Cisco Support Community

New Member

WAN interface protection best practices.

I want to protect the WAN interface, but I am not sure what technology I should use. ACL or IOS Firewall?

I use WAN interface for:

1. NAT outside

2. IPSEC VTI to branches.

3. EasyVPN for home users.

What is the practical difference between ACL and IOS Firewall?

4 REPLIES
Super Bronze

Re: WAN interface protection best practices.

"What is the practical difference between ACL and IOS Firewall?"

An IOS firewall is richer in features. For example, one major difference: most "ordinary" ACLs are stateless, while firewall rules can often be stateful. However, reflexive ACLs are stateful too, but they might not cover as many stateful situations as firewall rules.

More information for IOS firewalls can be found here: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Configuration guide for reflexive ACLs: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
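
The stateless versus stateful distinction from the reply above, as an added IOS configuration sketch that is not part of the original thread: a reflexive ACL on the WAN interface that admits return traffic only for sessions opened from inside, plus explicit permits for the IPsec VTI and EasyVPN traffic the question lists. The interface name, ACL names and reflexive list name are assumptions, and addresses are left as `any` because the thread gives none.

```cisco
! Added example. WAN-OUT, WAN-IN, WAN-STATE and GigabitEthernet0/0
! are assumed names, not taken from the thread.
!
! Outbound: every session leaving through the WAN interface creates a
! temporary mirrored entry in the reflexive list WAN-STATE.
ip access-list extended WAN-OUT
 permit tcp any any reflect WAN-STATE
 permit udp any any reflect WAN-STATE
 permit icmp any any reflect WAN-STATE
!
! Inbound: VPN traffic terminates on the router itself, so it never
! appears in WAN-STATE and needs static (stateless) permits.
! Tighten "any" to the branch peer addresses where they are known.
ip access-list extended WAN-IN
 ! IKE for the branch VTI tunnels and EasyVPN clients
 permit udp any any eq isakmp
 ! IKE and ESP over NAT-T (UDP 4500), typical for home users behind NAT
 permit udp any any eq non500-isakmp
 ! ESP for tunnels without NAT-T
 permit esp any any
 ! Stateful part: return traffic for sessions recorded by WAN-OUT
 evaluate WAN-STATE
 ! Everything unsolicited is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
```

Outbound ACLs do not process packets the router itself originates, so router-sourced sessions create no reflexive entry and their replies need their own permit in `WAN-IN`.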

New Member

Re: WAN interface protection best practices.

Thank you.

New Member

Re: WAN interface protection best practices.

And as I understand, there are two different IOS firewalls:

CBAC and zone-based firewall? Correct? So what is the difference?

Super Bronze

Re: WAN interface protection best practices.

Zone-based is the newer. If I recall correctly, it allows security to be defined relative to "zones" to which an interface or interfaces are attached. CBAC, I think, is defined per interface. There are some feature differences too, with CBAC having, I believe, some that zone-based doesn't yet have (although they are on the road map).
