Cisco Support Community

New Member

C2921 firewall vs. ASA 5510

Hello, can you please point out a comparison between C2921 router firewall and ASA5510.

Also, do you think C2921 can replace ASA 5510? Thanks.

2 REPLIES
Hall of Fame Super Silver

C2921 firewall vs. ASA 5510

Some thoughts:

A 2921 router would be running IOS Zone-based firewall (ZBFW). That's quite a different setup than an ASA, which does firewall plus much more security-wise.

The community knowledge is much more widespread for ASA firewall vs. ZBFW.

Configuration is much more accessible for ASA using ASDM and its wizards vs. Cisco Configuration Professional for the 2921. Also tools such as packet capture are much simpler on the ASA.

ASA firewall performance will typically be higher due to custom-built ASICs (although VPN ASC in 2921 helps).

An IOS ZBFW can do DMVPN which an ASA cannot.

A router can run multiple routing protocols. An ASA is limited to EIGRP and OSPF and not all features of those are available.

Hope this helps.

Re: C2921 firewall vs. ASA 5510

One of the advantages from my perspective would be that the IOS router will support routing protocols in a more extended way than the ASA.

The router supports Policy-Based Routing (routing based on source IP addresses).

The router does QoS in a more extended way than the ASA, etc.

The thing is that by default the router is not a security device, so we will need to configure it in a way that it can protect our network.

If you ask me what I prefer (ZBFW or CBAC, which are the 2 built-in firewall options on an IOS router):

I would recommend ZBFW 100%, which lets you be more flexible with your actions in security policies. (You can be as granular as you want.)

Regards,

Julio

Cisco TAC Engineer

Hope I could help,

P.S.: The ASA is the best option on the market in the security area for monitoring and troubleshooting.

The ASA is capable of having a local-host table, a conn table to correlate events, etc.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com