Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Converting traditional ACL lists to IOS firewall

We are in the process of replacing our router due to obsolesence and due to the increased resource load on it over the years. We currently have an older Cisco 3640 router running IOS (C3640-I-M), Version 12.2(3), and use ACL's extensively in an attempt to prevent attacks, intrusions, etc. from entering this network. Currently it has grown to approximately 300 line items in our ACL list, so you can see that a 3640 router will no longer keep up with the traffic. We have recently purchased a Cisco3845-Sec/K9 router with advanced security S384ASK9-12403 IOS firewall package. It is currently running Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3).

My question is if there is an easy way to take my 300 item ACL list from my old 3640 routers and convert it to a new ACL list for the 3845 router? Or should I just start from scratch? Is there any good documentation out there to get me started in the design for the firewall rules, so I can take our old 3640 list and convert it to the 3845 rule list?

2 REPLIES

Re: Converting traditional ACL lists to IOS firewall

Im not aware of acl program convertions for router to router , however, I do not see a reason why you should not be able to copy and paste acls on new platform, you can attempt in cuting over the acls in groups from the old router and start building configuration on the new router.

If you have for example standard acl with 30 lines copy acl from old router in notepad for example and paste 10 lines at a time to observed weather the os takes it fully.

Rgds

Jorge

Re: Converting traditional ACL lists to IOS firewall

hi SCOTT

i agree with jorge

howerver my suggestion is to rethink about ur ACLs redesigne it as lon as now u have IOS firewall feature which include the statefull inspection feature in the ACLs in other woords if u want http to go from in side tooutside only u dont need to make the permit ACL on the outside or the established ACL

because now u can use the CBAC features for statefull inspection and NBAR as well

in addetion to zonebaed features u could divide the IOS firewall to Zones and make it looks and works like a ASA or PIX

i would suggest you to redesign ur ACLs and security as u said u have big amount of ACLs then u need to improve it

use the following links as a guidance:

Context-Based Access Control (CBAC): Introduction and Configuration

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Three-interface Router without NAT Cisco IOS Firewall Configuration

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml

Cisco IOS Classic Firewall/IPS: Configuring Context-Based Access Control (CBAC) for Denial-of-Service Protection

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00808b7200.shtml

Cisco IOS Firewall

Zone-Based Policy Firewall

Release 12.4(6)T

Technical Discussion

February 2006

http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf

Cisco IOS Firewall Classic and Zone-Based Virtual Firewall Application Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809492a4.shtml

now after that u can make the right config and design :)

god luck

please, if helpful Rate

555
Views
4
Helpful
2
Replies