[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Cisco 1720 Info

Posted on 2004-09-11
7
Medium Priority
?
788 Views
Last Modified: 2010-04-17
I have a couple of cisco 1720 modular access routers.  Do these routers come with a firewall?  I have heard of the 1721 router referred to as a firewall and was just wondering if the 1720 is the same and if not, what the primary differences are between the two.

Also, as far as firewall is concerned regarding these 2 routers, is it an IOS firewall the comes on these routers and is the IOS firewall different from a PIX firewall?  If you know how to configure one, would you know how to configure the other?

How could i check on the routers to see if they have firewall functionality?

Thanks for any clarity on this matter.
0
Comment
Question by:andreacadia
  • 3
  • 2
  • 2
7 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 1000 total points
ID: 12036109
Yes, it is highly configurable, although not quite the 1721..  This page answers most of your questions:

http://www.cisco.com/univercd/cc/td/doc/pcat/1720.htm

Firewall
The 1700 supports an integrated firewall and intrusion detection with Cisco Secure Integrated Software. Cisco Secure Integrated Software (formerly the Cisco IOS Firewall) includes context based access control for dynamic firewall filtering, intrusion detection, denial of service detection and prevention, Java blocking, and real-time alerts. Internal users can access the Internet with secure, per-application-based dynamic access control. Unauthorized, Internet users are prevented from accessing the internal LAN.

Encryption
The Cisco 1720 supports IPSec DES and Triple DES (3DES) encryption, as well as an expansion slot on the motherboard for an optional VPN Module that delivers hardware-based wire-speed encryption. Enables creation of secure VPNs by providing all the components necessary to deliver a VPN solution: integrated VPN tunneling, encryption, firewall and intrusion detection. Optional high-speed hardware-assisted encryption to deliver triple DES encryption at full duplex T1/E1 speeds


FE
0
 

Author Comment

by:andreacadia
ID: 12036160
you said, "not quite the 1721"...what do you mean?

So if i am understanding correctly, the firewall feature of the 1720 and 1721 is simply based on access-lists?   Are these just regular access lists?  And i will assume that the Cisco Secure Integrated Software is different from Cisco PIX?  Hhow can i verify what features are installed on my router?
0
 
LVL 7

Assisted Solution

by:pedrow
pedrow earned 1000 total points
ID: 12036337
Don't confuse 'based on access-lists' with packet filtering.

access-lists are used to control all sorts of functions on routers and it's important to know exactly how.

Both of these routers can run firewall feature sets and behave in just about exactly the same way. As near as I can tell, the 1721 is just a newer replacement of the 1720. i.e. they only have one fast E port and two wic slots., but the 1721 presumably a better processor.

If you pay for the fw feature set, you can have the 1720 act as a firewall just as well as a 1721.

You can tell what feature set you have by the name of the image from router>show version
the nomenclature is documented on cco on what each image is.

and just knowing how to configure IOS routers doesn't guarantee that you can do a PIX. Some things are similar/the same, but other aspects are completely different, such as how you deal with routing, NAT, and on older PIX versions, access control.




0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12036482
Well said...  
0
 

Author Comment

by:andreacadia
ID: 12036840
...so the FW feature set utilizes commands that are not inherent to the standard IOS software??  Does it use access-lists or packet filtering? Do you have a sample config with some fw rules configured?

Also , can you purchase the fw feature set for any model cisco router?
0
 
LVL 7

Expert Comment

by:pedrow
ID: 12037372
There are a fair amount of examples on cisco's website, here's one for instance:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Pretty much any cisco router supports some flavor of the fw feature set....ok...maybe not that old 1004 you've got laying around, but most others do.

Alternatively, you might find that something like reflexive access-lists might be good enough and that is available on most platforms. Reflexive access-lists are better than regular access-lists in that they provide dynamic inbound permits that get opened when traffic goes outbound. So, for TCP traffic, the permit gets closed when it sees a FIN or RST bit in the header. UDP permits get closed usually based on a timer. It eliminates the need to maintain a 'tcp established' permit, which has its detractors. It still lacks the intelligence you get with FW code to deal with dynamic port stuff like you see with active-mode TCP, but it's pretty darn useful. Here's a link that might explain it more:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html

hope this helps.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12092572
Thanks..

FE
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question