I have a perimeter router cluster with an ASA cluster and another firewall cluster protecting my corporate network.
I'm hardening my perimeter at the moment, but I was toying with the idea of using the perimeter routers in Classic IOS firewall mode rather than as routers with ACLs.
Has anyone any views/experience of this?
I know I should be well enough protected, but I think the Classic IOS firewall would provide better manageability of the routers, as the config would be replicated across an IOS cluster rather than having to configure 2 HSRP routers.
Thanks to anyone taking the time to read or reply to this.
Classic Firewall (CBAC) is still better than ACLs. However, most new features/inspections will be released for the Zone-Based Firewall only. As per Cisco: "Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features."
Have a look at this document for a comparison and hardware support:
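To make the three options in this thread concrete, the IOS configuration below is an added example, not taken from the original post or the reply. It puts the same perimeter policy (inside hosts may initiate TCP/UDP/ICMP to the Internet, nothing may be initiated from outside) side by side as a plain ACL, as Classic Firewall (CBAC) with `ip inspect`, and as the Zone-Based Policy Firewall. Interface numbers, the ACL, inspect and class/policy names are assumptions chosen for the example; adapt them to your own router.

```cisco
! ===== Option 1: stateless ACLs only =====
! A plain ACL has no session state, so return traffic for outbound
! sessions has to be permitted explicitly. The usual compromise is
! "permit tcp any any established", which matches any segment with
! ACK/RST set, whether or not a session actually exists, and UDP/ICMP
! replies have no flag to match at all.
ip access-list extended OUTSIDE-IN-ACL-ONLY
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp any eq 53 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip access-group OUTSIDE-IN-ACL-ONLY in

! ===== Option 2: Classic Firewall (CBAC) =====
! The inbound ACL only needs to permit what the router itself must
! accept; CBAC tracks sessions initiated from the inside and opens
! temporary holes in the inbound ACL for the matching return traffic.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
! Tighten the embryonic-session thresholds used for DoS protection
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
!
ip access-list extended OUTSIDE-IN-CBAC
 remark return traffic is admitted by dynamic CBAC entries, not here
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Inside (corporate)
 ip inspect FW-INSPECT in
!
interface GigabitEthernet0/0
 description Outside (Internet)
 ip access-group OUTSIDE-IN-CBAC in

! ===== Option 3: Zone-Based Policy Firewall =====
! Interfaces are placed in zones; traffic between zones is dropped
! unless a zone-pair with an inspect policy exists for that direction.
! No OUTSIDE->INSIDE zone-pair is defined, so unsolicited inbound
! traffic is dropped by default.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/1
 description Inside (corporate)
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 description Outside (Internet)
 zone-member security OUTSIDE
```

Only one of the three options should be active on a given interface pair; they are shown together purely for comparison. With Options 2 and 3, `show ip inspect sessions` and `show policy-map type inspect zone-pair sessions` respectively let you verify that outbound sessions are being tracked before you trust the tightened inbound ACL. Note also that traffic to and from the router itself (the self zone) is not covered by the IN-OUT zone-pair and needs its own policy or control-plane ACL if you are hardening the routers themselves.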