Our company is planning to deploy a corporate network with a Cisco 3660 and a PIX 515 at the center. What can we lose if we order the Cisco IOS for the 3660 without the FW option? I hear the "standard" IP IOS already has some facilities for filtering? What additional features (over the IP-only IOS) do the FW IOS options provide?
FW IOS is completely different from the standard IP IOS security features. With a stateful FW you can set up your router to accept traffic from the Internet only if the session has been initiated from the inside network. The router keeps track of a session and only valid traffic will be passed on. The router not only looks at the layer 3/4 information, but it will also use layer 7 information if required (FTP, H.323, RealAudio, etc.). I haven't even mentioned the (limited) Intrusion Detection System included in the software.
To be short, the Cisco IOS FW goes far beyond traditional ACLs and is strongly recommended as a minimum level of network security (a PIX would be better).
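The stateful inspection the reply describes is configured on IOS Firewall with CBAC (`ip inspect`). The following configuration is an added illustration, not part of the original reply: the inspection rule name `OUTBOUND`, the ACL name `FROM-INTERNET`, the interface `Serial0/0` and the addresses (documentation range 203.0.113.0/24) are all assumed. The inbound ACL denies everything by default; CBAC inserts temporary permit entries for the return half of each session it has seen leave, including the secondary data channels of FTP and H.323 that a plain ACL cannot track.

```cisco
! Added example (assumed names/addresses), not from the original thread.
! Inspection rules: track outbound sessions and open the return path
! dynamically. Application-aware entries (ftp, h323, realaudio) also
! follow the negotiated secondary channels.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND realaudio
! Drop half-open TCP sessions quickly (SYN flood mitigation)
ip inspect tcp synwait-time 20
!
! Inbound ACL on the Internet side: only a few ICMP types are allowed
! statically; everything else is denied unless CBAC has opened it.
! RFC 1918 sources are dropped as spoofed.
ip access-list extended FROM-INTERNET
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip any any log
!
interface Serial0/0
 description Internet uplink (assumed address)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip inspect OUTBOUND out
```

Check the result with `show ip inspect sessions` while a client inside is downloading by FTP: both the control session and the dynamically opened data connection should be listed, and `show ip access-lists FROM-INTERNET` should show the temporary entries CBAC has added ahead of the static `deny`.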
The PIX will protect anything behind it. So if your router is outside, the PIX can't protect it. Basic IP is fine even in this application, though. For greater security on the outside router, don't allow Telnet access to the serial interface and number your DMZ (between the PIX and the router) with 10-dot addresses (RFC 1918). Of course you'll have to put static routes in the router pointing back at the PIX for the NATed networks.
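The outside-router hardening this reply suggests needs only the basic IP feature set: an inbound ACL that blocks Telnet to the router's own serial address, a VTY access class so management only comes from the DMZ side, RFC 1918 addressing on the router-to-PIX segment, and static routes for the PIX's NAT pool. The configuration below is an added illustration, not from the original reply; the interface names, the DMZ subnet 10.1.1.0/24, the PIX outside address 10.1.1.2, the public block 203.0.113.0/24 and the NAT pool 203.0.113.16/28 are all assumptions.

```cisco
! Added example (assumed names/addresses), not from the original thread.
! Management: VTY lines accept Telnet only from the DMZ subnet.
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 5 0
!
! DMZ between router and PIX uses RFC 1918 space, so the segment
! is not reachable from the Internet without a route for it.
interface Ethernet0/0
 description DMZ toward PIX outside interface
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 description Internet uplink (assumed address)
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
!
! Inbound filter: no Telnet to the serial address, no spoofed RFC 1918
! sources, and only traffic for our public block is accepted.
ip access-list extended FROM-INTERNET
 deny tcp any host 203.0.113.2 eq telnet log
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any 203.0.113.0 0.0.0.255
 deny ip any any log
!
! Static routes: the public addresses the PIX translates to are
! not on a connected subnet, so the router must send them to the
! PIX outside interface. Default route goes to the ISP.
ip route 203.0.113.16 255.255.255.240 10.1.1.2
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

Without the `ip route 203.0.113.16 ...` line, inbound packets for the NATed addresses would follow the default route back out the serial interface and the PIX would never see them; `show ip route 203.0.113.20` should resolve via 10.1.1.2 once the static is in place.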