Beginner

ASA-5545-X vs ISR 4451 Firewall

Hi,

I'm designing a mid-size network for about 100 users on two high-latency links (Cell/SAT).

First I looked at having an ISR 4221 router with an ASA 5545-X firewall, to let the router handle the routing etc. and the firewall do the DPI, AVC, IPS etc.

But as I understand it, the ISR routers support all of the DPI, AVC, IPS/NGIPS, Layer 7 QoS etc. that the ASA would normally do. So is there any reason why I should keep the ASA 5545-X firewall and not just go for a more beefy ISR router like the 4451 with a SEC license?

The bandwidth is about 400-500 Mb/s.

 

Thanks,

2 REPLIES
VIP Collaborator

Re: ASA-5545-X vs ISR 4451 Firewall

Personally I prefer to have the FW as its own identity in the network. An ISR router, yes, that is for a branch where there is a small user base.

For your requirement you need a router and a FW.

 

BB
*** Rate All Helpful Responses ***
Hall of Fame Master

Re: ASA-5545-X vs ISR 4451 Firewall

To get a more comparable solution using ISR series routers, you would have to add something like Firepower Threat Defense for ISR:

 

https://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-735410.html

 

For that you need to add the UCS module. So the cost of the module plus license may make the difference between using a second appliance (ASA running FTD or such) less.

 

The protection capabilities between the two options are comparable. However, you are getting into a MUCH less deployed option with FTD for ISR. You are also then tying your security to your router and possibly closing off other options. For instance, what if you wanted to adopt the SD-WAN for ISR solution (i.e. the Viptela technology)? Is that compatible with also running the other security services?

 

Also, if you are considering just relying on IOS Zone-Based Firewall (ZBFW) I would not recommend that option. You'd be using 10+ year old technology to attempt to protect against modern threats.

 

 
