Regarding Concentrator, ASA and Cisco IOS firewall

Answered Question
Jan 9th, 2010

Hello friends,


I have little knowledge of security devices, so could someone please clarify the following:

1). What are the main different configurable options in the Concentrator, ASA and Cisco IOS firewall?

2). Why use a Concentrator when we can actually configure and terminate VPNs on a firewall?

3). If we can configure a Cisco router to act as a Cisco IOS firewall, then why use a firewall?


Thanks,

Hemant

Correct Answer by Jon Marshall about 7 years 5 months ago

Hemant


1)  Concentrator = VPN only
    ASA = firewall/VPN/IDS, IPS
    IOS router = all the above + a lot of other functions


2)  The Concentrator used to be a nice and easy dedicated piece of kit to configure, with a good web interface. However, I think nowadays most people would go for an ASA to terminate VPNs rather than a concentrator.


3) Well, a router can do a lot of things. It can be a firewall, a VPN terminator, etc., and if you were looking to run DMVPN, for instance, where you wanted a dynamic routing protocol, then it would be the choice to make. In fact, there are people who argue why buy anything but a router for this sort of thing, but personally I think ASA devices have their place. For a start, they are designed to be firewalls whereas routers are not - CBAC on IOS routers is an additional feature and it can hit the CPU quite hard. In addition, routers by definition support a lot more features, hence have more code, hence have more bugs.


If you want to firewall then I would say go with the ASA, not a router, unless


a) you can't afford separate devices in which case you may want to combine functionality into a router


or


b) you need additional features that a router supplies that a firewall can't, i.e. PBR would be a good example. Additional here meaning you want a firewall with PBR on one device, which would mean a router.


There is an increasing amount of overlap in devices and what they will do, and you can often combine certain functions into one device, but still it's fair to say a router's primary function is to route traffic from A -> B and a firewall's primary function is to allow/restrict traffic from A -> B. Trying to use one to do the other is acceptable but you need to know what you are doing. As an example, search on this site for "ASA PBR" and you'll see what I mean, i.e. people want to policy route traffic but they only have an ASA and so simply can't.


Jon
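
Case (b) in the answer above, a firewall with PBR on one device, sketched as an added Cisco IOS configuration (not part of the original post). Addresses are documentation ranges, and the interface, inspection, ACL and route-map names are placeholders chosen for illustration.

```cisco
! Constructed example: RFC 5737 addresses, placeholder names.

! --- CBAC: stateful inspection of sessions initiated from inside ---
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp

! Inbound ACL on the uplinks: drop everything that CBAC has not
! opened dynamically as return traffic for an inspected session.
ip access-list extended OUTSIDE-IN
 deny ip any any log

! --- PBR: steer inside web traffic to the second uplink ---
ip access-list extended PBR-WEB
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443

route-map PBR-INSIDE permit 10
 match ip address PBR-WEB
 set ip next-hop 198.51.100.2

interface GigabitEthernet0/0
 description inside LAN
 ip address 192.0.2.1 255.255.255.0
 ! Policy routing is applied where the traffic enters the router
 ip policy route-map PBR-INSIDE

interface GigabitEthernet0/1
 description primary uplink
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out

interface GigabitEthernet0/2
 description second uplink (PBR next hop lives here)
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

`show ip inspect sessions` lists the sessions CBAC is tracking, and `show processes cpu sorted` is where the CPU cost mentioned in the answer shows up.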

Jon Marshall Sat, 01/09/2010 - 13:25