Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


We currently have a number of non cisco security appliances and looking to migrate to Cisco. The question that came up was : do we get ASA's or the Firewall Services Module on our CAT6500 core switches, questions we have are as follows:

1) why would purchase on over the other?

2) is the syntax the same?

3) is the design different between one and the other?

4)is the feature set the same?

5) which is easier to work with?

6) are all the PIX\ASA docs on the cisco website also apply to the FWSM, ie. in terms of configuration, etc.

Anything else we need to know?

Hall of Fame Super Blue


1) Really depends on your topology and your firewall needs. FWSM has greater throughput and intergrates directly into the 6500 chassis so if you were looking to virtualise a data centre setup together with load-balancing/IDS the 6500 solution is a nice of rather expensive solution.

2) Give or take yes. FWSM 2.x code = Pix 6.x code. FWSM 3.x = Pix/ASA 7.x code.

Obviously there are syntax differences but if you know one you won't have much problem with the other.

3) The FWSM has strict hardware limits in terms of ACL's, xlates etc. The ASA doesn't have hard limits it just depends on the memory/CPU etc. The FWSM has direct access to the switch fabric in the 650 chassis.

4) No not really. They are both firewalls but the ASA can also do client/SSL VPN's, site-to-site VPN's, IPS etc.. ie. they are a fully featured security solution.

The FWSM is a firewall and that's it. If you want VPN's you need to bu addtional hardware. If you want IDS you have to buy additional hardware.

Note that with the ASA you also have to purchase modules for some additional functionality but nowhere near the same extent.

5) Not a lot of difference - see 2). Personally i quite like the FWSM but i don't really think one is easier than the order.

6) Yes - do a seach for FWSM configuration for the FWSM docs and likewise for ASA. Cisco is very good at docs and you will find full docs for each bit of kit.

Really does come down to eactly what you are trying to do. If you want an all round security device with more flexibility you may want to look at the ASA's. If you are looking to setup up multiple contexts together with perhaps load-balancing contexts with the ACE module etc. and you need maximum performance and most importantly you only need firewalling the FWSM is a very attractive option.


New Member


Jon, thanks for the thorough reply.

As far as I understand, the FWSM does not have any ports, do you need to use one of the 6500's ports and somehow apply it to the the FWSM?

A typical (physical) setup is as follows:

Internet -->Router -->firewall -->core switch

or simply

Internet -->firewall -->core switch

If the FWSM has no ports how would you connect the router (Internet device) to the FWSM? How does it work with vlans?

I am very familiar with the ASA, it's features, setup, etc. but did not work with the FWSM.

Thank you again

Hall of Fame Super Blue


Every port on the 6500 can be firewalled if that is what you wanted to do. So lets say you have a WS-X6748-GE-TX module which is a fabric enabled 10/100/1000 48 port ethernet module. You could use any of these ports and assign them to the FWSM.

To be specific you don't assign ports as such. What you do is assign vlans to the FWSM and then you would allocate ports into those vlans and they are then automatically firewalled.

So to connect a router to the FWSM you would physically connect the router to the 6500. Lets say you use vlan 10 for this. So this port is allocated into vlan 10. You then assign vlan to the FWSM and then create an interface on the FWSM for vlan 10 and give it an ip address. You would create an interface just as you would with the ASA just that as you say there is no actual physical port.

You need to be aware of collapsing all vlans onto a 6500 chassis if they will be Internet facing. If all you are doing is having Internet facing servers connected to your 6500 switches then the FWSM is okay but if you also have servers connected into the 6500 chassis that are not meant to be accessed from the Internet then i would be more inclined to use separate ASA's together with separate switches.

Because everything is logical with the 6500 FWSM solution ie. no physical separation you can very quickly commission a new DMZ but a slight misconfiguration can have much more serious consequences.

The FWSM is not difficult but it can take a while to get your head around the fact that it is all logical rather than physical.

Is there anything that is leading you to an FWSM rather than ASA devices ??