> Hello,
>
> I was wondering if there is any difference between a PIX firewall and
> the firewall IOS. I have a 2801 router that I would like to buy the
> firewall IOS for instead of putting in a PIX firewall. Does the
> firewall IOS have all of the features of the PIX box? I'm currently
> using the router for NBAR inspection, route-mapping and NATting a few
> internet connections. Will this all still work on the firewall IOS?
>
> Thanks,
> Dan.
>
Hello,

there are many pros and cons for both boxes. Basically the routers seem to be more flexible for making some things work, e.g. you can create a GRE over IPsec tunnel so that you can represent a remote site connecting to you via a logical interface where you can specify ACLs etc.

On the other side PIX (currently ASA) seems to have more security features and knobs embedded, e.g. object-groups, dce-rpc inspection etc. Obviously everything is reminiscent of CatOS vs IOS, except that the battlefield is IP security.

I think that since you already have a router to do the "dirty job", I would go for an ASA. If you didn't have a box at all, I would go for the router. But everything depends on the network design you wish to deploy and the time you have to read the manuals and maintain one more network device.

By the way, it would be really nice if "service object-groups" included the protocol, e.g.:

  object-group service remoteaccessvpn
   service-object proto esp
   service-object proto udp src-port 500 dst-port 500
   service-object proto udp dst-port 4500
   service-object proto tcp src-port gt 1023 dst-port 443

Maybe it would be nice to add there the inspection type we prefer also, although I haven't thought yet of the pros & cons versus policy-map/class-map style:

   service-object proto tcp src-port gt 1023 dst-port 2121 inspect-type ftp

Best Regards,
John Kougoulos

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
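The protocol-carrying service object-group John asks for, written out as an added illustration that is not part of the original thread: it assumes the `service-object` syntax of later ASA releases (8.3 and newer), and the ACL name, interface name and the VPN headend address 203.0.113.1 are constructed placeholders.

```text
! Added example, not from the thread. Assumption: ASA 8.3-or-later
! syntax, where a service object-group can carry the protocol itself.
object-group service REMOTEACCESSVPN
 service-object esp
 service-object udp source eq isakmp destination eq isakmp
 service-object udp destination eq 4500
 service-object tcp source gt 1023 destination eq https
!
! The group then replaces the protocol field of a single ACE.
! 203.0.113.1 is a constructed placeholder for the VPN headend.
access-list OUTSIDE_IN extended permit object-group REMOTEACCESSVPN any host 203.0.113.1
access-group OUTSIDE_IN in interface outside
!
! The inspection type John wanted inside the group still lives in the
! Modular Policy Framework; here FTP inspection on the non-standard
! port 2121 from his second example (global_policy is the default policy-map).
class-map FTP_2121
 match port tcp eq 2121
policy-map global_policy
 class FTP_2121
  inspect ftp
```

Keeping the inspection in the policy-map means the same object-group can be reused in several ACLs without each of them dragging an inspection decision along.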