Cisco 2911 ACL/Firewall Question

sappleberry
Level 1

Hi All,

I recently inherited a Cisco 2911, that appears to have had Firewall rules imported into Externally Defined Rules. ACLs are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Level Inspection (Firewalled) rules.

Q1. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas?

Q2. Are both areas providing packet level inspection?

Q3. Can I build Firewall rules (within the Security area) to replace the ACLs?

Thanks in advance

2 Replies

Maykol Rojas
Cisco Employee

Hi,

It really depends on what your compliance should look like. ACLs only do filtering on a layer 3/4 basis; a firewall does inspection beyond that.

It also depends on the software version you are running and so on... With a little bit more information, we may be able to help you.

Mike

Mike

Version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)

Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.

Processor board ID FTX1348A104

4 FastEthernet interfaces

3 Gigabit Ethernet interfaces

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity enabled.

255K bytes of non-volatile configuration memory.

254464K bytes of ATA System CompactFlash 0 (Read/Write)

Compliance is to meet PCI-DSS

I am very familiar with ASA Firewalls, not so much with this 2911 ISR. If I understand correctly, ACL rules simply Allow/Disallow traffic, whereas Firewall inspects packets. I believe the ACLs are performing traffic filtering. I believe the Firewall should perform the filtering, however, I'm not sure if I should configure Zone based firewall, or use the Legacy configuration. Is there a difference between these two types of Firewall? Or does the Zone based simply provide more options based on interface configurations? Is Legacy Configuration Firewall simply referring to ACL rules (no packet inspection)?

I hope this makes sense... I simply cannot find any information that discusses these options.

Thanks,
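To illustrate the distinction Maykol draws between stateless ACL filtering and stateful inspection, here is an added IOS configuration example (written for this thread, not taken from the original posts or from Cisco documentation). It contrasts a plain interface ACL with a Zone-Based Policy Firewall policy that inspects outbound sessions and, by having no zone-pair in the return direction, denies unsolicited inbound traffic by default. The interface names, zone names, class-map and policy-map names are assumptions chosen for the example; the legacy (CBAC, `ip inspect`) form is shown in comments only for comparison.

```cisco
! ===== Stateless ACL (what the thread describes as "ACL rules") =====
! Every packet is matched on its own against L3/L4 fields. The
! "established" keyword only checks TCP flags (ACK/RST); it keeps
! no session table, so it is not stateful inspection.
ip access-list extended OUTSIDE-IN-ACL
 permit tcp any any established
 deny   ip any any log
!
interface GigabitEthernet0/0
 description OUTSIDE (assumed interface name)
 ip access-group OUTSIDE-IN-ACL in
!
! ===== Zone-Based Policy Firewall (stateful inspection) =====
! Two zones; every interface that carries user traffic joins one.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/1
 description INSIDE (assumed interface name)
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 description OUTSIDE (assumed interface name)
 zone-member security OUTSIDE
!
! Classify the outbound traffic we are willing to open sessions for.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CMAP
 match protocol http
 match protocol https
 match protocol dns
!
! "inspect" creates a session entry; the matching return packets are
! allowed back in by state, not by a static permit. Everything else in
! this direction is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-PMAP
 class type inspect INSIDE-TO-OUTSIDE-CMAP
  inspect
 class class-default
  drop log
!
! Apply the policy only to INSIDE -> OUTSIDE. Because no OUTSIDE ->
! INSIDE zone-pair exists, traffic initiated from outside is dropped
! unless it matches an inspected session.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PMAP
!
! Legacy equivalent (CBAC), shown for comparison only:
!   ip inspect name CBAC-RULES tcp
!   ip inspect name CBAC-RULES udp
!   interface GigabitEthernet0/1
!    ip inspect CBAC-RULES in
! CBAC is also stateful, but it is applied per interface rather than
! per zone-pair, which is why it is called the "legacy" configuration.
```

A quick way to confirm the policy is actually tracking state rather than just permitting packets is to open a browser session from an inside host and run `show policy-map type inspect zone-pair IN-OUT sessions`: an established entry for that flow should appear, and an inbound connection attempt from the outside to the same host should not.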
