Solved

Cisco 1720 Info

Posted on 2004-09-11
7
783 Views
Last Modified: 2010-04-17
I have a couple of cisco 1720 modular access routers.  Do these routers come with a firewall?  I have heard of the 1721 router referred to as a firewall and was just wondering if the 1720 is the same and if not, what the primary differences are between the two.

Also, as far as firewall is concerned regarding these 2 routers, is it an IOS firewall the comes on these routers and is the IOS firewall different from a PIX firewall?  If you know how to configure one, would you know how to configure the other?

How could i check on the routers to see if they have firewall functionality?

Thanks for any clarity on this matter.
0
Comment
Question by:andreacadia
  • 3
  • 2
  • 2
7 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 250 total points
ID: 12036109
Yes, it is highly configurable, although not quite the 1721..  This page answers most of your questions:

http://www.cisco.com/univercd/cc/td/doc/pcat/1720.htm

Firewall
The 1700 supports an integrated firewall and intrusion detection with Cisco Secure Integrated Software. Cisco Secure Integrated Software (formerly the Cisco IOS Firewall) includes context based access control for dynamic firewall filtering, intrusion detection, denial of service detection and prevention, Java blocking, and real-time alerts. Internal users can access the Internet with secure, per-application-based dynamic access control. Unauthorized, Internet users are prevented from accessing the internal LAN.

Encryption
The Cisco 1720 supports IPSec DES and Triple DES (3DES) encryption, as well as an expansion slot on the motherboard for an optional VPN Module that delivers hardware-based wire-speed encryption. Enables creation of secure VPNs by providing all the components necessary to deliver a VPN solution: integrated VPN tunneling, encryption, firewall and intrusion detection. Optional high-speed hardware-assisted encryption to deliver triple DES encryption at full duplex T1/E1 speeds


FE
0
 

Author Comment

by:andreacadia
ID: 12036160
you said, "not quite the 1721"...what do you mean?

So if i am understanding correctly, the firewall feature of the 1720 and 1721 is simply based on access-lists?   Are these just regular access lists?  And i will assume that the Cisco Secure Integrated Software is different from Cisco PIX?  Hhow can i verify what features are installed on my router?
0
 
LVL 7

Assisted Solution

by:pedrow
pedrow earned 250 total points
ID: 12036337
Don't confuse 'based on access-lists' with packet filtering.

access-lists are used to control all sorts of functions on routers and it's important to know exactly how.

Both of these routers can run firewall feature sets and behave in just about exactly the same way. As near as I can tell, the 1721 is just a newer replacement of the 1720. i.e. they only have one fast E port and two wic slots., but the 1721 presumably a better processor.

If you pay for the fw feature set, you can have the 1720 act as a firewall just as well as a 1721.

You can tell what feature set you have by the name of the image from router>show version
the nomenclature is documented on cco on what each image is.

and just knowing how to configure IOS routers doesn't guarantee that you can do a PIX. Some things are similar/the same, but other aspects are completely different, such as how you deal with routing, NAT, and on older PIX versions, access control.




0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12036482
Well said...  
0
 

Author Comment

by:andreacadia
ID: 12036840
...so the FW feature set utilizes commands that are not inherent to the standard IOS software??  Does it use access-lists or packet filtering? Do you have a sample config with some fw rules configured?

Also , can you purchase the fw feature set for any model cisco router?
0
 
LVL 7

Expert Comment

by:pedrow
ID: 12037372
There are a fair amount of examples on cisco's website, here's one for instance:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

Pretty much any cisco router supports some flavor of the fw feature set....ok...maybe not that old 1004 you've got laying around, but most others do.

Alternatively, you might find that something like reflexive access-lists might be good enough and that is available on most platforms. Reflexive access-lists are better than regular access-lists in that they provide dynamic inbound permits that get opened when traffic goes outbound. So, for TCP traffic, the permit gets closed when it sees a FIN or RST bit in the header. UDP permits get closed usually based on a timer. It eliminates the need to maintain a 'tcp established' permit, which has its detractors. It still lacks the intelligence you get with FW code to deal with dynamic port stuff like you see with active-mode TCP, but it's pretty darn useful. Here's a link that might explain it more:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html

hope this helps.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12092572
Thanks..

FE
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question