[c-nsp] FWSM, Contexts and ASA's

Christian Koch christian at visr.org
Wed Feb 13 13:14:17 EST 2008


Mark,

These were my concerns, per your comment about acting as a perimeter firewall.

I appreciate the info and feedback; this is going to be very helpful and will
help me present my case to keep corp/infrastructure firewalls on standalone
ASAs.



On Feb 13, 2008 1:06 PM, Mark Kent <mark at noc.mainstreet.net> wrote:

> AFAIK, the FWSM is not going to be able to be a general perimeter
> firewall, in conjunction with other contexts.  That is, if you think
> "Hey, I've got multiple contexts, why not use one for general
> Internet filtering and then that can funnel into per-customer
> and/or per-businessUnit contexts?" then the answer is "it'll confuse
> the classifier for outbound traffic"
>
> The FWSM does not seem to be as "advanced" as the ASA in at least
> a few ways (no enhanced object groups, no ability to tie a unique MAC
> address to shared interfaces).
>
> Also, multiple contexts means static routing.
>
> Regarding this:
>
> > I would also ask a strategy question, Do you think the FWSM
> > product really has a future compared to ASA?
>
> Is that rhetorical?  Is it generally believed that the answer is "No"?
>
> Regarding this comment:
>
> > We recently had an issue where one of the network processors in an
> > FWSM got confused and refused to pass traffic for new flows.
>
> I think that happened to me yesterday (with 3.2(4)).  Spent hours
> trying to figure out what was going on, finally ripped out the
> contexts, redefined them and all was OK.  This isn't even in
> production yet (i.e., no real load).
>
> Thanks,
> -mark
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

