Configuring Security on a 1721 Router


I am setting up a few 1721s at remote home offices (3-5 users in each office). These would be used for IPSec tunnels to our central office and also provide Internet access at the same time.

They have 64MB RAM with the FW feature set and VPN hardware module. Remote sites won't need any access from outside.

My question is regarding setting up ACLs.

1. Should I only set up CBAC, which would take care of all FTP and TFTP applications and also normal web traffic?

Would it affect the router performance, as the router would be running IPSec also? Or, for a user load of only 3-5, should it be okay?


2. Only set up CBAC for the FTP and TFTP protocols and then use "Reflexive ACLs" to take care of all other TCP and UDP traffic?

Is it possible to have basic, reflexive and CBAC at the same time?

Which one would be a more appropriate solution? Any other ideas?

Thanks, Naman


Re: Configuring Security on a 1721 Router

Regarding question # 1:

For 3-5 users there should not be much of an issue. My suggestion would be to use CBAC for inspecting all the outbound traffic. But execute "show proc cpu/mem" so that you can monitor the CPU and memory utilization before and after you apply the CBAC.

Please start with inspecting tcp/udp/smtp/ftp for outbound traffic (so that return traffic can come back).

And, don't forget to create an extended access-list on the outside like this :

access-list 101 deny ip any any

Regarding question # 2,

CBAC and reflexive ACLs don't go together. So, please configure CBAC. For a moderate usage of 3-5 users there should not be much of an issue in terms of performance.

I hope this helps ! Thanks,
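The following IOS configuration is an added worked example of the approach the reply recommends (CBAC inspection outbound on the Internet interface, an inbound extended ACL that denies everything else, and the "show" commands for checking CPU and memory). It is not from the original thread. The interface names, the central-office peer address 203.0.113.1, and the 10.1.0.0/24 (remote LAN) and 10.0.0.0/16 (central office) subnets are placeholders; the two explicit ISAKMP/ESP permits are needed because the crypto map sits on the same interface, and the last permit exists because IOS releases of this era re-check decrypted tunnel packets against the inbound ACL.

```cisco
! Added example, not from the original post. Interface names, the peer address
! and the subnets are assumptions chosen for illustration.
!
! CBAC rule: inspect sessions the inside users start so that the return
! traffic is allowed back in through the dynamic openings CBAC creates.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND tftp
ip inspect name OUTBOUND smtp
!
! Inbound ACL on the outside interface. Only the IPsec tunnel itself needs
! explicit entries: ISAKMP (UDP/500) and ESP from the central-office peer,
! plus the decrypted central-office traffic, which is re-evaluated against
! this ACL after decryption on older IOS. Everything else is denied; user
! return traffic gets in via the CBAC openings, not via this list.
access-list 101 remark --- IPsec tunnel to central office (assumed peer/subnets) ---
access-list 101 permit udp host 203.0.113.1 any eq isakmp
access-list 101 permit esp host 203.0.113.1 any
access-list 101 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.0.255
access-list 101 remark --- drop and log anything not opened by CBAC ---
access-list 101 deny   ip any any log
!
interface FastEthernet0
 description Outside / Internet (assumed interface name)
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
 ip inspect OUTBOUND out
 crypto map VPN
!
interface Ethernet0
 description Inside LAN (assumed interface name)
 ip address 10.1.0.1 255.255.255.0
!
! Checks to run before and after enabling inspection, as the reply suggests:
!   show ip inspect sessions      (dynamic openings CBAC has created)
!   show ip inspect config        (the rule and its timeouts)
!   show proc cpu                 (CPU load with IPsec + CBAC)
!   show proc mem                 (memory used by the inspect state tables)
```

Apply the inspect rule and the ACL on the same interface, in opposite directions: inspection on traffic leaving toward the Internet, the deny-all ACL on traffic arriving from it. If the tunnel fails to come up after adding the ACL, check "show access-lists 101" for hits on the logged deny line before touching the inspect rule.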



Re: Configuring Security on a 1721 Router

Thanks. This was very helpful.

I do have one final question

1. Is there a way to associate an ACL with inspection rules? (e.g. to only inspect traffic going to some specific subnets, similar to what you can do with reflexive access lists).

I actually have a crypto map applied to the same interface and I don't want to use CBAC inspection for the IPSec traffic going to our central office (due to performance reasons?). Is it possible?
