Ability to do Classic IOS/CBAC firewall on 3945

Hey,

We are looking at upgrading from Cisco 3845s to 3945s, as the 3945 is still in support for the duration that we need to keep it around.

One reason for going with the 3945 vs something like an ISR or ASR is ease of migrating the configs.

We have a number of ACLs and inspection statements (including reflexive ACLs) that are in place on the 3845 right now using the classic IOS/CBAC syntax as opposed to zone-based FW.

I'm finding some conflicting information on the 3945s and would like to validate that the current ACL/inspect statements in the CBAC syntax will transfer over to the 3945s on a supported code release.

Right now, we have ACLs on the 3845s that use the classic CBAC syntax as shown below:

ip access-list extended inlist
deny ip x.x.x.x 0.0.0.255 any log-input
deny ip x.x.x.x 0.0.0.255 any log-input
deny ip x.x.x.x 0.0.0.255 any log-input
permit icmp any any
permit udp any eq domain any gt 1023
...
evaluate tmplist
deny ip any any log-input

ip access-list extended outlist
deny ip x.x.x.x 0.0.0.255 any log-input
deny ip x.x.x.x 0.0.0.255 any log-input
deny ip x.x.x.x 0.0.0.255 any log-input
permit icmp any any
permit udp any eq domain any gt 1023
permit udp any any eq domain
permit tcp any x.x.x.x 0.0.0.255 eq domain
...
permit tcp x.x.x.x 0.0.0.255 any reflect tmplist
deny ip any any log-input

and inspection policies that look like this:

ip inspect alert-off
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 1000
ip inspect name PUBLIC_OUT fragment maximum 256 timeout 5
ip inspect name PUBLIC_OUT ftp
ip inspect name PUBLIC_OUT icmp
ip inspect name PUBLIC_OUT smtp
ip inspect name PUBLIC_OUT tcp
ip inspect name PUBLIC_OUT udp

And then those policies are applied to their respective interfaces.

Will the 3945 with a supported code release, and/or the latest code release, allow the above CBAC syntax to transfer over from our 3845s? It was my understanding that the newer ISR and ASR series routers only supported the zone-based firewall, and in the interest of ease of portability, and given that we only need these devices around for a year or two, I wanted to instead purchase 3945s as they are adequately spec'd for our circuits, and my hope was to be able to transfer over the CBAC/inspection config exactly as it is now.

However, I can't fully understand if supported code releases on the 3945 support this older CBAC style or if it's all ZBFW now.

Thanks for the help!
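For comparison, the following shows how the posted PUBLIC_OUT inspection set and the reflect/evaluate pair would be expressed in zone-based firewall (ZBFW) syntax, the model the post says the newer ISR and ASR platforms are limited to. This is an added illustration, not part of the original post and not taken from Cisco documentation or a real device. The interface names, zone names, and the class-map, policy-map and parameter-map names are assumed; the ACL names inlist and outlist come from the post, and they are assumed to be copied without their reflect and evaluate lines, since the zone-pair inspection state permits return traffic on its own. The posted fragment line is not covered here.

```ios
! Added ZBFW illustration; not from the original post. All names below
! other than the ACLs inlist/outlist are assumed.
!
! The global "ip inspect alert-off" and "max-incomplete" lines of CBAC
! become a parameter-map that the inspect action references.
parameter-map type inspect PMAP_PUBLIC
 alert off
 max-incomplete high 1000
 max-incomplete low 1000
!
! Zones replace the per-interface "ip inspect PUBLIC_OUT out" binding.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN side (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet side (assumed interface)
 zone-member security OUTSIDE
!
! The protocols listed under "ip inspect name PUBLIC_OUT ..." become a
! match-any class; a match-all class combines it with the outbound ACL so
! only traffic permitted by outlist is inspected.
class-map type inspect match-any CM_PUBLIC_PROTOCOLS
 match protocol ftp
 match protocol icmp
 match protocol smtp
 match protocol tcp
 match protocol udp
!
class-map type inspect match-all CM_IN_TO_OUT
 match access-group name outlist
 match class-map CM_PUBLIC_PROTOCOLS
!
! Inbound: unsolicited sessions allowed by inlist. Replies to inspected
! outbound sessions are permitted by state and need no entry here, which
! is what "reflect tmplist" / "evaluate tmplist" did under CBAC.
class-map type inspect match-all CM_OUT_TO_IN
 match access-group name inlist
 match class-map CM_PUBLIC_PROTOCOLS
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect PMAP_PUBLIC
 class class-default
  drop log
!
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect PMAP_PUBLIC
 class class-default
  drop log
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
!
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN
```

The class-default drop log entries take over the role of the trailing "deny ip any any log-input" lines, so denied traffic is still logged per direction. Because each zone-pair is one-directional, the inbound policy only needs to describe services that are genuinely offered to the outside; everything the reflexive ACL used to track is covered by the session table.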