Re: [fw-wiz] Cisco 2811 vs. ASA 55xx

Cisco ASA units are the replacements/upgrades for the PIX.

However, I would like the original author to clarify/justify this statement:

"Is the lack of flexibility of the ASA justified by the higher performance?"

What lack of flexibility are you referring to? Last I checked, all the Cisco firewall appliances (PIX, ASA) will do RIP (both versions), as well as OSPF, as well as all the firewall(ing) stuff they are supposed to do. They are security appliances. I'm not real sure what you're trying to do security-wise with a Cisco router that a Cisco firewall appliance cannot do. Out of the box, the Cisco ASA units are supposed to do everything that a 3000-series concentrator will do, as well as a PIX... ASAs are basically a combination of those two products.

For what it's worth, I have a PIX 501 in the home office, and an 8 meg cable line. I see no performance degradations whatsoever using the PIX 501 on that line. I have about 6 site-to-site VPN connections to different customers, and have it set up so that I can VPN into my network when on the road. Again, no performance issues whatsoever.

Not sure what exactly you're looking for as evidence of this. You'll have to explain more.

As for the firewalling feature, PIX and ASA units are dedicated security devices...that means what they are intended to do is act as firewalls. Routers route, firewalls firewall.

Richard Golodner wrote:

Jerry, not being smart here, but why not purchase a firewall with the features you want and save a little $$$, and keep the performance that you desire? Sounds to me like you are a Cisco guy. I would look at the PIX. I like it and have great flexibility as my topology changes. Just a thought on a Friday close to quitting time.

Sincerely, Richard


*From:* firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] *On Behalf Of* Jerry Gardner
*Sent:* Thursday, October 19, 2006 3:52 PM
*To:* firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
*Subject:* [fw-wiz] Cisco 2811 vs. ASA 55xx

I just bumped the speed of my DSL connection up to 6MBps and want to replace my existing FW/router box with something with higher performance and more robustness.

I'm thinking of either a Cisco ASA (5505 or 5510) or a Cisco 2811 router. If I go the 2811 route (forgive the pun), I'll get the Advanced Security (with IOS Firewall) feature set.

I like the versatility of the 2811 since I can get an ADSL card to plug in and replace my external modem, but I'm not sure it has enough performance. According to the Cisco data sheets I've read, the 2811 throughput is 61.44 Mbps. Is this real-world throughput with Firewall rules, NAT, and VPN connections active, or is it with everything turned off? A report I read said the real-life throughput is more like 2x T1 lines. This is only 3 Mbps. Who is correct here? If I have a reasonable number of firewall rules active (using the new zone-based firewall features in IOS 12.4), NAT, and terminating a VPN connection or two, will my 6 Mbps line overtax the 2811?

The ASA 5510, on the other hand, is rated for 300 MBps. This seems like a vast improvement on the throughput of the 2811. Is the lack of flexibility of the ASA justified by the higher performance?

How do the firewalling features of IOS Firewall (the new, improved version in 12.4T) compare with those of the ASA?


firewall-wizards mailing list