07-08-2015 12:16 PM - edited 03-11-2019 11:14 PM
Hey guys
Currently we run an ASA 5505, but I have gotten my hands on an ISR 2951. It's still under a support contract, so we have it updated to the latest IOS.
I am looking to find out what is the better suited firewall.
Currently we use it to NAT incoming traffic for web, email, DNS and VPN, and to block outgoing traffic, forcing all clients to use a proxy.
I do want to move away from the proxy approach though so I will be routing all outgoing traffic via this unit as well.
Not going to be using any other features of the 2951, like the ISM or CUCM.
My main reason for even considering this is that the ASA 5505 has a 10/100 port outbound and we are soon to be moving to a 100+ fiber connection, so we may have to get rid of it soon anyway.
07-08-2015 12:54 PM
I've never been a fan of the IOS Zone-Based Firewall (ZBFW).
While it works OK, it has a pretty limited feature set and is unable to do any of the next-gen firewall features that are available on the newer ASAs. Some of the newer ISR G2s can add the UCS-E and run FirePOWER on that, but it's still a limited implementation firewall-wise.
Also, help on the ZBFW is going to be a lot harder to find because in my experience very few customers run them (compared to an ASA). Configuration can be challenging (unless you're very adept with C3PL and love class-maps and policy maps).
I'd consider moving your ASA up to one of the newer models - even the little 5506X now has the FirePOWER module built-in and adding the IPS and URL Filtering licenses to one of those will cover your web proxy (URL filtering) needs as well as next gen IPS capability.
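To make the "class-maps and policy maps" remark concrete, here is an added example (not posted by anyone in this thread, and not Cisco's own reference configuration) of the IOS Zone-Based Firewall skeleton for the scenario the original poster describes: static NAT for a few published services, stateful inspection of outbound client traffic, and a default drop in both directions. Interface names, addresses and server IPs are placeholders chosen for the example.

```cisco
! Added example: IOS ZBFW skeleton for "NAT inbound services, inspect outbound".
! All interface names, addresses and host IPs below are placeholders.

! --- Zones ---------------------------------------------------------------
zone security INSIDE
zone security OUTSIDE

! --- Interfaces, each placed in exactly one zone --------------------------
interface GigabitEthernet0/0
 description LAN (placeholder)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN / fibre (placeholder)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE

! --- Static NAT for the published services (placeholder inside hosts) -----
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80
ip nat inside source static tcp 192.168.1.10 443 203.0.113.2 443
ip nat inside source static tcp 192.168.1.11 25 203.0.113.2 25
ip nat inside source static udp 192.168.1.12 53 203.0.113.2 53
! PAT for all other outbound client traffic
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

! --- Outbound (INSIDE -> OUTSIDE) -----------------------------------------
! class-map selects the traffic, policy-map decides what happens to it,
! zone-pair binds the policy to a direction.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  ! stateful inspection: return traffic is allowed automatically
  inspect
 class class-default
  ! anything not listed above is dropped and logged
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT

! --- Inbound (OUTSIDE -> INSIDE): only the published services -------------
! The ACL matches the servers' real inside addresses, because NAT is
! applied before firewall inspection in this direction.
ip access-list extended ACL-PUBLISHED
 permit tcp any host 192.168.1.10 eq 80
 permit tcp any host 192.168.1.10 eq 443
 permit tcp any host 192.168.1.11 eq 25
 permit udp any host 192.168.1.12 eq 53
!
class-map type inspect match-all CM-OUT-TO-IN
 match access-group name ACL-PUBLISHED
!
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-IN
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN

! Traffic to or from the router itself (for example a VPN terminated on the
! 2951) belongs to the built-in "self" zone; it is permitted by default and
! needs its own zone-pairs and policy if it is to be restricted.
```

Three objects per direction (class-map, policy-map, zone-pair) is the minimum, and every further rule means touching all three, which is the "challenging" part compared with the ASA's access-list-per-interface model. Active sessions can be checked with `show policy-map type inspect zone-pair sessions`, and the `drop log` in `class-default` is what gives you visibility into anything the policy did not anticipate.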
07-08-2015 10:42 PM
Hi,
Yes, I agree with Marvin.
I also never liked ZBF (and CBAC) on ISRs.
Why not use the 2951 to connect to the WAN/fibre (with a media converter to RJ45) and put the ASA 5505 behind it?
07-09-2015 11:32 AM
Thank you both - I guess the ASA is still the way to go then.
For outbound protection - do you still recommend using the ASA and its filtering, or is there another product that better serves the purpose?
07-09-2015 11:59 AM
The FirePOWER service module (with URL Filtering license) will do a very good job of outbound filtering.
07-09-2015 12:02 PM
Thank you
So IOS on the ISR 1941 / ISR 2951 will not have any of these features - even with licensing?
07-09-2015 01:55 PM
If you add the UCS-E module on an ISR router, you can buy a FirePOWER license for it as well.
In that case, you would still have ZBFW, with FirePOWER layered on via a Unified Threat Detection (UTD) configuration.
See the recent Ask The Expert briefing and ask questions in that thread (through 17 July 2015) for details.
07-10-2015 09:26 AM
Thank you - I will look into it
I appreciate the advice!