07-06-2009 05:37 PM - edited 03-04-2019 05:20 AM
I've got a very simple small business setup. In looking for a replacement firewall/router combo, I'm not able to find any comparison of the 500 series router vs the ASA 5505. I know in general these do different functions, but in a small business setup, it appears that these devices would both solve our need. Assuming that's true, is it safe to say the 5505 would be a better solution for our telecommuters to connect into?
07-07-2009 12:05 AM
Hello Liam,
the ASA 5505 is better from a security point of view.
Hope to help
Giuseppe
07-07-2009 05:57 AM
Thanks Giuseppe. That's what I'd think. What about from a performance perspective? Any thoughts?
07-07-2009 09:10 AM
Hello Liam,
I've found the following document that provides some (declared) performance figures for different router platforms and for different ASA platforms.
I don't think you can have performance issues if this is a small business scenario:
Cisco ASA 5505: 25 simultaneous VPN connections; 100 Mbps
As noted by Collin, the ASA fits better for remote access using IPsec and the VPN client; you can also think of SSL VPN.
Hope to help
Giuseppe
07-07-2009 01:13 AM
Routers are more consistent, easy to configure, feature rich and useable devices.
07-07-2009 05:08 AM
Seeing your other post about the VPN client, I would have to say the ASA. It's easier to setup SSL VPN than a router and I don't think SSL VPN on IOS is even out of T code yet. A router does have more functionality as Jon stated, but for remote access, the ASA is better (IMO).
07-07-2009 11:40 AM
Collin
"A router does have more functionality as Jon stated,"
whilst I'm flattered to be mistaken for Paolo, just like to point out I would go with an ASA as well :-)
Jon
07-07-2009 12:10 PM
Thanks everyone...you're a huge help.
07-07-2009 01:03 PM
I saw the gold star and made an assumption ;-)
07-07-2009 01:10 PM
Hello Jon,
>> whilst I'm flattered to be mistaken for Paolo, just like to point out I would go with an ASA as well :-)
Simply Collin guessed you were going to read this thread!
Best Regards
Giuseppe
07-07-2009 01:12 PM
I know that Jon reads every post!
07-07-2009 01:22 PM
I have exposure to both and I see my colleague swearing all the time with the ASA (and he has 10 years' experience with them) as there is little debug capability, too many things just aren't possible, and the features are only a fraction of what a router does. Not to mention licensing headaches.
Take DMVPN for example, the modern way of connecting an enterprise over the internet. You need a router for that.
With the router, I always find a way to accommodate what the customer wants and more. Besides, I can debug what's going on and IOS is improved all the time.
Simply I don't see the same with the ASA.
07-07-2009 02:24 PM
Collin / Giuseppe
Not every post, I do have other things to do as well :-)
Paolo
Think all of us in this post have exposure to both types of device. I agree on the debug capabilities, even the PIX had better as far as I am concerned. But it is horses for courses and some things are easier on the ASA/PIX than a router.
NAT is a good example. Try to NAT all incoming traffic on the outside interface to the inside interface IP address on a router. Easy to do the reverse, i.e. NAT overload in to out, but not possible out to in. You have to use a NAT pool to achieve what you want. PIX/ASA very easy to do both in to out, out to in. Lost count of the number of times I've wished IOS had that functionality.
Pix/ASA allows sh run from config mode etc.., handy when you are in a rush. I know there is a "do
PIX/ASA uses natural masks in ACLs instead of wildcard masks, again a small thing but useful.
Then again PBR is possible on a router and not on an ASA/PIX, QoS is more feature rich in IOS etc.
As a doorway to the Internet I would pretty much always go with an ASA/PIX, too much functionality in a router, i.e. too many things to go wrong, unless there was a very good reason not to, e.g. as you pointed out DMVPN.
Jon
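The NAT overload and ACL mask points Jon raises, shown side by side as an added configuration example that is not from this thread or from Cisco documentation; it assumes a LAN of 192.168.1.0/24, IOS interfaces FastEthernet0/1 (inside) and FastEthernet0/0 (outside), a partner network 198.51.100.0/24 allowed to reach the public address 203.0.113.10 on TCP/443, and the pre-8.3 ASA nat/global syntax current in 2009.

```cisco
! ===== IOS router (assumed names/addresses): inside-to-outside PAT =====
! IOS ACLs use wildcard (inverted) masks: 0.0.0.255 matches a /24
access-list 1 permit 192.168.1.0 0.0.0.255
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
! All inside hosts share the outside interface address (overload = PAT)
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Inbound filter on the outside interface, again in wildcard notation
! (publishing 203.0.113.10:443 also needs a static NAT entry, omitted here)
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 443
access-list 101 deny ip any any log
interface FastEthernet0/0
 ip access-group 101 in

! ===== ASA, pre-8.3 syntax: the same inside-to-outside PAT =====
! ASA ACLs use natural subnet masks: 255.255.255.0 is the /24
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Same inbound rule; note the mask written the "normal" way
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

When porting rules between the two platforms, check every mask: a /24 copied verbatim from IOS to the ASA (0.0.0.255) would match almost nothing, and the reverse (255.255.255.0 on IOS) matches far more than intended.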
07-07-2009 02:38 PM
Small things first...
In the router, generally I stay in config mode and prefix exec commands with "d ".
"reversed netmask" in ACLs doesn't bother me at all, it helps remind me that these are NOT netmasks.
Then when you start comparing big things... the ASA just seems to be the eternal loser.
The only reason my customers buy it is because that is still what Cisco sells as a "true firewall".
07-07-2009 02:54 PM
Okay, just wanted to offer a different view :-)
"In the router, generally I stay in config mode and prefix exec commands with "d"." - yep, see previous post.
"The only reason my customers buy it is because that is still what Cisco sells as a "true firewall""
It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs. The "big things" are often not needed on a pure security device and nor would you necessarily want them.
I'm not arguing either for the router or the ASA, I just don't agree with sweeping statements such as "routers are more consistent, easy to configure..." - it all depends on what you are trying to do.
Jon