[c-nsp] ASA vs ISR ZBFW
Gert Doering
gert at greenie.muc.de
Fri Sep 9 11:23:59 EDT 2011
Hi,
On Fri, Sep 09, 2011 at 11:17:39AM -0400, Matthew Huff wrote:
> I understand where this comes from, but the ASA is a bit more modern than the "PIXen".
>
> 1) It now does dynamic routing (RIP, OSPF, EIGRP)
... but still no BGP, which is undoubtedly *the* routing protocol that you
want to use if you don't trust your neighbours (due to much better filtering
support) - and "firewall environment" is usually all about "not trusting".
> 2) Nat (as of 8.3+) is now "normal"
Hooray :-)
(Can you do firewalling without NAT these days without configuring
external-to-internal permits as "please do NAT from X to X"?)
> 3) The inspect feature still has issues but is necessary for many protocols and is implemented very similar on the ZBFW in ios.
Just last week I had a customer call due to weird issues with "passive
FTP is not working right"... but indeed that might have been an older
firmware release.
OTOH, I never said the PIX/ASAs are *bad*... there's much worse evil on
the market :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
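Added illustration (not part of the original thread, and not Gert's or Matthew's configuration) of the "better filtering support" point: on an IOS router, routes learned from an untrusted BGP neighbour can be filtered by prefix, by AS path and by count before they touch the routing table, and what is announced back can be pinned to your own block. AS numbers, prefixes, the peer address and the shared secret are made up for the example.

```text
! Constructed example, not from the original post. AS 64500 is "us",
! AS 64496 is the untrusted neighbour; addresses are documentation ranges.
!
! Inbound: accept only the neighbour's own block, deaggregated to at most /26,
! and drop everything else (the final deny is explicit for readability).
ip prefix-list FROM-NEIGHBOR seq 5 permit 198.51.100.0/24 le 26
ip prefix-list FROM-NEIGHBOR seq 100 deny 0.0.0.0/0 le 32
!
! Outbound: announce only our own aggregate, never transit or leaked routes.
ip prefix-list TO-NEIGHBOR seq 5 permit 203.0.113.0/24
ip prefix-list TO-NEIGHBOR seq 100 deny 0.0.0.0/0 le 32
!
! Only paths originated by the neighbour itself (optionally prepended).
ip as-path access-list 10 permit ^64496(_64496)*$
!
route-map FROM-NEIGHBOR-IN permit 10
 match ip address prefix-list FROM-NEIGHBOR
 match as-path 10
 set local-preference 80
!
route-map TO-NEIGHBOR-OUT permit 10
 match ip address prefix-list TO-NEIGHBOR
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 ! TCP MD5 on the session and GTSM (peer must be directly attached).
 neighbor 192.0.2.1 password <shared-secret>
 neighbor 192.0.2.1 ttl-security hops 1
 ! Tear the session down if the neighbour sends more than 50 prefixes,
 ! and retry automatically after 5 minutes.
 neighbor 192.0.2.1 maximum-prefix 50 restart 5
 neighbor 192.0.2.1 route-map FROM-NEIGHBOR-IN in
 neighbor 192.0.2.1 route-map TO-NEIGHBOR-OUT out
```

Both route-maps end in an implicit deny, so anything the prefix-list or AS-path list does not match is dropped; `show ip bgp neighbors 192.0.2.1 received-routes` (with `soft-reconfiguration inbound` configured) shows what the neighbour offered versus what survived the filter.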