and new configs).
Need to understand some features of Cisco Small Business 300 Series Managed Switches. One of these is "Static routing/Layer 3 IP routing between VLANs allows for communicating across VLANs without degrading application performance". What does this mean: can I create VLANs, or can VLANs just pass through this kind of switch? How about this feature from Cisco Catalyst 2960 Series Switches: "The ability to set up virtual LANs so employees are connected by organizational functions, project teams, or applications rather than on a physical or geographical basis". What is the difference between these features of these different models of switches?
I wish to use a 1921/k9 as a router on a stick. The inside interface interconnects up to 9 VLANs and performs the routing. Does the 1921/k9 support trunking and VLANs (I think it should support 16 VLANs, but I am not sure), or should I choose the 1921-SEC-k9? Is routing performance the same on both the 1921/k9 and the 1921-SEC-k9? (I think I'll use static routes or RIP; it is not a large network.)
I'm trying to secure my DIR-615. I can get into the web site, but the connection wizard is greyed out and the manual setup is also greyed out, even though I can select manual setup?
We just replaced a floor switch, and ended up going with IOS-XE software. LMS does not seem to like this software: the device is not available in my Identity dashboard, and it's obviously running dot1x.
LMS shows it as software version 03.02.01.SG, same as you get when you do a show version, license level is enterprise services.
Actual Image name: cat4500e-universalk9.SPA.03.02.01.SG.150-2.SG1.bin
Also, the IOS upgrade option does not work for this device; it gives an error saying to perform an inventory collection, which I have manually performed. The device is reachable and manageable by LMS, and it does not show up in any of the IOS version reports.
I am planning to get the following hardware:
AIR-CT5508-50-K9 5508 Series Controller for up to 50 APs
AIR-LAP1262N-E-K9 802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain
During my design, I am considering getting the following security features. I don't have WCS or Mobility Services Engine (MSE).
- Managing Access Points at a remote/WAN office.
- wIPS configuration (without WCS and MSE).
- How rogue APs will be detected and prevented. Can automated prevention be implemented? Does wIPS (with WLC 5508) support detecting and preventing rogue APs?
- Is proxy redirection supported on the WLC, so that the traffic from wireless clients will automatically be redirected to the proxy (without adding the proxy in the explorers of the wireless clients)?
Device: Cisco ISR 1811 IOS: 15.1(4)M5 Advanced IP Services
I seem to be unable to access any IKEv2 features. The command crypto ikev2 is not available. Everything I've read suggests IKEv2 is available in this IOS version. Is there something I'm missing?