ASA 5520 or FWSM

Unanswered Question
Oct 6th, 2009

We are currently using an FWSM over 6509 as firewall for our various services.

We are in the process of studying if it needs to be replaced by a more complete firewall rather than using a module.

Is the ASA 5520 better than the FWSM module? If yes, please suggest the differences.

Thanks.

Yudong Wu Tue, 10/06/2009 - 20:33

One big difference is that the FWSM does not support VPN, but the 5520 supports various VPNs such as IPSec and Web VPN.

Jon Marshall Wed, 10/07/2009 - 04:04

Sunny

As Kevin has noted the ASA supports VPN/IDS/IPS which the FWSM does not.

In addition it really depends on what you are firewalling, the throughput needed etc.

The FWSM will have greater throughput than the 5520. It also integrates directly into the 6500 chassis and if you are also using ACE/CSM modules for load-balancing the FWSM is a good fit. I have used both. I have used FWSMs in a data centre environment where the requirement was to firewall multiple server VLANs together with load-balancing. For this scenario the FWSM was a good fit.

But, throughput aside, the same could be done with an ASA 5520 with the additional benefit of being able to add on additional services.

So the answer to your question is: do you need more services than just firewalling, i.e. VPNs, IPS/IDS etc.? Note that these additional services can also be provided by 6500 line cards, i.e. the IDS modules, VPN SPA, but they use slots in the chassis and can be expensive.

Jon

suthomas1 Wed, 10/07/2009 - 07:27

Thanks for the response.

The current FWSM is firewalling various server segments in the DC used for access by different locations, although with no load-balancing.

"The FWSM will have greater throughput than the 5520" - this is new info for me. I was under the impression that the ASA (since it's a firewall box rather than a module like the FWSM) supports more throughput or sessions.

Any specific reasons why the FWSM is more sturdy for throughput? Is it because of the backplane capacity of 650X switches?

I was looking more from throughput, handling capacity and sessions for replacing the FWSM with an ASA.

Jon Marshall Wed, 10/07/2009 - 08:28

Sunny

The FWSM can support up to 5.5Gbps throughput and 1 million concurrent connections.

The ASA 5520 can support up to 450Mbps throughput and 280,000 concurrent connections.

So you can see that the FWSM can support a lot more throughput and yes part of the reason is to do with it being integrated into the 6500 chassis.

Note that the ASA 5580s are comparable in terms of performance in throughput to the FWSM.

Attached are links to data sheets for

FWSM - http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Jon
