Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
29526
Views
9
Helpful
7
Replies

What is the difference? ISR vs ASA?

Go to solution
crowe
Level 1
Level 1

‎02-05-2012 12:32 PM - edited ‎03-11-2019 03:24 PM

Can anyone tell me the technical differences and features between the ASA and ISR Firewall?  I am in a technical sales position and I find it difficult explaining the difference between the two, when pressed.  Especially in a ASA5505/5510 vs 1941/2911 scenario.

If someone could explain the security features ASA's do that ISR's do not that would be helpful also.

  1. Here is what I know already or so I think I know.
  2. The firewall/IPSec performance on an ASA is better than the ISR.
  3. They both run different IOS's
  4. The ASA does not support routing protocols
  5. ASDM is much better suited to analyze traffic, but with third party software the same could be achieved on an ISR.
  6. Routers have multiple interfaces and can perform many different tasks under the ISR umbrella.  WLAN controller, Gateway, Gatekeeer, CUBE etc etc
  7. You can add IPS and CSC modules to an ASA and they will outperform the NME and IOS filtering options for an ISR.
  8. Routers perform equal cost load balancing and ASA's do not, they only have failover as an option.

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to crowe

‎02-06-2012 10:18 AM

From the top of my head:

Botnet traffic Filter

Smart call home

Sepparate trend micro support (Does not rely on ASA performance)

Sepparate IPS support (Does not rely on ASA performance)

Cisco Secure Desktop

Embedded Security policies based on security levels

Availability of Bypass stateful packet inspection for certain traffic

Stateful Failover

Firewall virtualization

Those are the most common ones, but im sure there are plenty more.

Mike Rojas,

Mike

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎02-05-2012 12:53 PM

The ASA is a purpose built security device while the ISR is a router. The primary focus of the ASA is security implementation including stateful inspection of traffic and very sophisticated inspection of traffic passing through the ASA. It has some (limited) ability to do layer 3 routing of packets. The primary focus of the ISP is to do layer 3 routing with some very sophisticated routing algorithms supported and the ability to implement some security screening. It can do some stateful inspection of traffic but does not support the deep inspection of traffic that an ASA could do.

So for example if a customer wants to run BGP to a provider they would want to choose an ISR over an ASA. Or if a customer wants to do some URL filtering they would choose an ASA and not an ISR.

HTH

Rick

HTH

Rick

Go to solution
crowe
Level 1
Level 1
In response to Richard Burts

‎02-05-2012 08:55 PM

Ok.  So aside from what SPI, DPI and routing, is there anything else to add that you can think of? 

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to crowe

‎02-06-2012 08:36 AM

Crowe,

Its hard to compare a Router with an ASA no matter of what platform we talk about, those are totally different platforms. The fact that they run on the same layer, does not mean that they can be compared.

Once is a security solution, which has A LOT of features and the other one is a Router used for Routing over an IP network. I mean, there is too much different features and some few that they shared (IE VPN, Multicast Routing, NAT).

Mike

Mike
0 Helpful

Go to solution
crowe
Level 1
Level 1
In response to Maykol Rojas

‎02-06-2012 10:06 AM

Sorry about that but I should have been more clear.   When it comes to security features, what makes an ASA far more superior than an ISR for security?  What security features does the ASA have, that the ISR does not? 

Thanks!

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to crowe

‎02-06-2012 10:18 AM

From the top of my head:

Botnet traffic Filter

Smart call home

Sepparate trend micro support (Does not rely on ASA performance)

Sepparate IPS support (Does not rely on ASA performance)

Cisco Secure Desktop

Embedded Security policies based on security levels

Availability of Bypass stateful packet inspection for certain traffic

Stateful Failover

Firewall virtualization

Those are the most common ones, but im sure there are plenty more.

Mike Rojas,

Mike
0 Helpful

Go to solution
crowe
Level 1
Level 1
In response to Maykol Rojas

‎02-06-2012 12:11 PM 

Maykol Rojas wrote:
From the top of my head: 
Botnet traffic Filter 
Smart call home 
Sepparate trend micro support (Does not rely on ASA performance)
Sepparate IPS support (Does not rely on ASA performance)
Cisco Secure Desktop 
Embedded Security policies based on security levels 
Availability of Bypass stateful packet inspection for certain traffic 
Stateful Failover 
Firewall virtualization 
Those are the most common ones, but im sure there are plenty more. 
Mike Rojas,

Thanks, I think the security contexts is the line in the sand.

0 Helpful

Go to solution
Alessio Andreoli
Level 5
Level 5
In response to crowe

‎06-21-2018 01:06 AM

I respectfully disagree with you guys. The ISR 4k has some important features in security that the 2900 could only dream of. As usual, everything depends on your design. The 4k could well fit your requirements in terms of security and can't only be considered as a router.

 

Best

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card