Cisco ASA/PIX vs Cisco Routers

chmodchmod Member Posts: 360 ■■■□□□□□□□
Im wondering what are the main differences between this 2 devices?.
I know 1 is a oruter and the other is firewall but according to the cisco website, a router 1800 or 2800 comes with firewall/VPN features so is basically the same thing.
I would like to read suggestions, comments, experiences. I want to make the right decision before to spent $$$.


  • scheistermeisterscheistermeister Member Posts: 748 ■□□□□□□□□□
    The firewall that comes on routers is the software IOS firewall (CBAC). Since I have never worked with ASA/PIX I would not know what those are like exactly, but I would assume they are a hardware based firewall.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • malcyboodmalcybood Member Posts: 900 ■■■□□□□□□□
    It depends on what model of router you are talking about and what modules you have installed but ASA's are actual security devices that can accomodate functions such as IPSec VPN, SSL VPN, Firewall, IPS / IDS etc all on the same box.

    Routers are typically used for routing with some security functionality depending on which modules are installed. For example if all you wanted to do is have a head end device for IPSec site-to-site VPNs you could buy a 2851 or dual 2851's running HSRP and install a VPN accelerator which would give you 3000 VPN tunnels in active / active or 1500 on each in active standby.

    ASA info

    ASA's are substantialy more expensive than say a 2851 router also
  • tierstentiersten Member Posts: 4,505
    ASAs (at least the regular ones. No idea if the massive versions are the same) are all software as well. Their advantage over an ISR is that they've got significantly more processing power and memory.
  • chmodchmod Member Posts: 360 ■■■□□□□□□□
    Basically if i purchase a router(example a 2821 with all the modules), i can get the same functionality of an ASA.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,800 ■■■■■■■■□□
    Nope. One biggy is an ASA is stateful out of the box, so for internet access with routers you need to configure CBAC or spend a fair amount of time configuring rules for outbound/inbound traffic whereas with a PIX/ASA it would already be protecting you decently with minimal configuration. Translations are easier and more versatile on the ASA and as has been mentioned it's processing power for security functions is greater. If you are just using either as a VPN client at a remote site then a router with IPsec features that can handle the throughput you'll need would be fine but if you want a multifunction internet facing device the ASA is a better choice.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dtlokeedtlokee Member Posts: 2,381
    There are a number of security capabilities on the ASA that have no counterpart on the IOS router. Zone based firewall help improve some of the granularity of the IOS firewall but one issue still remains with nat between interfaces and how you can better control the data flow.

    One thing is for sure, I had a customer fail an PCI audit due to using an IOS firewall for an Internet connection.
    The only easy day was yesterday!
Sign In or Register to comment.