
New Member

Access-Lists on Router v/s FW IOS

Hi there,

I am evaluating a cost effective solution for a firewall to a DMZ with no access to the internal network.

We have a couple of 2600 routers with 16 MB of RAM and flash respectively.

Now I can either use these routers (in an HSRP with load balancing configuration) and purchase the FW-IOS with more memory, or install an OpenBSD box and set it up as a firewall.

Personally I am all for the FW-IOS option.

However, considering the high resource requirements of the IOS firewall and the inherent limitations of the IOS firewall vis-à-vis a regular application firewall, would I be better off just simply putting in access-lists and forgetting about investing in the FW-IOS?

In short, is an IOS firewall worth the investment?



New Member

Re: Access-Lists on Router v/s FW IOS

Hi CP,

Without IOS FW enabled, the rules for the access list will be to deny some traffic and permit ip any any at the end of the list.

With IOS FW enabled, it will be totally different: you will permit the specific traffic that you want to allow and have deny ip any any at the end of the list.

As you can see, with the IOS firewall enabled, you can secure your network before someone attacks your network. Not like a regular ACL, where you block the traffic after you find out the source which attacked your network.

Therefore, the IOS firewall is totally worth the investment.



ovt Bronze

Re: Access-Lists on Router v/s FW IOS



The question was about a firewall that secures access from the outside to the DMZ _with_ _no_ _access_ _to_ _the_ _inside_. So, the ACL would be "permit http, deny any" or something like that anyway.

Actually, when protecting www (or other servers), in addition to regular ACLs the IOS firewall can:

- fight SYN flood attacks (very poorly implemented, and enterprise IOS also has this functionality);

- do inline IDS (very limited even in 12.2(15)T);

- restrict the SMTP command set;

- allow passive FTP from the outside to the inside (yes, this is useful);

- that's it.

Oleg Tipisov,
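The ACL-only design Oleg describes (permit http, deny any, with the DMZ unable to reach the inside), written out as an added example that is not from the thread. The interface names, the web server address 192.0.2.10 and the inside network 10.0.0.0/8 are assumed placeholders; the last lines show where IOS Firewall (CBAC) inspection would be layered on the same ACLs.

```cisco
! Added example, not from the thread. Assumed layout: FastEthernet0/0 faces
! the Internet, FastEthernet0/1 is the DMZ holding web server 192.0.2.10,
! and the inside network 10.0.0.0/8 sits behind a third interface.
!
! --- ACL-only stance: permit exactly what the DMZ offers, deny the rest ---
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq www
 deny   ip any any log
!
! DMZ hosts may answer their clients but may never start a session toward
! the inside; the explicit deny is listed first so it wins over the permit.
ip access-list extended DMZ-IN
 deny   ip any 10.0.0.0 0.255.255.255 log
 permit ip host 192.0.2.10 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description DMZ
 ip access-group DMZ-IN in
!
! --- Optional IOS Firewall layer on top of the same ACLs ---
! Inspection tracks the sessions it sees arriving on FastEthernet0/0 and
! adds the application-aware checks the thread mentions (e.g. SMTP command
! filtering); the static ACLs above stay as the default-deny baseline.
ip inspect name DMZ-FW http
ip inspect name DMZ-FW smtp
!
interface FastEthernet0/0
 ip inspect DMZ-FW in
```

The `log` keyword on each deny entry is what turns the default-deny stance into something you can watch: hits on DMZ-IN's first entry mean a DMZ host is trying to reach the inside and should be investigated.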


