RE: [fw-wiz] Cisco 2621 opinions

From: Henry Sieff
Date: 07/13/02

From: Henry Sieff
To: 'joe macdonald'
Date: Sat Jul 13 21:10:02 2002

Joe: I have done this.

They work pretty well, if you just need packet filtering. Using
reflexive access lists, you can get session state for tcp (it just
uses timeouts for udp). If you've worked with ipchains, the biggest
change to remember is that first matching rule applies (not last).

Capacity wise, I have used them on T1's without a problem. Good rule
planning is essential.

Logging is done via syslog (no real time).

As for more advanced features, you can purchase the Firewall Feature
set which gives you actual (basic) content inspection for well known
protocols like http and smtp, and better tools for blocking DDOS and
java, and the ability to set up real time alerting.

The biggest problem I think would be that the 2600 series supports
only telnet (and direct console) connects to the router itself, which
makes remote admin a little sketchy; no ssh, which is a glaring

But for your purposes, that may not matter.

Learning curve would be negligible; not a lot of gotchas, and the cisco
web site has lots of documentation (although it can be hard to find.)

Hope that helps; feel free to ask followups.

Henry Sieff

> -----Original Message-----
> From: joe macdonald
> Sent: Saturday, July 13, 2002 10:20 AM
> To:
> Subject: [fw-wiz] Cisco 2621 opinions
> Hello all,
> I have a rather simple question that I would
> appreciate feedback on.
> I have a network of about 175 computers that I'm
> looking to put behind a Cisco 2621 router and also
> deploy it as a firewall. I'm new to the Cisco world,
> so I'm wondering how well these devices work as a
> router/firewall and how drastic the learning curve
> will be (I have deployed firewalls in the past using
> ipfw, iptables, ipchains on Unix systems). Also, my
> network isn't very big, but is the 2621 a suitable
> choice, or would a higher end model be necessary?
> Would a PIX be able to do this job better? (it's not
> exactly a complex routing situation, but is the PIX
> strictly a firewall?)
> Thanks. Any opinions are greatly appreciated.
> _______________________________________________
> firewall-wizards mailing list
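
A simplified model of the two behaviours described in the reply above (the first matching rule applies, and reflexive entries give return-traffic state, with UDP entries ending only by timeout), as an added example that is not part of the original message and is not IOS code. The class and field names, addresses and timeout value are constructed for illustration, and TCP teardown is reduced to RST only.

```python
# Simplified model (constructed, not IOS code): ordered ACL, first match wins,
# implicit deny at the end, reflexive entries created by outbound traffic.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (any protocol)
    dport: int = 0          # 0 matches any destination port
    reflect: bool = False   # on permit, also create a mirrored temporary entry

    def matches(self, pkt):
        return self.proto in ("ip", pkt["proto"]) and self.dport in (0, pkt["dport"])

def first_match(rules, pkt):
    for rule in rules:      # evaluation stops at the first hit
        if rule.matches(pkt):
            return rule
    return None             # nothing matched: implicit deny

@dataclass
class ReflexiveFilter:
    outbound: list
    idle_timeout: float = 300.0                    # assumed value, in seconds
    sessions: dict = field(default_factory=dict)   # mirrored flow -> last seen

    @staticmethod
    def _key(pkt, mirror=False):
        s, d = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + ((d, s) if mirror else (s, d))

    def out(self, pkt, now):
        rule = first_match(self.outbound, pkt)
        if rule is None or rule.action != "permit":
            return False
        if rule.reflect:    # record (or refresh) the expected return flow
            self.sessions[self._key(pkt, mirror=True)] = now
        return True

    def inbound(self, pkt, now):
        key = self._key(pkt)
        seen = self.sessions.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.sessions.pop(key, None)   # never opened from inside, or expired
            return False
        if pkt["proto"] == "tcp" and pkt.get("flags") == "RST":
            del self.sessions[key]         # TCP: entry ends with the session
        else:
            self.sessions[key] = now       # UDP: only the idle timer ends it
        return True
```
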
