10-05-2011 01:14 PM - edited 03-11-2019 02:34 PM
Hi All,
I recently inherited a Cisco 2911, that appears to have had Firewall rules imported into Externally Defined Rules. ACLs are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Level Inspection (Firewalled) rules.
Q1. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas?
Q2. Are both areas providing packet level inspection?
Q3. Can I build Firewall rules (within the Security area) to replace the ACLs?
Thanks in advance
10-05-2011 09:29 PM
Hi,
It really depends on what your compliance should look like. ACLs only do filtering on a layer 3/4 basis; a firewall does inspection beyond that.
It also depends on the software version you are running and so on... With a little bit more information, we may be able to help you.
Mike
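As an added illustration of the distinction Mike draws (not configuration from this thread or from the poster's router): a stateless extended ACL beside a minimal Zone-Based Policy Firewall configuration for IOS 15.x. Zone, class and policy names, the interface roles, the 10.0.0.0/8 inside range and the set of permitted protocols are all assumptions.

```text
! Stateless filtering: an extended ACL matches only on layer 3/4 header fields
! and keeps no session state, so return traffic would need its own permit lines.
ip access-list extended INSIDE_TO_OUTSIDE
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit udp 10.0.0.0 0.255.255.255 any eq 53
 deny   ip any any log
!
! Stateful inspection with the Zone-Based Policy Firewall (assumed names).
! Traffic matched by the class is inspected: a session entry is created and
! only replies belonging to an existing session are allowed back in.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any WEB_AND_DNS
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect INSIDE_TO_OUTSIDE_POLICY
 class type inspect WEB_AND_DNS
  inspect
 class class-default
  drop log
!
! Policy applies only in the INSIDE -> OUTSIDE direction. With no zone-pair
! defined for OUTSIDE -> INSIDE, unsolicited inbound traffic between the two
! zones is dropped by default.
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_POLICY
!
interface GigabitEthernet0/0
 description LAN side (assumed role)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN side (assumed role)
 zone-member security OUTSIDE
!
! Verify that sessions are actually being tracked:
!   show policy-map type inspect zone-pair IN_TO_OUT sessions
```

Once an interface is a zone member, traffic to or from interfaces outside any zone is dropped, so assign every routed interface (including any VPN interface) to a zone before committing the change.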
10-06-2011 10:32 AM
Version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX1348A104
4 FastEthernet interfaces
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
Compliance is to meet PCI-DSS
I am very familiar with ASA Firewalls, not so much with this 2911 ISR. If I understand correctly, ACL rules simply Allow/Disallow traffic, whereas Firewall inspects packets. I believe the ACLs are performing traffic filtering. I believe the Firewall should perform the filtering; however, I'm not sure if I should configure Zone based firewall, or use the Legacy configuration. Is there a difference between these two types of Firewall? Or does the Zone based simply provide more options based on interface configurations? Is Legacy Configuration Firewall simply referring to ACL rules (no packet inspection)?
I hope this makes sense... I simply cannot find any information that discusses these options.
Thanks,