Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5210
Views
23
Helpful
3
Replies

ASA vs. FWSM

angel-moon
Level 3
Level 3

‎02-24-2010 09:07 AM - edited ‎03-11-2019 10:14 AM

All,

I am looking on some realword feedback on comparing the ASA series to the FWSM on a 6500 series.  Looking at things like robustness, flexibilty, IDS/IPS, etc. and anything else that migght be relevant in the real world.

Thanks in advance!  All replies rated

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎02-24-2010 09:11 AM

I'd go with the ASA as the FWSM has limitations which you can read here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html

Pls. look at feature limits and rule limits.

-KS

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Kureli Sankar

‎02-24-2010 11:10 AM

It depends on the ASA you are thinking of.

The 5580-40 is much more robust than an FWSM.

Also the 5510, 5520, 5540 have the capability to incorporate an IPS card in them.

The FWSM has some hardware limitations like ACL space.

I would suggest to check what KS suggested and also check the speeds the models you are thinking of can support.

the FWSM has a name maximum throughput about 5.5Gbps.

I hope it helps.

PK

GrumpyBear
Level 1
Level 1

‎02-25-2010 10:29 AM

That depends ...

The FWSMs are weird beasts that run a code version somewhere between PIXOS and ASA.

They have crazy throughput and nice vlan support and integrate tightly with the 6500s.  I met a guy running a huge finacial datacentre who had 6 in a 6509E :-0

We have three pairs of them.  One is in a DataCentre, where these puppies really make sense.

I know lots of hosting providers use them so they can use the virtualization for clients (i.e. one virtual firewall for each client)

The code base doesn't seem to be developed as fast as the ASA it's almost seems to be an afterthought sometimes.

I've got a couple of ASA5580-20s sitting on the loading dock but haven't had time to play with them yet.  We were considering the -40 models with 10gig modules but they are crazy expensive (both the Xenpaks & the two additional CPU & Memory Kits).

A limit with any ASA (correct me if I am wrong please) is that you can't port-channel the interfaces so you are limited to a single Gig on your outside interface which is an issue for us in our data centre (and, like I said the 10Gig modules are insanely expensive).

As for the comments about the IDS - you can get the IDSM2 service modules for the 6500 but, again, they are expensive and limited again to 2 gigE taps.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card