Showing results for 
Search instead for 
Did you mean: 

Cisco IOS 891 router or ASA 5505

I consult for a small physicians clinic with 3 servers, 20 PCs and 2 WANs (DSL and a T1). I need to upgrade the routers and am considering one new device to route traffic for all since we have had both hardware failures and a lot of new hacking attempts on our network.

My requirements are:

* good firewall out of the box

* 2 IPSEC VPN tunnels

* up to 10 simultaneous L2TP VPN tunnels

* 2 WAN ethernet ports (1 for SIP on a T1, 1 for DSL connection)

* failover from DSL to T1 but must use QOS or limit bandwidth use so it doesn't kill my VOIP traffic on the T1 (dsl failed 4 times this year)

Nice to haves:

* VPN in hardware

* Antivirus/Antispam

* a few power over ethernet ports

* Gbit switching

I have been told by a cisco consultant that the ASA is designed for firewall and thus provides better protection than the IOS 891. However, in researching online I found an article that says the 891 is the better choice ( see: due to features like:

* Gbit metro ethernet support

* zone based firewall support (I am a newbie at designing firewall rules and want to stay that way so if it is a real pain to implement then forget it)
* DMVPN (not even sure that this is important)

key question. Given that I will not do an enormous amount of special configuration on the box am I much safer with the ASA? If not sounds like the IOS 891 is a better bet.


Marwan ALshawi

According to your to your requirements above cisco iOS router will give more flexibility, better interns of routing and load sharing across your wan links if you want, software fire walling, gre tunneling mixed with IPSec, dmvpn

If you want to add additional security layer later just add a firewall behind thevrouter in the future


If helpful rate

Leo Laohoo
VIP Community Legend

I have a fleet of 891W and I can assure you that there is but one GigabitEthernet WAN port.  The rest of the 8 ports are FastEthernet.

ASA doesn't have PoE.  891 has a 4-port PoE as an optional accessory.

One question I'd like to ask is what speed is your DSL and T1? The reason why I'm asking is because the 890 can push up to 51.20 Mbps HALF duplex and UN-ENCRYPTED traffic.  So if your DSL and/or T1 line is higher than this you'll need to consider a different router.

Unless you are getting the high-end ASA, antivirus/anti-spam isn't supported on the 890W.

I'm not sure how strong QoS on the ASA.

I agree with previous post, I'd rather get a router and an ASA as a two separate appliance.  I'm not a big fan of a two-in-one-box.