FWSM v ASA

Jan 8th, 2008

Folks,

I have a data centre which needs a firewall in front of it, and I'm being told to use an FWSM since there is a 6500 in place.

My problem is I don't manage the switch, and I prefer the idea of physical separation.

I also have no experience of dealing with the FWSM. Is it exactly the same as the ASA, and does it have the same full functionality?

Also, does it use the 6500 switch for inbound and outbound ports?

Thanks to anyone taking the time to reply.

JORGE RODRIGUEZ Tue, 01/08/2008 - 14:36

It all depends. I have been in large organizations where they had FWSMs in a redundant architecture using dual 6509 cores with FWSM modules in each, in their server switch block farm, servicing 300+ servers but separated from the users' switch block. FWSM configuration initially may differ from that of the PIX and ASA depending on how it is deployed (routed, transparent or context modes), but once that initial FWSM deployment is established, the syntax and functionality is the same as the ASA firewalls; the same principle applies to deploying the FWSM standalone or active/failover or active/active, etc. I personally like the idea of separation as well for administration. I have dealt with PIX and recently started with ASA, but for FWSM I must say my comment is based on reading. A book obtained a few months ago from Cisco Press presented the three platforms, covering the CLI syntax for PIX, ASA and FWSM, and revealed that almost 95% of the CLI is the same; of course, depending on what code version they run, there are a few changes in some commands, as it may vary from code to code and some commands are deprecated, but I believe if you have worked with the PIX, you can deal with the ASA and FWSM, and the other way around.



Here are some of the most common Q&A on the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml

ASA solutions:

http://www.cisco.com/en/US/products/ps6120/prod_brochure_list.html

Rgds

Jorge


cisco24x7 Tue, 01/08/2008 - 16:10

Here is my take on this:

We also have a data center where we house about 700+ servers: Solaris, Linux, Windows, etc. We also do not manage these switches ourselves.

If you have simple rulebases, then it probably makes sense to go with ASA or FWSM. However, in our situation, we have a very complex rulebase, about 900+ rules in the firewalls, with a lot of host/network group objects and service group objects. Doing this with either ASA or FWSM is not a desirable solution.

Furthermore, if you decide to use FWSM, please be aware of the limitations regarding the number of lines you can have in the configuration: <64K lines or something in single context and <128K in multiple context. When you talk about complex rulebases with multiple object-groups, those lines can multiply in a hurry. I think the same thing applies to PIX/ASA. The other thing you have to consider is support. When you have a complex rulebase with complex NAT, you increase the possibility of an outage.

Anyway, in our situation, we decided to use Checkpoint NGX R65 firewalls on SecurePlatform, managed via Checkpoint Provider-1 centralized management. We configure Checkpoint to run in Active/Active/Active mode, cluster mode. Yes, Checkpoint is expensive, but managing the rulebase is very simple.

Those are the things you must consider in deploying firewalls at your data center:

1- Easy to configure, Cisco
2- Easy to support, Checkpoint
3- Easy to troubleshoot, Checkpoint w/ tcpdump
4- Cost, Cisco

good luck.
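To put a number on the "lines can multiply in a hurry" point above, here is an added Python example (not code from any poster or from Cisco) that counts how many expanded ACEs a set of object-group-based access-list lines becomes, which is what a platform counts against its ACE limit. The sample config, group names and addresses are constructed; it assumes flat groups (nested group-object entries and ranges are counted as a single member, not expanded).

```python
import re

# Constructed sample config (names and addresses invented) in PIX/ASA/FWSM syntax.
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object host 10.1.1.12
object-group network DB_SERVERS
 network-object host 10.2.2.10
 network-object host 10.2.2.11
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp object-group WEB_SERVERS object-group DB_SERVERS eq 1433
access-list OUTSIDE_IN extended deny ip any any
"""

GROUP_HEADER = re.compile(r"^object-group (?:network|service|protocol|icmp-type) (\S+)")

def parse_group_sizes(config):
    """Map each object-group name to its member count (flat groups only;
    a nested 'group-object' line is counted as one member, not expanded)."""
    sizes, current = {}, None
    for line in config.splitlines():
        m = GROUP_HEADER.match(line)
        if m:
            current = m.group(1)
            sizes[current] = 0
        elif line.startswith(" ") and current is not None:
            sizes[current] += 1        # indented member line of the open group
        else:
            current = None             # any other top-level command ends the group
    return sizes

def expanded_ace_count(config):
    """Number of expanded ACEs: each access-list line contributes the product
    of the sizes of the object-groups it references (1 if it uses none)."""
    sizes = parse_group_sizes(config)
    total = 0
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        aces = 1
        for name in re.findall(r"object-group (\S+)", line):
            aces *= sizes.get(name, 1)  # unknown group: count as a single entry
        total += aces
    return total

def acl_fits(config, ace_limit):
    """True when the expanded rulebase stays within a platform ACE limit."""
    return expanded_ace_count(config) <= ace_limit
```

Three configured lines here expand to 13 ACEs (3x2 + 3x2 + 1); real rulebases with hundreds of lines and large groups reach hard platform limits far sooner than the line count suggests.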





Jon Marshall Tue, 01/08/2008 - 23:27

Hi

Thought I'd add my thoughts to this.

We use FWSMs in our data centre 6500 switches, and if given the choice between having to use a standalone ASA/PIX or the FWSM in this scenario I would go with the FWSM most times (cost allowing). If you are looking to virtualise your data centre in terms of firewalling/load balancing/VPN services, then the 6500 solution is an appealing choice in that it becomes very easy to provision new firewalled, load-balanced, firewalled + load-balanced, etc. VLANs.

Of course it depends on how much firewalling you are intending to do. To firewall one server VLAN with an FWSM would be overkill to say the least, and here I may well go with a standalone device.

David makes a good point in that there are hard limits on the FWSM rather than the soft limits you find on some of the standalone devices, i.e. on the FWSM you can only have x amount of NAT translations or y amount of access-list lines because it is ASIC based and the limits are built in. Software limitations come down to the amount of memory/CPU horsepower etc.

I also agree with David on the management of the devices. Checkpoint have this really sussed and have done for a long time. Cisco's weak point on a lot of their hardware is the management software that goes with it; not an issue if, like me, you come from a Unix command line background, but it is becoming more important to have good provisioning tools for the hardware, and Checkpoint is still better in my opinion. To be completely fair, Cisco have a hell of a lot more products than Checkpoint, so integration of the management tools will always be a challenge.

If you have a 6500 and you are looking to do a sizeable amount of firewalling, then the FWSM is a decent choice.


Jon

jploubis Fri, 02/08/2008 - 06:31

Hi Jon,

We have a 6509 with a WS-SVC-FWM-1 running 3.2(4).

We also want to make NAT translations for a large number of customers (each customer's VLAN will be NATed to a specific global IP) ----> we have to configure too many global pools:

FWSM# sh resource usage detail
Resource          Current    Peak       Limit      Denied  Context
memory            252105248  252296040  unlimited  0       System
....
....
....
globals           2000       2000       4204       0       System **********
np-statics        2247       2247       4096       0       System
statics           278        278        2048       0       System
ace-rules         3634       3634       52000      N/A     System
....
....
policy-nat-rules  2777       2777       10000      N/A     System
fixup-rules       120        120        10000      N/A     System

Although we have more than 2K NAT rules (almost 3K), the configuration file doesn't accept more than 2K global commands:

FWSM(config)# global (outside) 2096 XXX.XXX.XXX.XXX netmask 255.255.255$
INFO: Global XXX.XXX.XXX.XXX will be Port Address Translated
Error: Too Many Global Pools

Any ideas to accept more global pools, up to the limit of 4204??

(data-sheet info:
max NAT rules 2K
Max Global Pools 4k)

TIA,

John
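As an added example (not code from the thread or from Cisco), here is a small Python parser for the "show resource usage detail" output above that flags resources close to their effective cap. It assumes the column layout shown in the post, and it accepts a separately documented cap per resource, because the displayed Limit (4204 globals) is evidently not the ceiling the CLI enforced (it refused the 2001st global); the threshold value is a chosen default.

```python
import re

# Sample output, reproduced from the FWSM 3.2(4) "show resource usage detail"
# excerpt in the post above ("...." lines are the poster's elisions).
SAMPLE_OUTPUT = """\
Resource          Current    Peak       Limit      Denied  Context
memory            252105248  252296040  unlimited  0       System
....
globals           2000       2000       4204       0       System **********
np-statics        2247       2247       4096       0       System
statics           278        278        2048       0       System
ace-rules         3634       3634       52000      N/A     System
policy-nat-rules  2777       2777       10000      N/A     System
fixup-rules       120        120        10000      N/A     System
"""

# name, current, peak, limit|unlimited, denied|N/A, context; trailing markers ignored
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+|unlimited)\s+(\d+|N/A)\s+(\S+)")

def parse_resource_usage(text):
    """Return {resource: {current, peak, limit, denied, context}} from the show output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                      # header, blank lines and "...." elisions
            continue
        name, cur, peak, limit, denied, ctx = m.groups()
        rows[name] = {
            "current": int(cur),
            "peak": int(peak),
            "limit": None if limit == "unlimited" else int(limit),
            "denied": None if denied == "N/A" else int(denied),
            "context": ctx,
        }
    return rows

def check_capacity(rows, threshold=0.8, documented_caps=None):
    """Flag resources whose current use is at or above `threshold` of the
    effective cap, i.e. the lower of the displayed Limit and any documented
    cap passed in (the post shows 2000 globals refusing growth at Limit 4204)."""
    documented_caps = documented_caps or {}
    flagged = {}
    for name, r in rows.items():
        caps = [c for c in (r["limit"], documented_caps.get(name)) if c is not None]
        if not caps:                   # "unlimited" with no documented cap
            continue
        ratio = r["current"] / min(caps)
        if ratio >= threshold:
            flagged[name] = round(ratio, 2)
    return flagged
```

Run against the post's figures, nothing is flagged by the displayed limits alone, but passing documented_caps={"globals": 2000} reports globals at 100%, which is the condition that produced "Error: Too Many Global Pools".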

