Cisco Support Community

ASA vs. FWSM

New Member

I am looking for some real-world feedback comparing the ASA series to the FWSM on a 6500 series. Looking at things like robustness, flexibility, IDS/IPS, etc. and anything else that might be relevant in the real world.

Thanks in advance!  All replies rated

Cisco Employee

Re: ASA vs. FWSM

I'd go with the ASA as the FWSM has limitations which you can read here:

Please look at feature limits and rule limits.


Cisco Employee

Re: ASA vs. FWSM

It depends on the ASA you are thinking of.

The 5580-40 is much more robust than an FWSM.

Also the 5510, 5520, 5540 have the capability to incorporate an IPS card in them.

The FWSM has some hardware limitations like ACL space.

I would suggest checking what KS suggested and also checking the speeds the models you are thinking of can support.

The FWSM has a nominal maximum throughput of about 5.5 Gbps.

I hope it helps.


New Member

Re: ASA vs. FWSM

That depends ...

The FWSMs are weird beasts that run a code version somewhere between PIXOS and ASA.

They have crazy throughput and nice VLAN support and integrate tightly with the 6500s. I met a guy running a huge financial datacentre who had 6 in a 6509E :-0

We have three pairs of them. One is in a datacentre, where these puppies really make sense.

I know lots of hosting providers use them so they can use the virtualization for clients (i.e. one virtual firewall for each client).

The code base doesn't seem to be developed as fast as the ASA's; it almost seems to be an afterthought sometimes.

I've got a couple of ASA5580-20s sitting on the loading dock but haven't had time to play with them yet. We were considering the -40 models with 10gig modules but they are crazy expensive (both the XENPAKs and the two additional CPU and memory kits).

A limit with any ASA (correct me if I am wrong please) is that you can't port-channel the interfaces, so you are limited to a single Gig on your outside interface, which is an issue for us in our data centre (and, like I said, the 10Gig modules are insanely expensive).

As for the comments about the IDS - you can get the IDSM2 service modules for the 6500 but, again, they are expensive and limited again to 2 gigE taps.
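The "one virtual firewall per client" deployment mentioned above, as an added configuration example that is not from the thread or from Cisco documentation: the supervisor hands VLANs to the FWSM, the FWSM system space is put in multiple-context mode with one context per tenant plus a resource class so one tenant cannot exhaust shared connection and xlate tables, and one tenant context publishes a single HTTPS service. Slot number, VLAN IDs, context names, addresses and the resource percentages are all assumed values; the syntax is FWSM 3.x/4.x style (old-style `static` NAT), which differs from later ASA releases.

```cisco
! --- Supervisor 720 (IOS), FWSM assumed in slot 3 ---
! The FWSM's only interfaces are VLANs, so the supervisor must hand them over.
vlan 10,100,101,200,201
firewall vlan-group 10 10,100,101,200,201
firewall module 3 vlan-group 10

! --- FWSM system execution space ---
mode multiple
admin-context admin
context admin
  allocate-interface vlan10
  config-url disk:/admin.cfg

! Resource class (assumed limits) so one tenant cannot starve the others.
class tenant-small
  limit-resource conns 10%
  limit-resource xlates 10%
  limit-resource hosts 10%

context custA
  allocate-interface vlan100
  allocate-interface vlan101
  config-url disk:/custA.cfg
  member tenant-small

context custB
  allocate-interface vlan200
  allocate-interface vlan201
  config-url disk:/custB.cfg
  member tenant-small

! --- Inside tenant context custA (changeto context custA) ---
interface vlan100
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.248
interface vlan101
  nameif inside
  security-level 100
  ip address 10.100.0.1 255.255.255.0
! Only the tenant's published HTTPS server is reachable from outside;
! everything else inbound is dropped by the implicit deny.
static (inside,outside) 203.0.113.3 10.100.0.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-group OUTSIDE_IN in interface outside
```

The checks that go with this are the ones the earlier reply points at: from the system space, `show mode` confirms multiple-context mode and `show resource usage context custA` shows how close a tenant is to its class limits; on FWSM 4.x, `show resource acl-partition` shows how the fixed ACL memory is split across contexts, which is where the "rule limits" bite when many tenants each carry large access lists.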
