8 Replies Latest reply: Sep 11, 2010 11:21 PM by Jon Major CCIE# 47884 RSS

    Cisco ASA 5510 Vs. Cisco IOS Firewall

    Steven Williams

      I guess the question is....what's the difference? I can achieve Firewall functionality, VPN, NAC, IP, and everything an ASA can provide, so why buy the more expensive device?

        • 1. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall
          Scott Morris - CCDE/4xCCIE/2xJNCIE


          Efficiency mostly. Feeding an SE/AM's family is probably a nice thing too, and generally stimulating the economy. Otherwise, we'll all start to blame YOU for the economic downfalls around the world!



          Just kidding.



          Seriously though, it's a matter of splitting up tasks rather than making one single device do everything. Depending on how much traffic you do (or do not) have on your network, you really may not notice any difference at all. In that case, it's not worthwhile to purchase an ASA.



          Expansion, efficiency, other things like the CSC or IPS modules, extra interfaces your router may not have.... It's all options for your network design. If you have a small network, not worth the effort other than what I laid out at the beginning.



          My two cents,









          • 2. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall



            Can IOS do SSL-VPN? Only with Advanced Security



            Regards Conwyn

            • 3. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall
              Paul Stewart  -  CCIE Security


              Some would say that the ASA is designed as a security appliance and is therefore more secure. I'm not sure I agree with that completely, but there are a couple of points to be made. In an ISR in traditional mode (not Zone Based Firewall), a configuration error that can occur is the access list getting deleted. When this happens, it is open from an ACL perspective. With the ASA, if the ACL is deleted, no inbound traffic will pass. So in that regard, maybe one could argue that the ASA protects the administrator from mistakes a little better. I wouldn't take that too far though. Either one can be configured incorrectly, and it is our job to be appropriately cautious in configuration and verification of changes.






              Currently, both devices have quite a few of the same features. Both the IOS and ASA OS have grown substantially enough that bugs could lead to vulnerabilities. On the flip side they both have stronger inspection capabilities than past versions. One advantage that I can see from the ASA is that it may be looked upon quite a bit more favorably by an auditor.









              • 4. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall


                While SDM delivers the code and applies the signature base of the IPS on a router with rather time on the market (like 26xx), do a show cpu command in the cli and voila.... you'll see the difference. 99% usage.



                That's why it sells as a different appliance, it consumes too much of the router resources while it still has to do routing desicions and maybe all the processes that you can make a router do, thus dropping packets more often and slowing the network.



                With the ISR's maybe it's another story, the have way more power than the older ones, so it would no make much difference.



                (Thanks to Jeremy Cioara for this)



                • 5. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall
                  Cisco Jedi

                  I think one of the main things to consider is the complexity of VPN features desired. The ASA's feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, and IOS router is your only option. If you need a boost to VPN performance, you can install one of the AIM-VPN boards and get a significant increase to the number of tunnels and/or SSL session. On an 1841 the datasheet says about 800 tunnels and on a 2800 about 1500 tunnels. More info here:





                  If your looking for IPS, either platform will serve your needs: IOS routers have IPS AIM and IPS NME add on boards, and these will dramatically increase inspection performance over just using the router's resources. I believe the stats show the AIM @ 45mb/s and the NME @ 75mb/s w/ about 3000 signatures. The BIG advantage here, is that VPN traffic can be inspected after decryption. More here:






                  As far as firewall features, practically speaking, w/ the addition of Zone-Based firewalls in IOS 12.4, you aren't really missing anything from the IOS vs the ASA. I will say the ASA typically offers faster performance, but thats usually because the ASA is sort of a 1 trick pony and doing no dynamic routing protocols.


                  SO IN CONCLUSION.


                  If you're looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, probably the ASA is your best bet. If however you have a highly decentralized -internal- network where branch offices frequently talk to each other [and you could benefit from something like DMVPN], your deployment would be greatly simplified using something like a 2800 running IPSec SSO w/ the AIM-VPN card.


                  The 800's w/ 3G cards typically make for better branch office solutions than an ASA5505. The IPS is nice, and now w/ the incorporation of 3G cards, have better fault tolerance.


                  As a matter of personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router...it can add a significant amount of complexity to your design...and ultimately, your troubleshooting.

                  • 6. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall

                    Role isolation.  I've worked at several companies/groups now that require a dedicated box to demarcate the network.  You have the firewall that it's primary purpose is inspect traffic and enforce access restrictions.  Could you do this with a router? Yes, but you'd be stacking tasks up on a device and as mentioned, typically the CPU cycles become a concern.


                    I've also been explained that the ASA is built more off a switching platform than a router, so you get hardware acceleration.  I'm not familiar enough - I'm sorry to admit - with the internal machinations of the ASA to confirm this - but if it is true - than throughput is certainly a concern.


                    Also - ASAs can pair up, do failover, and can split into contexts.  Can IOS firewall do that?



                    I'm pretty bummed out that ASAs don't do certain things like BGP(even restricted tables), DMVPN, that the 5510s+ don't support EZVPN client mode, VPNs aren't supported in contexts, etc.  But, that is why you still have routers for I suppose.

                    • 7. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall
                      Cisco Jedi

                      Well as I said, if you're dealing w/ just an internal network, and you don't have a DMZ to worry about, then you can probably use IOS Routers. You can minimize the CPU overhead by using Stub areas, router-filtering, and subnet planning that lends to intelligent summarization. In regards to firewall failover, I believe it is possible w/ the IOS Zone-based firewall via HSRP or GLBP. Since its just a zone, you can associate that zone w/ anything [VTIs or loopbacks or vlan ip's]. As far as the classic CBAC style, it still may be possible, albeit weird w/ the ACL portion of the configuration.


                      And you are correct, the ASA is faster at pure traffic inspection, but not as feature rich as the router.


                      But really, on your internal networks, w/ all sites communicating via VPN's, your firewall inspection rules aren't usually that complex. I suspect you can mitigate some of the CPU damage w/ ACL's, thus prevent the traffic from hitting the inspection engine in the first place. [Since ACL's are evaluated before the firewall inspection rules.]

                      • 8. Re: Cisco ASA 5510 Vs. Cisco IOS Firewall
                        Jon Major CCIE# 47884

                        Amazing answers thus far, first of all. To add my two cents on the matter, I've used both IOS Firewall, and the ASA... for me the ASA just makes more sense. The short explanation as to why, the ASA feels secure by design while the IOS Firewall feels more as an afterthought. Not to say once the IOS Firewall is configured it does a "Bad" job, I actually found it to be fantastic. Though with ASA using named interfaces and security zones out of box feels like there is less locking down the ASA and more allowing legitimate traffic through the device, whereas the IOS Firewall feels as though it's in reverse. Once the router is setup, you're then going back to lock it down.