
500 Series Router vs ASA 5505

liam
Level 1

I've got a very simple small business setup. In looking for a replacement firewall/router combo, I'm not able to find any comparison of the 500 series router vs the ASA 5505. I know in general these do different functions, but in a small business setup, it appears that these devices would both solve our need. Assuming that's true, is it safe to say the 5505 would be a better solution for our telecommuters to connect into?

17 Replies

Giuseppe Larosa
Hall of Fame

Hello Liam,

The ASA 5505 is better from a security point of view.

Hope to help

Giuseppe

Thanks Giuseppe. That's what I'd think. What about from a performance perspective? Any thoughts?

Hello Liam,

I've found the following document that provides some (declared) performance figures for different router platforms and for different ASA platforms.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns461_Networking_Solutions_Brochure.html

I don't think you can have performance issues if this is a small business scenario:

Cisco ASA 5505

25 simultaneous VPN connections

100 Mbps

As noted by Collin, the ASA fits better for remote access using IPsec and the VPN client, or you can also think of SSL VPN.

Hope to help

Giuseppe

paolo bevilacqua
Hall of Fame

Routers are more consistent, easy to configure, feature-rich and usable devices.

Collin Clark
VIP Alumni

Seeing your other post about the VPN client, I would have to say the ASA. It's easier to set up SSL VPN than on a router and I don't think SSL VPN on IOS is even out of T code yet. A router does have more functionality as Jon stated, but for remote access, the ASA is better (IMO).

Collin

"A router does have more functionality as Jon stated,"

Whilst I'm flattered to be mistaken for Paolo, just like to point out I would go with an ASA as well :-)

Jon

Thanks everyone...you're a huge help.

I saw the gold star and made an assumption ;-)

Hello Jon,

>> whilst i'm flattered to be mistaken for Paolo, just like to point out i would go with a ASA as well :-)

Simply Collin guessed you were going to read this thread!

Best Regards

Giuseppe

I know that Jon reads every post!

I have exposure to both and I see my colleague swearing all the time with the ASA (and he has 10 years' experience with them) as there is little debug capability, too many things just aren't possible, and the features are only a fraction of what a router does. Not to mention licensing headaches.

Take DMVPN for example, the modern way of connecting an enterprise over the internet. You need a router for that.

With the router, I always find a way to accommodate what the customer wants and more. Besides, I can debug what's going on and IOS is improved all the time.

Simply I don't see the same with the ASA.

Collin / Giuseppe

Not every post, I do have other things to do as well :-)

Paolo

Think all of us in this post have exposure to both types of device. I agree on the debug capabilities, even the PIX had better as far as I am concerned. But it is horses for courses and some things are easier on the ASA/PIX than a router.

NAT is a good example. Try to NAT all incoming traffic on the outside interface to the inside interface IP address on a router. Easy to do the reverse, i.e. NAT overload in to out, but not possible out to in. You have to use a NAT pool to achieve what you want. PIX/ASA: very easy to do both in to out and out to in. Lost count of the number of times I've wished IOS had that functionality.

PIX/ASA allows sh run from config mode etc., handy when you are in a rush. I know there is a "do " from config mode on IOS but not all IOS versions.

PIX/ASA uses natural masks in ACLs instead of wildcard masks, again a small thing but useful.

Then again PBR is possible on a router and not on an ASA/PIX, QoS is more feature rich in IOS etc.

As a doorway to the Internet I would pretty much always go with an ASA/PIX, too much functionality in a router, i.e. too many things to go wrong, unless there was a very good reason not to, e.g. as you pointed out, DMVPN.

Jon
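The natural-mask versus wildcard-mask difference mentioned above matters when ACL lines are moved between the two platforms. The following Python is an added example, not code from the thread or from Cisco: it classifies a mask, converts between the two forms, and flags ACL lines whose mask is written in the other platform's convention. The function names and the sample ACL lines are constructed for illustration.

```python
import ipaddress

FULL = 0xFFFFFFFF
# Convention that does NOT belong on each platform (ASA: netmask, IOS: wildcard).
OTHER = {"asa": "wildcard", "ios": "netmask"}

def _ones_then_zeros(value):
    inv = value ^ FULL
    return inv & (inv + 1) == 0

def classify_mask(mask):
    """Return 'netmask', 'wildcard', 'ambiguous' or 'noncontiguous'."""
    value = int(ipaddress.IPv4Address(mask))
    if value in (0, FULL):
        return "ambiguous"  # legal in both conventions, with opposite meanings
    if _ones_then_zeros(value):
        return "netmask"
    if _ones_then_zeros(value ^ FULL):
        return "wildcard"
    return "noncontiguous"

def invert_mask(mask):
    """Netmask <-> wildcard; refuse masks with no contiguous equivalent."""
    if classify_mask(mask) == "noncontiguous":
        raise ValueError(f"{mask} cannot be expressed as a netmask")
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ FULL))

def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def lint_acl(platform, line):
    """Return the masks in one ACL line that use the other platform's convention."""
    tokens, wrong, i = line.split(), [], 0
    while i < len(tokens) - 1:
        if tokens[i] == "host":              # "host A.B.C.D" carries no mask
            i += 2
        elif _is_ip(tokens[i]) and _is_ip(tokens[i + 1]):
            if classify_mask(tokens[i + 1]) == OTHER[platform]:
                wrong.append(tokens[i + 1])
            i += 2
        else:
            i += 1
    return wrong

# Constructed sample lines, each carrying a mask in the wrong convention.
ASA_LINE = "access-list OUTSIDE_IN extended permit tcp any 192.168.10.0 0.0.0.255 eq 443"
IOS_LINE = "access-list 101 permit ip host 10.1.1.1 10.2.0.0 255.255.0.0"

if __name__ == "__main__":
    print(lint_acl("asa", ASA_LINE), lint_acl("ios", IOS_LINE))
```

The masks 0.0.0.0 and 255.255.255.255 are reported as ambiguous and never flagged, because they are valid in both conventions and only the source platform tells you which meaning was intended.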

Small things first...

In the router, generally I stay in config mode and prefix exec commands with "d ".

"Reversed netmask" in ACLs doesn't bother me at all, it helps remind me that these are NOT netmasks.

Then when you start comparing big things... the ASA just seems to be the eternal loser.

The only reason my customers buy it is because that is still what Cisco sells as "true firewall".

Okay, just wanted to offer a different view :-)

"In the router, generally I stay in config mode and prefix exec commands with "d". - yep see previous post.

"The only reason my customers buy it is because that is still what Cisco sells as "true firewall""

It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs. The "big things" are often not needed on a pure security device and nor would you necessarily want them.

I'm not arguing either for the router or the ASA, I just don't agree with sweeping statements such as "routers are more consistent, easy to configure..." - it all depends on what you are trying to do.

Jon
