[c-nsp] firewall ios
John Kougoulos
koug at intracom.gr
Tue May 29 05:35:21 EDT 2007
> Hello,
>
> I was wondering if there is any difference between a pix firewall and
> the firewall ios. I have a 2801 router that I would like to buy the
> firewall ios for instead of putting in a pix firewall. Does the
> firewall ios have all of the features of the pix box? I'm currently
> using the router for nbar inspection, route-mapping and natting a few
> internet connections. Will this all still work on the firewall ios?
>
> Thanks,
> Dan.
>
Hello,
there are many pros and cons for both boxes.
Basically the routers seem to be more flexible for making some things
work, e.g. you can create a GRE over IPsec tunnel so that you can
represent a remote site connecting to you via a logical interface where
you can specify ACLs etc.
On the other hand, PIX (now ASA) seems to have more security
features and knobs embedded, e.g. object-groups, dce-rpc inspection etc.
Obviously all this is reminiscent of CatOS vs IOS, except that the
battlefield is IP security.
I think that since you already have a router to do the "dirty job", I
would go for an ASA.
If you didn't have a box at all, I would go for the router.
But everything depends on the network design you wish to deploy and the
time you have to read the manuals and maintain one more network device.
By the way, it would be really nice if "service object-groups" included
the protocol, e.g.:
object-group service remoteaccessvpn
  service-object proto esp
  service-object proto udp src-port 500 dst-port 500
  service-object proto udp dst-port 4500
  service-object proto tcp src-port gt 1023 dst-port 443
Maybe it would also be nice to add the inspection type we prefer there,
although I haven't thought yet about the pros & cons versus the
policy-map/class-map style:
  service-object proto tcp src-port gt 1023 dst-port 2121 inspect-type ftp
Best Regards,
John Kougoulos
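To make the point of the post concrete, here is an added example (not from the original post, not Cisco code) that parses the wished-for protocol-aware service-object syntax quoted above and evaluates flows against it. It uses a constructed copy of the remoteaccessvpn group as input; the `proto`, `src-port`, `dst-port` keywords are the hypothetical syntax from the post, not real ASA/IOS commands. A protocol-blind comparison function shows what a port-only group would do with the same numbers: TCP/500 would be permitted along with UDP/500, which is exactly the exposure the protocol field avoids.

```python
"""Toy evaluator for protocol-aware service object-groups (added example).

Parses the hypothetical syntax from the post and matches flows against it.
Constructed sample input; not a real ASA/IOS command set.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the wished-for syntax quoted in the post.
GROUP_TEXT = """
object-group service remoteaccessvpn
  service-object proto esp
  service-object proto udp src-port 500 dst-port 500
  service-object proto udp dst-port 4500
  service-object proto tcp src-port gt 1023 dst-port 443
"""

PORTLESS = ("esp", "gre", "icmp", "ah")   # protocols that carry no L4 ports


@dataclass(frozen=True)
class PortMatch:
    """One port predicate: any, eq N, gt N, lt N or range A B."""
    op: str
    lo: int = 0
    hi: int = 0

    def matches(self, port: int) -> bool:
        if self.op == "any":
            return True
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":
            return port > self.lo
        if self.op == "lt":
            return port < self.lo
        if self.op == "range":
            return self.lo <= port <= self.hi
        raise ValueError(f"unknown port operator {self.op!r}")


@dataclass(frozen=True)
class ServiceObject:
    proto: str
    src: PortMatch
    dst: PortMatch

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if proto != self.proto:          # protocol is part of the match
            return False
        if proto in PORTLESS:            # e.g. esp: protocol alone decides
            return True
        return self.src.matches(sport) and self.dst.matches(dport)


def _parse_port(tokens: List[str], i: int) -> Tuple[PortMatch, int]:
    """Parse the tokens after src-port/dst-port; return (PortMatch, next index)."""
    tok = tokens[i]
    if tok in ("gt", "lt"):
        return PortMatch(tok, int(tokens[i + 1])), i + 2
    if tok == "range":
        return PortMatch("range", int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return PortMatch("eq", int(tok)), i + 1


def parse_service_object(line: str) -> ServiceObject:
    tokens = line.split()
    if tokens[:2] != ["service-object", "proto"]:
        raise ValueError(f"not a service-object line: {line!r}")
    proto = tokens[2].lower()
    src = dst = PortMatch("any")
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key == "src-port":
            src, i = _parse_port(tokens, i + 1)
        elif key == "dst-port":
            dst, i = _parse_port(tokens, i + 1)
        else:
            raise ValueError(f"unexpected token {key!r} in {line!r}")
    if proto in PORTLESS and (src.op != "any" or dst.op != "any"):
        raise ValueError(f"{proto} carries no ports: {line!r}")
    return ServiceObject(proto, src, dst)


def parse_group(text: str) -> Tuple[str, Tuple[ServiceObject, ...]]:
    """Return (group name, service objects) from the constructed config text."""
    name, objs = "", []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("object-group service "):
            name = line.split()[2]
        elif line.startswith("service-object "):
            objs.append(parse_service_object(line))
        elif line:
            raise ValueError(f"unrecognised line: {line!r}")
    return name, tuple(objs)


def group_permits(objs, proto: str, sport: int = 0, dport: int = 0) -> bool:
    """Protocol-aware match: the flow must hit an entry with the same protocol."""
    return any(o.matches(proto.lower(), sport, dport) for o in objs)


def protocol_blind_permits(objs, proto: str, sport: int, dport: int) -> bool:
    """What a port-only group would do: any TCP/UDP flow matching the port
    numbers is permitted, regardless of which L4 protocol the entry named."""
    if proto.lower() in PORTLESS:
        return group_permits(objs, proto)
    return any(o.proto not in PORTLESS and o.src.matches(sport) and o.dst.matches(dport)
               for o in objs)


if __name__ == "__main__":
    name, objs = parse_group(GROUP_TEXT)
    for flow in [("esp", 0, 0), ("udp", 500, 500), ("tcp", 40000, 443), ("tcp", 500, 500)]:
        print(name, flow, "aware:", group_permits(objs, *flow),
              "blind:", protocol_blind_permits(objs, *flow))
```

The last flow printed, TCP source 500 to destination 500, is the one to look at: the protocol-aware group rejects it because the only entry for port 500 names udp, while the protocol-blind evaluation permits it.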