Cisco Support Community
New Member

500 Series Router vs ASA 5505

I've got a very simple small business setup. In looking for a replacement firewall/router combo, I'm not able to find any comparison of the 500 series router vs the ASA 5505. I know in general these do different functions, but in a small business setup, it appears that these devices would both solve our need. Assuming that's true, is it safe to say the 5505 would be a better solution for our telecommuters to connect into?

17 REPLIES
Hall of Fame Super Silver

Re: 500 Series Router vs ASA 5505

Hello Liam,

The ASA 5505 is better from a security point of view.

Hope to help

Giuseppe

New Member

Re: 500 Series Router vs ASA 5505

Thanks Giuseppe. That's what I'd think. What about from a performance perspective? Any thoughts?

Hall of Fame Super Silver

Re: 500 Series Router vs ASA 5505

Hello Liam,

I've found the following document that provides some (declared) performance figures for different router platforms and for different ASA platforms.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns461_Networking_Solutions_Brochure.html

I don't think you can have performance issues if this is a small business scenario:

Cisco ASA 5505

25 simultaneous VPN connections

100 Mbps

As noted by Collin, the ASA fits better for remote access using IPsec and the VPN client, or you can also think of SSL VPN.

Hope to help

Giuseppe

Hall of Fame Super Gold

Re: 500 Series Router vs ASA 5505

Routers are more consistent, easy to configure, feature rich and usable devices.

Re: 500 Series Router vs ASA 5505

Seeing your other post about the VPN client, I would have to say the ASA. It's easier to set up SSL VPN than a router and I don't think SSL VPN on IOS is even out of T code yet. A router does have more functionality as Jon stated, but for remote access, the ASA is better (IMO).

Hall of Fame Super Blue

Re: 500 Series Router vs ASA 5505

Collin

"A router does have more functionality as Jon stated,"

Whilst I'm flattered to be mistaken for Paolo, I'd just like to point out I would go with an ASA as well :-)

Jon

New Member

Re: 500 Series Router vs ASA 5505

Thanks everyone...you're a huge help.

Re: 500 Series Router vs ASA 5505

I saw the gold star and made an assumption ;-)

Hall of Fame Super Silver

Re: 500 Series Router vs ASA 5505

Hello Jon,

>> Whilst I'm flattered to be mistaken for Paolo, I'd just like to point out I would go with an ASA as well :-)

Simply Collin guessed you were going to read this thread!

Best Regards

Giuseppe

Re: 500 Series Router vs ASA 5505

I know that Jon reads every post!

Hall of Fame Super Gold

Re: 500 Series Router vs ASA 5505

I have exposure to both and I see my colleague swearing all the time with the ASA (and he has 10 years' experience with them), as there is little debug capability, too many things just aren't possible, and the features are only a fraction of what a router does. Not to mention licensing headaches.

Take DMVPN for example, the modern way of connecting an enterprise over the internet. You need a router for that.

With the router, I always find a way to accommodate what the customer wants and more. Besides, I can debug what's going on and IOS is improved all the time.

Simply I don't see the same with the ASA.

Hall of Fame Super Blue

Re: 500 Series Router vs ASA 5505

Collin / Giuseppe

Not every post, I do have other things to do as well :-)

Paolo

Think all of us in this post have exposure to both types of device. I agree on the debug capabilities, even the PIX had better as far as I am concerned. But it is horses for courses and some things are easier on the ASA/PIX than a router.

NAT is a good example. Try to NAT all incoming traffic on the outside interface to the inside interface IP address on a router. Easy to do the reverse, i.e. NAT overload in to out, but not possible out to in. You have to use a NAT pool to achieve what you want. PIX/ASA very easy to do both in to out, out to in. Lost count of the number of times I've wished IOS had that functionality.

PIX/ASA allows sh run from config mode etc., handy when you are in a rush. I know there is a "do " from config mode on IOS but not all IOS versions.

PIX/ASA uses natural masks in ACLs instead of wildcard masks, again a small thing but useful.

Then again PBR is possible on a router and not on an ASA/PIX, QoS is more feature rich in IOS etc.

As a doorway to the Internet I would pretty much always go with an ASA/PIX, too much functionality in a router, i.e. too many things to go wrong, unless there was a very good reason not to, e.g. as you pointed out DMVPN.

Jon

Hall of Fame Super Gold

Re: 500 Series Router vs ASA 5505

Small things first...

In the router, generally I stay in config mode and prefix exec commands with "d ".

"Reversed netmasks" in ACLs don't bother me at all; they help remind me that these are NOT netmasks.

Then when you start comparing big things... the ASA just seems to be the eternal loser.

The only reason my customers buy it is because that is still what Cisco sells as a "true firewall".

Hall of Fame Super Blue

Re: 500 Series Router vs ASA 5505

Okay, just wanted to offer a different view :-)

"In the router, generally I stay in config mode and prefix exec commands with "d "." - yep, see previous post.

"The only reason my customers buy it is because that is still what Cisco sells as a "true firewall"."

It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs. The "big things" are often not needed on a pure security device and nor would you necessarily want them.

I'm not arguing either for the router or the ASA, I just don't agree with sweeping statements such as "routers are more consistent, easy to configure..." - it all depends on what you are trying to do.

Jon

Hall of Fame Super Gold

Re: 500 Series Router vs ASA 5505

Jon, to be honest with you, I have exactly the same feeling toward your statements - that are sweeping and generic ones:

"It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs."

I was with Cisco when the PIX was initially introduced. The above was one of the sales pitches for customers. Another was that since it wasn't Unix like other FWs, it was "more secure" intrinsically. We as SEs had good laughs at that, but were very happy to sell anyway. Of course over time the PIX had its share of bugs and security advisories.

Regarding what I'm trying to do, basically it's always the same, deploy the smaller number of boxes that do the larger set of functions. I find that nothing beats a router in that, for 15 years now.

Hall of Fame Super Blue

Re: 500 Series Router vs ASA 5505

Paolo

"Jon, to be honest with you, I have exactly the same feeling toward your statements - that are sweeping and generic ones:"

Fair enough, no offense intended. I still believe you deploy the device that fits the situation and that a router is not always the best option, but I have deployed an awful lot of routers in my time :-)

Good discussion.

Jon

Hall of Fame Super Gold

Re: 500 Series Router vs ASA 5505

Appreciated, thank you.
