Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12480
Views
0
Helpful
3
Replies

Cisco ASA vs router firewall feature

Go to solution
resurector
Level 1
Level 1

‎02-14-2011 05:07 AM - edited ‎03-06-2019 03:31 PM

Hi,

I cannot find the differences betwen functionalities of Cisco ASA firewall and IOS firewall featureset available for routers (starting from 12.4.x) .

Performance and price of both options are available.

Can anyone suggest where to find comparison between functionalities of firewall appliance and router IOS firewall featureset (CBAC, deep packet inspection, VPN, NAT...)?

Thanks in advance

Regards

Ivica

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to resurector

‎02-14-2011 06:05 AM

Hi

Please find the below major feature differences.

1) High Throughput. The 2811 will max out at 60Mbps. Fine for just Internet, but will be a choking point if you're trying to do backups through it. An ASA5510 can do 350+.

2) Complex ACLs. The ASA lets you group IP address and ports in to groups, and move rules up/down "on the fly" through. If you might have a firewall rule over 50 lines long, this is something to think about.

3) Advanced VPN capabilities, such as a network SSL VPN client (Cisco calls theirs "AnyConnect", and it's only available on the ASA). The Routers only support the older IPSec client.

4) Easy High Availability. The ASA lets you configure devices in pairs, so that even if one ASA loses power or connectivity the other will take over automatically. This can be done with Routers using HSRP or VRRP, but is a lot more complicated to setup and manage.


In summary, a 2811 router alone will work fine as a Firewall and VPN device for a small/medium business. But there are certain cases where you'd need a separate Firewall

Hope this clear you..

Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni

‎02-14-2011 05:27 AM

Hi Ivica,


The IOS firewall is a feature set added on top of the router OS. The PIX's OS was designed ground up as a firewall and nothing else. It runs Finesse OS, not IOS.

I prefer to let a router do what it does best - route, and let a firewall do what it does best. Since you will still need a router to connect to the Internet, using TWO best of breed products, you can't go wrong.

The way we recommend setting up any Internet-based VPN:

Internet<-->screening router<-->PIX<-->LAN

Although the 1841 can do it all, And if budget is your main concern, go with the 1841 because it can be a router and firewall and VPN combo, and the PIX is Firewall/VPN only. It cannot have a serial/isdn/t1 interface to route to the Internet.

If you have a broadband connection at the remote office, no question- PIX.


And some would say that the ASA is designed as a security appliance and is therefore more secure. I'm not sure I agree with that completely, but there are a couple of points to be made. In an ISR in traditional mode (not Zone Based Firewall), a configuration error that can occur is the access list getting deleted. When this happens, it is open from an ACL perspective. With the ASA, if the ACL is deleted, no inbound traffic will pass. So in that regard, maybe one could argue that the ASA protects the administrator from mistakes a little better. I wouldn't take that too far though. Either one can be configured incorrectly, and it is our job to be appropriately cautious in configuration and verification of changes.


Please see the below link for complete information.
https://learningnetwork.cisco.com/thread/4995

Hope this clear you.

Please rate the helpfull posts.

Regards,
Naidu.

0 Helpful

Go to solution
resurector
Level 1
Level 1
In response to Latchum Naidu

‎02-14-2011 05:41 AM

Thanks for you thorough reply, however I am aware of all the facts you menti

oned.

I need to know just one thing: what exact features implemented in ASA are supported and which are not in IOS with firewall.

Simple comparison.

Thanks

Regards

Ivica

0 Helpful

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to resurector

‎02-14-2011 06:05 AM

Hi

Please find the below major feature differences.

1) High Throughput. The 2811 will max out at 60Mbps. Fine for just Internet, but will be a choking point if you're trying to do backups through it. An ASA5510 can do 350+.

2) Complex ACLs. The ASA lets you group IP address and ports in to groups, and move rules up/down "on the fly" through. If you might have a firewall rule over 50 lines long, this is something to think about.

3) Advanced VPN capabilities, such as a network SSL VPN client (Cisco calls theirs "AnyConnect", and it's only available on the ASA). The Routers only support the older IPSec client.

4) Easy High Availability. The ASA lets you configure devices in pairs, so that even if one ASA loses power or connectivity the other will take over automatically. This can be done with Routers using HSRP or VRRP, but is a lot more complicated to setup and manage.


In summary, a 2811 router alone will work fine as a Firewall and VPN device for a small/medium business. But there are certain cases where you'd need a separate Firewall

Hope this clear you..

Please rate the helpfull posts.
Regards,
Naidu.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card