I've got a very simple small business setup. In looking for a replacement firewall/router combo, I'm not able to find any comparison of the 500 series router vs the ASA 5505. I know in general these do different functions, but in a small business setup, it appears that these devices would both solve our need. Assuming that's true, is it safe to say the 5505 would be a better solution for our telecommuters to connect into?
I've found the following document that provides some (declared) performance figures for different router platforms and for different ASA platforms.
I don't think you can have performance issues if this is a small business scenario:
Cisco ASA 5505
25 simultaneous VPN connections
As noted by Collin, the ASA fits better for remote access using IPsec and the VPN client, or you can also think of SSL VPN.
Hope this helps
Seeing your other post about the VPN client, I would have to say the ASA. It's easier to set up SSL VPN than on a router, and I don't think SSL VPN on IOS is even out of T code yet. A router does have more functionality as Jon stated, but for remote access, the ASA is better (IMO).
"A router does have more functionality as Jon stated,"
Whilst I'm flattered to be mistaken for Paolo, I'd just like to point out I would go with an ASA as well :-)
>> Whilst I'm flattered to be mistaken for Paolo, I'd just like to point out I would go with an ASA as well :-)
Simply Collin guessed you were going to read this thread!
I have exposure to both and I see my colleague swearing all the time with the ASA (and he has 10 years' experience with them), as there is little debug capability, too many things just aren't possible, and the features are only a fraction of what a router does. Not to mention licensing headaches.
Take DMVPN for example, the modern way of connecting an enterprise over the internet. You need a router for that.
With the router, I always find a way to accommodate what the customer wants and more. Besides, I can debug what's going on and IOS is improved all the time.
Simply I don't see the same with the ASA.
Collin / Giuseppe
Not every post, I do have other things to do as well :-)
I think all of us in this post have exposure to both types of device. I agree on the debug capabilities, even the PIX had better as far as I am concerned. But it is horses for courses and some things are easier on the ASA/PIX than a router.
NAT is a good example. Try to NAT all incoming traffic on the outside interface to the inside interface IP address on a router. Easy to do the reverse, i.e. NAT overload in to out, but not possible out to in. You have to use a NAT pool to achieve what you want. PIX/ASA: very easy to do both in to out and out to in. I've lost count of the number of times I've wished IOS had that functionality.
PIX/ASA allows sh run from config mode etc., handy when you are in a rush. I know there is a "do
PIX/ASA uses natural masks in ACLs instead of wildcard masks, again a small thing but useful.
Then again PBR is possible on a router and not on an ASA/PIX, QoS is more feature rich in IOS etc.
As a doorway to the Internet I would pretty much always go with an ASA/PIX, too much functionality in a router, i.e. too many things to go wrong, unless there was a very good reason not to, e.g. as you pointed out, DMVPN.
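To make the NAT difference in the post above concrete, here is an added configuration example. It is not from the thread or from Cisco documentation; interface names, addresses and the pre-8.3 ASA syntax are assumptions. On IOS, in-to-out PAT onto the outside interface address is a single `ip nat inside source ... overload` line, whereas translating all inbound sources onto the inside side goes through `ip nat outside source` with a pool; on the ASA both directions use the same `nat`/`global` pair pointed at the interface address.

```cisco
! Added example, not part of the original thread.
! All addresses, interface names and object names are assumed.
!
! --- IOS router: in -> out, PAT onto the outside interface address ---
interface FastEthernet0/0
 description OUTSIDE (assumed 203.0.113.2/30)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description INSIDE (assumed 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip access-list standard INSIDE-NETS
 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list INSIDE-NETS interface FastEthernet0/0 overload
!
! --- IOS router: out -> in ---
! Outside-source NAT is done with a pool of inside-side addresses that the
! remote sources are translated into; add-route installs host routes for
! the pool addresses so return traffic is sent back out to be untranslated.
ip access-list standard OUTSIDE-SRCS
 permit any
!
ip nat pool OUTSIDE-POOL 192.168.99.1 192.168.99.254 netmask 255.255.255.0
ip nat outside source list OUTSIDE-SRCS pool OUTSIDE-POOL add-route
!
! --- ASA/PIX, pre-8.3 syntax: both directions onto the interface address ---
! in -> out
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! out -> in (the trailing "outside" keyword enables outside NAT)
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
!
! --- ASA 8.3 and later: same out -> in rule expressed as a network object ---
object network OUTSIDE-ANY
 subnet 0.0.0.0 0.0.0.0
 nat (outside,inside) dynamic interface
```

Two practitioner caveats. First, `permit any` in OUTSIDE-SRCS means every inbound connection is translated, so internal servers log the router's pool address (or, on the ASA, the inside interface address) instead of the real client IP; if you need the source address for incident response, narrow the ACL to the remote networks that actually require it or keep that evidence from the router's own NAT translation table and logs. Second, verify the result with `show ip nat translations` on IOS and `show xlate` on the ASA before assuming the rule does what you intended, since a missing `add-route` or `outside` keyword fails silently rather than with an error.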
Small things first...
In the router, generally I stay in config mode and prefix exec commands with "d ".
The "reversed netmask" in ACLs doesn't bother me at all; it helps remind me that these are NOT netmasks.
Then when you start comparing big things... the ASA just seems to be the eternal loser.
The only reason my customers buy it is because that is still what Cisco sells as a "true firewall".
Okay, just wanted to offer a different view :-)
"In the router, generally I stay in config mode and prefix exec commands with "d"." - yep, see previous post.
"The only reason my customers buy it it's because that is still what cisco sells as "true firewall"
It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs. The "big things" are often not needed on a pure security device and nor would you necessarily want them.
I'm not arguing either for the router or the ASA, I just don't agree with sweeping statements such as "routers are more consistent, easy to configure..." - it all depends on what you are trying to do.
Jon, to be honest with you, I have exactly the same feeling toward your statements - that are sweeping and generic ones:
It is a true firewall. It is a security device and that is what it was designed for. A router is not a security device although it can function as one. But a router has an awful lot of other code, with possible bugs.
I was with Cisco when the PIX was initially introduced. The above was one of the sales pitches for customers. Another was that since it wasn't Unix like other FWs, it was "more secure" intrinsically. We as SEs had good laughs at that, but were very happy to sell anyway. Of course over time the PIX had its share of bugs and security advisories.
Regarding what I'm trying to do, basically it's always the same: deploy the smaller number of boxes that do the larger set of functions. I find that nothing beats a router in that, for 15 years now.
"Jon, to be honest with you, I have exactly the same feeling toward your statements - that are sweeping and generic ones:"
Fair enough, no offense intended. I still believe you deploy the device that fits the situation and that a router is not always the best option, but I have deployed an awful lot of routers in my time :-)