ASA 5505 or 2800 Router

gigabyte1024

I manage a medium-sized network that consists of about 8 VPN tunnels.
Those are small offices (4 - 12 users ea) connecting back to a common colo.

Currently they use a 2600 series router to do the tunnels back to a PIX firewall.

If I were to update, what would be the pros and cons of updating to an ASA 5505 vs a 2800 (or 1800) series router?

Anyone with hands-on experience with these devices?
 
ASA
Pros: Purpose-built to be a firewall. Typically receives firewall features before IOS-based devices do. ASA supports an IPS module, and the Anti-X Content Services module, neither of which the ISR supports (although it will do IPS in software, but not hardware); these two modules may eventually be supported in the 5505 but are not as of yet. Depending on how you place it in your network, you could keep existing management in place for your WAN router (if your ISP manages it, for example), and only have to deal with the ASA.

Cons: Doesn't support the numerous features that ISRs do, such as: integrated wireless, content engine, voice gateway, WAN modules. Doesn't run IOS, although they look somewhat similar (this can be seen as a plus from a security perspective, though).

ISR
Pros: All-in-one device. Supports WAN and L3 etherswitch modules and a wide range of expansion options. Potentially reduced management overhead by consolidating devices/support contracts.

Cons: Most security features implemented in software, thus performance may not be as great. Many people still subscribe to the 'not putting all your eggs in one basket' theory, but an ISR makes sense a lot of the time in branch offices where you just want one device.

Hope this helps.
 
You will end up paying more for the ISR than the ASA 5505 by the time you add licensing for the various pieces.
 
You will end up paying more for the ISR than the ASA 5505 by the time you add licensing for the various pieces.

True, but the beauty of the ISR really comes out when you can go into a branch and replace a WAN router, firewall, and switch with one single device. It lowers TCO and simplifies new branch deployments. Plus, the ISRs can use most of the cards that the 17/26/36/37xx series used.
 
Plus, the ISRs can use most of the cards that the 17/26/36/37xx series used.

Except the T1 DSU/CSU card. I found this out the hard way when the ISR routers first came out. :) Don't get me wrong, I really like the ISR routers. We just purchased a loaded 3745 for one of my clients.
 
MorfiusX said:
Except the T1 DSU/CSU card. I found this out the hard way when the ISR routers first came out. :)

There are some cards they won't work with, and the original version of the WIC-1DSU-T1 is one of them. They will work with the second version (WIC-1DSU-T1-V2) though.

Don't get me wrong, I really like the ISR routers. We just purchased a loaded 3745 for one of my clients.

I hope you mean 3845 :). 3745 is one of the older MSRs.
 