Should we use a Firewall (ASA), or Router (such as one with firewall feature set) for security between two company networks? And what is the difference in using one over the other and benefits/cons? I have what I think is the answer, I just want to see what the experts say... ;-)
The ASA was built as a firewall. The Router was built as a router and the FW functionality came after.
There are multiple differences in the implementation, the features and the functionality of the 2. We are talking about two different beasts. Efficiency, performance and functions I could say are much better on the ASA compared to IOS. ZBF on the router is also harder to manage and follow.
I would definitely use an ASA for firewalling instead of a router, if I could afford having one.
If you only want to use ACLs there aren't many differences.
There are ACL size and performance differences but for real world ACLs (not huge) both are mostly doing the same job. There is a difference that IOS added object groups recently and there are slight differences. But more or less if you just want to use ACLs both will do the same job.
I generally agree with Panos when he says an ASA is the way to go but it is not always that cut and dried. A router comes with a lot more features than an ASA. There is an argument that says the fewer features the better in terms of bugs in code etc. and there is some truth in this.
But what happens if among your criteria for the device apart from firewalling you needed BGP support and a full QoS feature set? Or you need to terminate a non-Ethernet connection straight into your firewall. Or you want your firewall to also support MPLS. Then a router is a more logical choice. And yes you could argue for separate devices if you need BGP/full QoS etc. but sometimes the budget just isn't there.
If it is just firewalling then as Panos says ASA is the way to go but there can be other considerations.
I have seen a fair few questions on NetPro asking how to send some traffic one way and other traffic another way on an ASA. And it's not possible because the ASA does not support PBR (Policy Based Routing).
This, I think, is one of the more common things that people want to do with their firewall that would dictate using a router.