This page was exported from Free Cisco Training & Resources - Certification Exam Preparation

Summary of Cisco IOS Firewall

IOS Firewall is firewall functionality that is included within specific feature licenses of Cisco IOS. Cisco IOS is the operating system that most Cisco devices run. Cisco routers, including the Integrated Services Routers (ISR), run Cisco IOS.

Cisco IOS has included a form of firewalling since its earliest releases, in the form of packet filtering, which was the first generation of firewall technology.

Packet filtering is implemented in Cisco IOS by what Cisco calls access lists. Nearly all Cisco routers in service have access lists configured, because they are so flexible. For example, an access list can restrict which addresses may connect to the router over Secure Shell (SSH) and HTTP Secure (HTTPS) for management; it can filter the routing updates the router sends or receives; and, applied to an interface, it can permit or deny specific traffic according to the entries in the list.

An early improvement on access lists was the addition of the established keyword. It is used in an access list entry as shown here:

Router(config)# access-list 100 permit tcp any host eq established

This access list permits TCP segments from anywhere to the destination host and port named in the entry, as long as they belong to what the access list treats as an established connection. Placed inbound on the external interface, this works around the problem of dynamically allowing return traffic to internal clients. However, the router keeps no record of connection state, so this is not a stateful firewall. It is still plain packet filtering: the established keyword matches any TCP segment with the ACK or RST bit set in its header, whether or not the router ever saw the connection being opened. Anyone outside can craft a segment with ACK set (an ACK scan is exactly this) and it will pass the filter, so such an entry blocks unsolicited connection attempts (bare SYNs), not arbitrary inbound packets.

The first releases of Cisco IOS Firewall implemented a true stateful firewall that ran on a router. This functionality was known as Context-Based Access Control (CBAC).

CBAC is the basis of the IOS Firewall and is now referred to as the IOS Classic Firewall, the name Cisco gave it to distinguish it from the newer Zone-Based Policy Firewall.
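To make the difference between the established access list and CBAC concrete, here is a small Python model of both, added here as an illustration rather than code from the original page or from Cisco. It implements the established keyword the way IOS evaluates it (permit when ACK or RST is set, no memory between packets) and a minimal CBAC-style inspector that remembers sessions opened from the inside. The inside host 10.0.0.5, the outside addresses, the ports and the packets are constructed test data, and the inspector is deliberately reduced to a session table keyed on the 5-tuple; real CBAC also checks sequence numbers and ages entries out.

```python
# Added example (not from the original page or from Cisco): a small Python model
# of the difference between an `established` ACL and a CBAC-style stateful
# inspector. Hosts, ports and packets below are constructed test data.
from dataclasses import dataclass, field

# TCP flag bits as they appear in the header's flags byte
SYN, RST, ACK = 0x02, 0x04, 0x10

INSIDE_HOST = "10.0.0.5"      # assumed inside host protected by the router


@dataclass(frozen=True)
class Segment:
    """A TCP segment as seen by the filter (5-tuple plus flags)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_acl(seg: Segment, inside_host: str = INSIDE_HOST) -> bool:
    """Mimic `access-list 100 permit tcp any host <inside_host> established`
    applied inbound on the outside interface.

    IOS matches `established` purely on header bits: the segment is permitted
    when ACK or RST is set. Nothing is remembered between packets.
    """
    if seg.dst != inside_host:
        return False
    return bool(seg.flags & (ACK | RST))


@dataclass
class StatefulInspector:
    """Minimal CBAC-like inspector: remembers sessions opened from inside and
    admits inbound segments only when they belong to one of those sessions."""
    sessions: set = field(default_factory=set)

    def outbound(self, seg: Segment) -> None:
        """Inside -> outside. A bare SYN opens a session; the entry is stored
        as the mirrored tuple so inbound replies can be looked up directly."""
        if seg.flags & SYN and not seg.flags & ACK:
            self.sessions.add((seg.dst, seg.dport, seg.src, seg.sport))

    def inbound(self, seg: Segment) -> bool:
        """Outside -> inside. Permit only if the segment matches a tracked
        session; an RST from outside tears the entry down after it passes."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key not in self.sessions:
            return False
        if seg.flags & RST:
            self.sessions.discard(key)
        return True


def run_scenario() -> dict:
    """Run the same inbound packets through both filters and collect verdicts."""
    fw = StatefulInspector()

    # 1. An inside client opens a connection to an outside web server.
    fw.outbound(Segment(INSIDE_HOST, 40000, "203.0.113.10", 443, SYN))
    reply = Segment("203.0.113.10", 443, INSIDE_HOST, 40000, SYN | ACK)

    # 2. An outside attacker sends a crafted ACK to port 22 on the inside host
    #    (an ACK scan). No session was ever opened from inside.
    probe = Segment("198.51.100.7", 12345, INSIDE_HOST, 22, ACK)

    # 3. A plain SYN from outside: both filters reject it.
    syn = Segment("198.51.100.7", 12346, INSIDE_HOST, 22, SYN)

    return {
        "reply_acl": established_acl(reply),      # ACK set, permitted
        "reply_stateful": fw.inbound(reply),      # matches tracked session
        "probe_acl": established_acl(probe),      # ACK set, ACL cannot tell it apart
        "probe_stateful": fw.inbound(probe),      # no such session, denied
        "syn_acl": established_acl(syn),          # no ACK/RST, denied
        "syn_stateful": fw.inbound(syn),          # no session, denied
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15} {'permit' if verdict else 'deny'}")
```

The interesting row is the probe: the established access list permits it because the filter only looks at the flags byte, while the inspector denies it because no inside host ever opened a session to 198.51.100.7. That is the gap CBAC closes, and the reason the established keyword on its own should not be described as stateful.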

The Cisco IOS Firewall is made up of three main features:

These features provide the following benefits:



Post date: 2009-08-28 10:26:34
Post modified date: 2010-07-23 11:38:39
