Re: Cisco IOS Firewall

haithamnofal · ‎07-04-2007

Hi,

I am wondering whether ISR or any other routers with IP base IOS (i.e. not with Security Bundles), support CBAC ACL or stateful Firewalling? Or is it a must to go for the Security bundles in order to implement stateful firewalling in my router?

Regards,

Haitham

Jon Marshall · ‎07-04-2007

Hi Haitham

Unfortunately no, AFAIK the IP base version does not support CBAC. The best palce to check all the IOS versions for all routers is with Cisco's "Feature Navigator".

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

HTH

Jon

haithamnofal · ‎07-04-2007

Thanks Jon.. So, just to confirm the ACL available in IP Base IOS versions is just normal ACL which doesn't maintain the state of the connections. Please correct me if I am wrong.

Regards,

Haitham

Jon Marshall · ‎07-04-2007

Haitham

Yes the acl in IP base will be normal acl. The way to tell is from config mode on the router

router(conf t)# ip inspect ?

If it says unknown command then you don't have CBAC.

There is of course the "established" keyword you can use with acl's which gives a semblance of connection state but it is far from a stateful firewall.

HTH

Jon

johnd2310 · ‎07-04-2007

Hi Haitham,

You could also look at reflexive access lists.

Thanks

John

**Please rate posts you find helpful**