10-22-2009 04:52 AM - edited 03-11-2019 09:29 AM
Say you were asked the following question.
Should we use a Firewall (ASA), or Router (such as one with firewall feature set) for security between two company networks. And what is the difference in using one over the other and benefits/cons? I have what I think is the answer I just want to see what the experts say...;-).
10-22-2009 05:37 AM
ASA is your answer!
The ASA was built as a firewall. The Router was built as a router and the FW functionality came after.
There are multiple differences in the implementation, the features and the functionality of the 2. We are talking about two different beasts. Efficiency, performance and functions I could say are much better on the ASA compared to IOS. ZBF on the router is also harder to manage and follow.
I would definitely use an ASA for firewalling instead of a router, if I could afford having one.
I hope it helps.
PK
10-22-2009 05:40 AM
Thanks PK for your response,
Between just basic packet filtering (router vs. ASA) with ACL's can you describe the main difference if any.
Thanks
10-22-2009 05:45 AM
If you only want to use ACLs there aren't many differences.
There are ACL size and performance differences but for real world ACLs (not huge) both are mostly doing the same job. There is a difference that IOS added object groups recently and there are slight differences. But more or less if you just want to use ACLs both will do the same job.
PK
10-22-2009 05:46 AM
Note that the ASA even with ACLs is smart enough to open return traffic whereas the router checks everything on ACLs if you are not using stateful inspections.
PK
10-22-2009 05:55 AM
Brandon
Just to put another point of view.
I generally agree with Panos when he says an ASA is the way to go but it is not always that cut and dried. A router comes with a lot more features than an ASA. There is an argument that says the less features the better in terms of bugs in code etc. and there is some truth in this.
But what happens if among your criteria for the device apart from firewalling you needed BGP support and a full QOS feature set. Or you need to terminate a non ethernet connection straight into your firewall. Or you want your firewall to also support MPLS. Then a router is a more logical choice. And yes you could argue for separate devices if you need BGP/full QOS etc. but sometimes the budget just isn't there.
If it is just firewalling then as Panos says ASA is way to go but there can be other considerations.
Jon
10-22-2009 06:12 AM
Another thing to consider is that with IOS router, you CAN terminate GRE and IPSec on the same device whereas with ASA you can not terminate GRE on the ASA.
If you're looking for just VPN, then IOS offers much more flexibilities than ASA.
my 2c.
10-22-2009 06:58 AM
Brandon
Just a final point which i forgot to mention.
I have seen a fair few questions on NetPro asking how to send some traffic one way and other traffic another way on an ASA. And it's not possible because the ASA does not support PBR (Policy Based Routing).
This i think is one of the more common things that people want to do with their firewall that would dictate using a router.
Jon
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: