Cisco Support Community

Regarding Concentrator, ASA and Cisco IOS firewall

Hello friends,

I have little knowledge of security devices, so could someone please clarify the following:

1) What is the main difference in configurable options between the Concentrator, ASA and Cisco IOS firewall?

2) Why use a Concentrator when we can actually configure and terminate VPNs on a firewall?

3) If we can configure a Cisco router to act as a Cisco IOS firewall, then why use a firewall?

Thanks,

Hemant

Accepted Solutions

Re: Regarding Concentrator, ASA and Cisco IOS firewall

Hemant

1)  Concentrator = VPN only

     ASA = firewall/VPN/IDS,IPS

     IOS router = all the above + a lot of other functions

2)  The Concentrator used to be a nice and easy dedicated piece of kit to configure, with a good web interface. However, I think nowadays most people would go for an ASA to terminate VPNs rather than a concentrator.

3) Well, a router can do a lot of things. It can be a firewall, a VPN terminator, etc., and if you were looking to run DMVPN, for instance, where you wanted a dynamic routing protocol, then it would be the choice to make. In fact there are people who argue why buy anything but a router for this sort of thing, but personally I think ASA devices have their place. For a start they are designed to be firewalls whereas routers are not - CBAC on IOS routers is an additional feature and it can hit the CPU quite hard. In addition, routers by definition support a lot more features, hence have more code, hence have more bugs.

If you want to firewall then I would say go with the ASA, not a router, unless

a) you can't afford separate devices, in which case you may want to combine functionality into a router

or

b) you need additional features that a router supplies that a firewall can't, i.e. PBR would be a good example. Additional here meaning you want a firewall with PBR on one device, which would mean a router.

There is an increasing amount of overlap in devices and what they will do, and you can often combine certain functions into one device, but still it's fair to say a router's primary function is to route traffic from A -> B and a firewall's primary function is to allow/restrict traffic from A -> B. Trying to use one to do the other is acceptable but you need to know what you are doing. As an example, search on this site for "ASA PBR" and you'll see what I mean, i.e. people want to policy route traffic but they only have an ASA and so simply can't.

Jon
