It all depends. I have been in large organizations where they had FWSMs in a redundant architecture, using dual 6509 cores with FWSM modules in each in their server switch block farm, servicing 300+ servers but separated from the users' switch block. FWSM configuration may initially differ from that of PIX and ASA depending on how it is deployed (routed, transparent or context modes), but once that initial FWSM deployment is established the syntax and functionality are the same as the ASA firewalls. The same principle applies when deploying FWSM in standalone, active/failover or active/active etc.; it is all the same principle. I personally like the idea of separation as well for administration. I have dealt with PIX and recently started with ASA, but for FWSM I must say my comment is based on reading. A book I obtained a few months ago from Cisco Press presented the three platforms, covering the CLI syntax for PIX, ASA and FWSM, to reveal that almost 95% of the CLI is the same. Of course, depending on what code version they run, there are a few changes in some commands, as they may vary from code to code and some commands are deprecated, but I believe if you have worked with PIX, you can deal with ASA and FWSM, and the other way around.
We use FWSMs in our data centre 6500 switches, and if given the choice between having to use a standalone ASA/PIX or the FWSM in this scenario I would go with the FWSM most times (cost allowing). If you are looking to virtualise your data centre in terms of firewalling/load balancing/VPN services then the 6500 solution is an appealing choice, in that it becomes very easy to provision new firewalled/load-balanced/firewalled + load-balanced etc. VLANs.
Of course it depends on how much firewalling you are intending to do. To firewall one server VLAN with an FWSM would be overkill to say the least, and here I may well go with a standalone device.
David makes a good point in that there are hard limits on the FWSM rather than the soft limits you find on some of the standalone devices, i.e. on the FWSM you can only have x amount of NAT translations or y amount of access-list lines because it is ASIC based and the limits are built in. Software limitations come down to the amount of memory/CPU horsepower etc.
I also agree with David on the management of the devices. Checkpoint have this really sussed and have done for a long time. Cisco's weak point on a lot of their hardware is the management software that goes with it; not an issue if, like me, you come from a Unix command line background, but it is becoming more important to have good provisioning tools for the hardware, and Checkpoint is still better in my opinion. To be completely fair, Cisco have a hell of a lot more products than Checkpoint, so integration of the management tools will always be a challenge.
If you have a 6500 and you are looking to do a sizeable amount of firewalling then the FWSM is a decent choice.