ASA5505 vs IOS on 2951

Mark S.
Level 1

Hey guys,

Currently we run an ASA 5505, but I have gotten my hands on an ISR 2951. It's still under a support contract, so we have it updated to the latest IOS.

I am looking to find out which is the better suited firewall.

Currently we use it to NAT incoming traffic for web, email, DNS and VPN, and to block outgoing traffic, forcing all clients to use a proxy.

I do want to move away from the proxy approach, though, so I will be routing all outgoing traffic via this unit as well.

Not going to be using any other features of the 2951 like the ISM or CUCM.

My main reasoning for even considering this is that the ASA 5505 has a 10/100 port outbound and we are soon to be moving to a 100+ fiber connection, so we may have to get rid of it soon anyways.

 

7 Replies

Marvin Rhoads
Hall of Fame

I've never been a fan of the IOS Zone-Based Firewall (ZBFW).

While it works OK, it's a pretty limited feature set and unable to do any of the next gen firewall features that are available on the newer ASAs. Some of the newer ISR G2s can add the UCS-E and run FirePOWER on that, but it's still a limited implementation firewall-wise.

Also, help on the ZBFW is going to be a lot harder to find because in my experience very few customers run them (compared to an ASA). Configuration can be challenging (unless you're very adept with C3PL and love class-maps and policy maps).

I'd consider moving your ASA up to one of the newer models - even the little 5506X now has the FirePOWER module built-in and adding the IPS and URL Filtering licenses to one of those will cover your web proxy (URL filtering) needs as well as next gen IPS capability.
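To show the C3PL structure Marvin mentions (class-maps, policy-maps and zone-pairs), here is an added IOS ZBFW configuration for the original poster's scenario; it is not from the thread or from Cisco documentation. The interface names, the inside server address 10.0.0.10 and the public address 203.0.113.10 are assumed placeholders.

```text
! Zones: one for the LAN, one for the fibre/Internet uplink
zone security INSIDE
zone security OUTSIDE

! Assumed addressing: web server 10.0.0.10 inside, published on 203.0.113.10
ip nat inside source static tcp 10.0.0.10 443 203.0.113.10 443

! Outbound: stateful inspection of the protocols clients may use directly
! (replaces the proxy); everything else from the LAN is dropped and logged
class-map type inspect match-any CM-OUT-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-OUT-ALLOWED
  inspect
 class class-default
  drop log

! Inbound: only the published server. The inbound zone-pair policy is
! evaluated after static NAT has mapped the destination, so the ACL
! references the server's inside address, not the public one.
ip access-list extended ACL-PUBLISHED
 permit tcp any host 10.0.0.10 eq 443
class-map type inspect match-all CM-PUBLISHED
 match access-group name ACL-PUBLISHED
 match protocol https
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-PUBLISHED
  inspect
 class class-default
  drop log

! Bind each policy to a direction-specific zone pair; return traffic for
! inspected sessions is permitted by state, not by a separate rule
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN

interface GigabitEthernet0/0
 description LAN
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Fibre uplink (via media converter)
 ip nat outside
 zone-member security OUTSIDE
```

Traffic between zones with no zone-pair (or no policy) is dropped by default, and `show policy-map type inspect zone-pair sessions` lists the active inspected sessions for verification.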

Hi,

Yes, I agree with Marvin.

I also never liked ZBF (and CBAC) on ISRs.

Why not connect the 2951 to the WAN/fibre (with a media converter to RJ45) and put the ASA5505 behind it?

Thank you both - I guess the ASA is still the way to go then.

For outbound protection, do you still recommend using the ASA and the filtering, or is there another product that better serves the purpose?

The FirePOWER service module (with URL Filtering license) will do a very good job of outbound filtering.

Thank you.

So IOS on the ISR 1941 / ISR 2951 will not have any of these features, even with licensing?

If you add the UCS-E module on an ISR router, you can buy a FirePOWER license for it as well.

In that case, you would still have ZBFW, with FirePOWER layered on via a Unified Threat Detection (UTD) configuration.

See the recent Ask The Expert briefing and ask questions in that thread (through 17 July 2015) for details.

Thank you - I will look into it.

I appreciate the advice!