Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
0
Helpful
4
Replies

cisco 2921 router

ayosizzle
Level 1
Level 1

‎10-11-2011 05:09 AM - edited ‎03-07-2019 02:43 AM

would a firewall be required at a branch office if the 2921 router is deployed or can this cisco router function as a firewall?

Labels:
0 Helpful
4 Replies 4

Ven Taylor
Level 4
Level 4

‎10-11-2011 05:48 AM

A router, depending on it's IOS, can be configured with access-lists to act like a firewall or configured as a Zone Based Policy Firewall.

Here are a couple links to get you started:

CBAC: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

ZBPF:

http://www.cisco.com/en/US/customer/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

I had a Pix 501, but changed it an 1811 at home and it's just got NAT and ACL configured.  No real firewall necessary for me.  I can still VPN in from work and access my network.

Hope this helps!

Ven

Ven Taylor
0 Helpful

ayosizzle
Level 1
Level 1
In response to Ven Taylor

‎10-11-2011 06:05 AM

Thank you so much for your response. Gathering from what you said, and thinking about it properly now, a properly configured access list can enable a rtr to block unwanted packets and perform intrusion prevention and detection from unwanted sources. But if a router can do this why go thru the hassle of buying a firewall an ASA is quite expensive.

0 Helpful

Ven Taylor
Level 4
Level 4
In response to ayosizzle

‎10-11-2011 06:19 AM

True, but the difference is that an ACL is stateless.  A firewall is stateful.

That means the acl sees every packet as a new one and doesn't care about the packets that came before it or the packets that come after it.  Firewalls can see the entire conversation.

Access-lists have been around a lot longer than firewalls, so people have gotten pretty creative with them.

Zone based and reflexive access lists are an example.

Here's a link to a conversation elsewhere on these forums:

https://supportforums.cisco.com/thread/137697

I think Rick said it best.

For more in-depth understanding, just google "firewall vs. ACL".  There are so many links that you could read for hours.

All that said, I think an ACL will suffice for a simple network, but as you add complexity and require more flexibility, you'll find that a firewall is the easier choice.  Router ACL's can get quite convoluted as they increase in complexity.

Ven

Ven Taylor
0 Helpful

ayosizzle
Level 1
Level 1
In response to Ven Taylor

‎10-11-2011 08:03 AM

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card