Cisco 1720 Info

I have a couple of cisco 1720 modular access routers.  Do these routers come with a firewall?  I have heard of the 1721 router referred to as a firewall and was just wondering if the 1720 is the same and if not, what the primary differences are between the two.

Also, as far as firewall is concerned regarding these 2 routers, is it an IOS firewall the comes on these routers and is the IOS firewall different from a PIX firewall?  If you know how to configure one, would you know how to configure the other?

How could i check on the routers to see if they have firewall functionality?

Thanks for any clarity on this matter.
Who is Participating?
Fatal_ExceptionSystems EngineerCommented:
Yes, it is highly configurable, although not quite the 1721..  This page answers most of your questions:

The 1700 supports an integrated firewall and intrusion detection with Cisco Secure Integrated Software. Cisco Secure Integrated Software (formerly the Cisco IOS Firewall) includes context based access control for dynamic firewall filtering, intrusion detection, denial of service detection and prevention, Java blocking, and real-time alerts. Internal users can access the Internet with secure, per-application-based dynamic access control. Unauthorized, Internet users are prevented from accessing the internal LAN.

The Cisco 1720 supports IPSec DES and Triple DES (3DES) encryption, as well as an expansion slot on the motherboard for an optional VPN Module that delivers hardware-based wire-speed encryption. Enables creation of secure VPNs by providing all the components necessary to deliver a VPN solution: integrated VPN tunneling, encryption, firewall and intrusion detection. Optional high-speed hardware-assisted encryption to deliver triple DES encryption at full duplex T1/E1 speeds

andreacadiaAuthor Commented:
you said, "not quite the 1721"...what do you mean?

So if i am understanding correctly, the firewall feature of the 1720 and 1721 is simply based on access-lists?   Are these just regular access lists?  And i will assume that the Cisco Secure Integrated Software is different from Cisco PIX?  Hhow can i verify what features are installed on my router?
Don't confuse 'based on access-lists' with packet filtering.

access-lists are used to control all sorts of functions on routers and it's important to know exactly how.

Both of these routers can run firewall feature sets and behave in just about exactly the same way. As near as I can tell, the 1721 is just a newer replacement of the 1720. i.e. they only have one fast E port and two wic slots., but the 1721 presumably a better processor.

If you pay for the fw feature set, you can have the 1720 act as a firewall just as well as a 1721.

You can tell what feature set you have by the name of the image from router>show version
the nomenclature is documented on cco on what each image is.

and just knowing how to configure IOS routers doesn't guarantee that you can do a PIX. Some things are similar/the same, but other aspects are completely different, such as how you deal with routing, NAT, and on older PIX versions, access control.

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Fatal_ExceptionSystems EngineerCommented:
Well said...  
andreacadiaAuthor Commented: the FW feature set utilizes commands that are not inherent to the standard IOS software??  Does it use access-lists or packet filtering? Do you have a sample config with some fw rules configured?

Also , can you purchase the fw feature set for any model cisco router?
There are a fair amount of examples on cisco's website, here's one for instance:

Pretty much any cisco router supports some flavor of the fw feature set....ok...maybe not that old 1004 you've got laying around, but most others do.

Alternatively, you might find that something like reflexive access-lists might be good enough and that is available on most platforms. Reflexive access-lists are better than regular access-lists in that they provide dynamic inbound permits that get opened when traffic goes outbound. So, for TCP traffic, the permit gets closed when it sees a FIN or RST bit in the header. UDP permits get closed usually based on a timer. It eliminates the need to maintain a 'tcp established' permit, which has its detractors. It still lacks the intelligence you get with FW code to deal with dynamic port stuff like you see with active-mode TCP, but it's pretty darn useful. Here's a link that might explain it more:

hope this helps.
Fatal_ExceptionSystems EngineerCommented:

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.