Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FWSM v ASA

folks

i have a data centre which needs a firewall in front of it and i'm being told to use a fwsm since there is a 6500 in place

my problem is i don't manage the switch and i prefer the idea of physical separation

i also have no experience of dealing with the fwsm - is it exactly the same as the asa and has it the same full functionality

also does it use the 6500 switch for inbound and outbound ports?

thanks to anyone taking the time to reply

5 REPLIES

Re: FWSM v ASA

It all depends, I have been in large organizations where they had FWSM in a redundant architecture using dual 6509 core with FWSM modules in each in their server switch block farm servicing 300+ servers but separated from the users switch block, FWSM configuration initially may differ from that of PIX and ASA depending how it is been deployed if Routed , transparent or context modes , but once that initial FWSM deployment is established the syntax and functionality is the same as the ASA firewalls , same principle in deploying FWSM in standalone or active/failover or active/active etc.. all same principle I personally like to idea of separation as well for administration, I have deal with PIX and recently started with ASA, but FWSM I must say my comment is based on reading. A book recently obtained few months ago from Ciscopress presented the three platforms covering syntax CLI for PIX ASA and FWSM to reveal that almost %95 of CLI is the same, of course depending on what code version they run into few changes in some commands as it may varied from code to code and some commands deprecated but I believe if you have worked with PIX, you can deal with ASA and FWSM and the other way around.

Here are some of most common Q&A on FWSM

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml

ASA solutions

http://www.cisco.com/en/US/products/ps6120/prod_brochure_list.html

Rgds

Jorge

New Member

Re: FWSM v ASA

jorge

many thanks for your reply

gratefully appreciated

Silver

Re: FWSM v ASA

Here is my take on this:

We also have a data center where we

house about 700+ servers, Solaris, Linux,

Windows, etc... We also do not manage these

switches ourselves.

If you have simple rulebases, then it probably

makes sense to go with ASA or FWSM. However,

in our situation, we have very complex rulebase, about 900+ rules in the firewalls,

with lot of hosts/network group objects and

service group objects. Doing this with either ASA or FWSM is not a desirable solution.

Furthermore, if you decide to use FWSM, please

be aware of the limitations regarding the

number of lines you can have in the configuration, <64K lines or something in

single context and <128K in multiple context.

When you talk about complex rulebases with

multiple object-groups, those lines can

multiply in a hurry. I think same thing

apply to Pix/ASA. The other thing you have

to consider is support. When you've

complex rulebase with complex NAT, you

increase the possibility of an outtage.

Anyway, in our situation, we decided to use

Checkpoint NGx R65 firewalls on

Secureplatforms, managing via Checkpoint

Provider-1 centralize management. We

configure checkpoint to run Active/Active/Active mode, cluster mode.

Yes, checkpoint is expensive but managing

the rulebase is very simple.

Those are the things you must consider

in deploying firewalls at your data center:

1- Easy to configure, Cisco

2- Easy to support, Checkpoint

3- Easy to troubleshoot, Checkpoint w/ tcpdump

4- Cost, Cisco

good luck.

Hall of Fame Super Blue

Re: FWSM v ASA

Hi

Thought i'd add my thoughts to this.

We use FWSM's in our data centre 6500 switches and if given the choice between having to use a standalone ASA/Pix or the FWSM in this scenario i would go with the FWSM most times (cost allowing). If you are looking to virtualise your data centre in terms of firewalling/load balancing/ VPN services then the 6500 solution is an appealing choice in that it becomes very easy to provision new firewalled/loadbalanced/firewalled + loadbalanced etc.. vlans.

Of course it depends on how much firewalling your are intending to do. To firewall one server vlan with an FWSM would be overkill to say the least and here i may well go with a standalone device.

David makes a good point in that there are hard limits on the FWSM rather than the soft limits you find on some of the standalone devices ie. on the FWSM you can only have x amount of NAT translations or y amount of access-list lines because it is ASIC based and the limits are built in. Software limitations come down to the amount of memory/cpu horsepower etc.

I also agree with David on the management of the devices. Checkpoint have this really sussed and have done for a long time. Cisco's weak point on a lot of their hardware is the management software that goes with it, not an issue if like me you come from a Unix command line background but it is becoming more important to have good provisioning tools for the hardware and Checkpoint is still better in my opinion. To be completely fair Cisco have a hell of a lot more products than checkpoint so intergration of the management tools will always be a challenge.

If you have a 6500 and you are looking to do a sizeable amount of firewalling then the FWSM is a decent choice.

Jon

New Member

Re: FWSM v ASA

Hi Jon,

We have a 6509 with WS-SVC-FWM-1 running 3.2(4).

We also want to make NAT translations for a large number

of customers (each Customers' VLAN will be NATEd to a specific

global IP) ----> we have to configure too many Global Pools :

FWSM# sh resource usage detail

Resource Current Peak Limit Denied Context

memory 252105248 252296040 unlimited 0 System

....

....

....

globals 2000 2000 4204 0 System **********

np-statics 2247 2247 4096 0 System

statics 278 278 2048 0 System

ace-rules 3634 3634 52000 N/A System

....

....

policy-nat-rules 2777 2777 10000 N/A System

fixup-rules 120 120 10000 N/A System

Although we more than 2K nat rules (almost 3k), configuration file doesn't

accept more than 2K global commands :

FWSM(config)# global (outside) 2096 XXX.XXX.XXX.XXX netmask 255.255.255$

INFO: Global XXX.XXX.XXX.XXX will be Port Address Translated

Error: Too Many Global Pools

Any ideas to accept more Global pools, Up to the limit of 4204 ??

(data-sheet info :

max NAT rules 2K

Max Global Pools 4k)

TIA,

John

424
Views
15
Helpful
5
Replies