Cisco Advanced Security K9 IOS as packet inspection firewall

Posted on 2008-10-27
Last Modified: 2012-06-21
Hi, I have a 2811 router running the latest K9 IOS. The router terminates a 3 Mbit MLPPP circuit and acts as a router / NAT device serving a single internal subnet with around 100 users. It also acts as a VPN endpoint with a PIX 506 at a remote location. What are the security functions of this advanced IOS that I can use? How can I activate packet inspection etc. and use this device as a stateful firewall that detects anomalies within traffic and warns me etc.?
Question by:eggster34
LVL 11

Expert Comment

ID: 22819733
The 2811 doesn't have enough horsepower to do deep packet inspection for 100 users if they're average web browsers and all online simultaneously. It doesn't have enough RAM to maintain a very big connection table (about 5000 entries I think), and you'll find it becomes a bottleneck when its connection table fills. It's not a bandwidth issue, it's purely connection count. A random port scan from a single outside or inside compromised host can end up knocking you offline.

The Cisco router IOS was never designed for modern intrusion detection and prevention methods, so everything firewall-related is a giant kluge. The PIX as well is an obsolete device that belongs back in the 1900s. You're really much better off getting a modern firewall, such as a Cisco ASA or SonicWall NSA 240, rather than trying to make this old stuff go. Unless your time is worth nothing.


Author Comment

ID: 23145627
Thanks for the info, but if I were to make this old device go, what would be the commands / options to activate this function in the device, even though it may cause it to crash?
LVL 11

Expert Comment

ID: 23146324
It takes about 100 lines of IOS code to properly configure a router's firewall features, and those are highly dependent on your environment. You can find Cisco config guides at . It's extremely complex.

Author Comment

ID: 23206713
Well, if you could give me some URLs, I would be happy to award you the points; otherwise the help you have given me so far does not deserve any credit, since you did not provide me any real answers :(
LVL 11

Accepted Solution

packetguy earned 500 total points
ID: 23207452
OK, I searched around, but much of the documentation on Cisco's site consists of dead links. I was able to find the following from various sources, which should get you started.

Here's an online book you can read for free with a trial OReilly Safari Books Online subscription:
Cisco Firewall Technologies; Section 2 has a description of Cisco IOS Firewall

Here's a video entitled "Secure Your Router with ACLs" to help you learn Access Control Lists, the core of the IOS Firewall:

Cisco IOS Firewall Overview

Cisco IOS Firewall Q&A

Cisco IOS Firewall Design Guide (lots of sample configs in here that you might mutate)

Granular Protocol Inspection guide

Troubleshooting Cisco IOS Firewall Configurations
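For readers who want to see what the accepted answer's links describe in one place, here is a minimal classic IOS Firewall (CBAC, `ip inspect`) configuration for the setup in the question: an MLPPP uplink, one inside subnet, an existing NAT and IPsec configuration left untouched. This is an added example, not a config from any post in this thread or from Cisco's documentation. The interface names, addresses, syslog host, VPN peer address, and threshold values are assumptions chosen for illustration; the NAT and crypto map statements the router already has are assumed to exist and are not repeated. Command syntax is the 12.4T-era classic `ip inspect` form, which the 2811 with an Advanced Security image supports; Zone-Based Firewall is the newer alternative and uses different syntax.

```cisco
! ---- Added example: classic IOS Firewall (CBAC) for a 2811 edge router ----
! Assumptions (not from the thread): Multilink1 = 3 Mbit WAN uplink with
! public address 203.0.113.2/30, FastEthernet0/0 = inside LAN 192.168.1.0/24,
! IPsec peer (the remote PIX 506) at 198.51.100.2, syslog host 192.168.1.10.

! 1. Logging: audit-trail gives one syslog line per session open/close,
!    drop-pkt logs packets CBAC discards. Send them to a syslog host.
logging buffered 65536 informational
logging host 192.168.1.10
logging trap informational
ip inspect audit-trail
ip inspect log drop-pkt

! 2. Half-open (embryonic) session limits. This is the knob that addresses
!    the "a port scan fills the connection table" concern: once more than
!    'high' half-open sessions exist, CBAC starts deleting the oldest ones
!    until the count falls below 'low'. Values are illustrative; size them
!    from 'show ip inspect statistics' on the real router.
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
! Per-destination-host limit on inbound half-open TCP: after 50, block new
! attempts to that host for 1 minute.
ip inspect tcp max-incomplete host 50 block-time 1
! Idle timeouts so stale sessions do not occupy table entries.
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5

! 3. Inspection rule set. Generic tcp/udp/icmp cover most traffic; ftp and
!    http are named so their application-aware inspection is used.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
ip inspect name FW-OUT ftp
ip inspect name FW-OUT http

! 4. Inbound ACL on the WAN side. CBAC punches temporary holes into this
!    ACL for return traffic of sessions it saw leaving; everything else is
!    denied. The IPsec peer must be allowed explicitly so the tunnel to the
!    PIX keeps working.
ip access-list extended OUTSIDE-IN
 remark IKE and ESP from the remote PIX (assumed peer address)
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
 remark Depending on IOS release, decrypted tunnel packets may be re-checked
 remark against this ACL; if so, also permit the remote LAN here.
 deny   ip any any log

! 5. Apply: inspect traffic as it leaves the WAN interface, filter what
!    arrives on it. 'ip nat outside' and the crypto map are assumed to be
!    already present on this interface.
interface Multilink1
 description 3 Mbit MLPPP uplink (assumed name)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out

interface FastEthernet0/0
 description inside LAN (assumed name)
 ip address 192.168.1.1 255.255.255.0

! 6. Verification after applying:
!   show ip inspect config        - rules, timeouts and thresholds in effect
!   show ip inspect sessions      - the current state table
!   show ip inspect statistics    - half-open counts; use these to tune step 2
!   show access-lists OUTSIDE-IN  - hit counts on the deny line
```

Two caveats a practitioner would want before copying this. First, inspection is applied in the outbound direction on the WAN interface, so only sessions initiated from inside open return holes; inbound services (a mail or web server behind the router) need explicit permit lines in OUTSIDE-IN or a second inspect rule on the inside interface. Second, the half-open thresholds are what keep a single scanning host from exhausting the table that the first reply in the thread warns about; set them from the observed baseline rather than guessing, and watch the syslog for the `FW-4-ALERT_ON` / `FW-4-ALERT_OFF` messages CBAC emits when it crosses them.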

