andreacadia

Cisco 1720 Info

I have a couple of Cisco 1720 modular access routers.  Do these routers come with a firewall?  I have heard of the 1721 router referred to as a firewall and was just wondering if the 1720 is the same and if not, what the primary differences are between the two.

Also, as far as firewall is concerned regarding these 2 routers, is it an IOS firewall that comes on these routers and is the IOS firewall different from a PIX firewall?  If you know how to configure one, would you know how to configure the other?

How could I check on the routers to see if they have firewall functionality?

Thanks for any clarity on this matter.
ASKER CERTIFIED SOLUTION
Fatal_Exception
andreacadia

ASKER

You said, "not quite the 1721"...what do you mean?

So if I am understanding correctly, the firewall feature of the 1720 and 1721 is simply based on access-lists?   Are these just regular access lists?  And I will assume that the Cisco Secure Integrated Software is different from Cisco PIX?  How can I verify what features are installed on my router?
SOLUTION
Well said...  
...so the FW feature set utilizes commands that are not inherent to the standard IOS software??  Does it use access-lists or packet filtering? Do you have a sample config with some fw rules configured?

Also, can you purchase the fw feature set for any model Cisco router?
There are a fair amount of examples on Cisco's website, here's one for instance:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Pretty much any Cisco router supports some flavor of the fw feature set....ok...maybe not that old 1004 you've got lying around, but most others do.

Alternatively, you might find that something like reflexive access-lists might be good enough and that is available on most platforms. Reflexive access-lists are better than regular access-lists in that they provide dynamic inbound permits that get opened when traffic goes outbound. So, for TCP traffic, the permit gets closed when it sees a FIN or RST bit in the header. UDP permits get closed usually based on a timer. It eliminates the need to maintain a 'tcp established' permit, which has its detractors. It still lacks the intelligence you get with FW code to deal with dynamic port stuff like you see with active-mode TCP, but it's pretty darn useful. Here's a link that might explain it more:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html

hope this helps.
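
A sample of the reflexive access-list setup described in the answer above, added here as an illustration; it is not part of the original thread or of Cisco's linked examples. The outside interface `Serial0`, the list names, and the timeout values are assumptions.

```cisco
! Constructed example. Interface, list names and timeouts are assumptions.
!
! The static approach that reflexive lists replace: one permanent permit
! that matches any inbound TCP segment with ACK or RST set.
!   ip access-list extended INBOUND-STATIC
!    permit tcp any any established
!    deny   ip any any
!
! Reflexive version: inbound permits exist only while a session that was
! started from the inside is active.
!
! Global idle timeout (seconds) for temporary entries with no own timeout.
ip reflexive-list timeout 120
!
! Outbound list: each new session creates a mirrored temporary entry
! in the reflexive list SESSIONS.
ip access-list extended OUTBOUND
 permit tcp any any reflect SESSIONS
 permit udp any any reflect SESSIONS timeout 30
!
! Inbound list: check the temporary entries first, then drop and log
! everything that was not opened from the inside.
ip access-list extended INBOUND
 evaluate SESSIONS
 deny ip any any log
!
interface Serial0
 description WAN link (assumed outside interface)
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Verification: after some outbound traffic, "show access-lists" lists
! the temporary entries under the reflexive list SESSIONS.
```

Reflexive entries can only be defined in extended named IP access lists, which is why both lists above are named rather than numbered.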
Thanks..

FE