So far so good: a couple of months ago I successfully passed the 642-618 FIREWALL exam, my first step toward CCNP Security. Four months of experiments with the ASA preceded the exam, and during this practice I kept wondering which is better, an IOS router or an ASA, what the differences between them are, and in which circumstances one should be used rather than the other. As a result, I wrote this short list of their pros and cons, which I noticed during my research.
- Global ACLs: the ASA has them (since 8.3), IOS does not; I find them very convenient at times
- Object-oriented configuration on the ASA: you can name every object (networks, hosts, ports) and group objects, for instance several ports into one service object-group
- packet-tracer on the ASA: you can simulate a packet passing through the device and see exactly which phase (ACL, NAT, inspection) stopped it
- ASDM for the ASA and CCP for IOS; I can't say which is better
- Packet capture: IOS has this feature too, but the ASA version, especially through ASDM, seems to me more convenient and more capable
- Advanced Layer 5-7 application inspection: the ASA does this through MPF, IOS cannot (at least not to the same extent). For instance, it can be used to block the HTTP TRACE method
- Advanced NAT: NAT on the ASA is fully controllable (object NAT and twice NAT, with explicit ordering); I consider it more convenient than on IOS
- Failover: the ASA has active/standby and active/active failover, and clustering
- Modular Policy Framework (MPF): one of the main ASA features; it lets you apply inspection, connection limits, QoS and other actions to exactly the traffic a class-map selects
- SCP server: the ASA can act as an SCP server (ssh scopy enable), so images and configs can be copied to it with scp
- Convenient CLI: the ASA supports output filtering with grep (show ... | grep), and you do not need to prefix exec commands with do in configuration mode
- Advanced TCP options: through tcp-map and set connection the ASA can control options of a TCP flow, for instance allowing or clearing TCP option 19 (MD5 signature), limiting embryonic connections to protect against SYN floods, or enabling TCP state bypass
- The ASA can filter botnet traffic (Botnet Traffic Filter, a licensed feature)
- The ASA does not support DMVPN and cannot terminate GRE tunnels (it can pass GRE through, but cannot be a tunnel endpoint)
- The ASA does not support policy-based routing
- The ASA has cut-through proxy: users can be authenticated (via AAA) before their traffic is allowed through
- No wildcard masks on the ASA!!! :) ACLs use normal subnet masks
- No Telnet or SSH client on the ASA (it is a server for both, but you cannot connect from it to another device)
- Security levels on ASA interfaces give initial, fast control of access between networks: by default traffic flows from a higher security level to a lower one and is blocked in the other direction
- Stateful inspection of TCP and UDP is turned on by default on the ASA, so return traffic is allowed without extra ACL entries; very convenient
- On the ASA the real (pre-NAT) IP address is used in ACLs, not the mapped one (since 8.3)
- Transparent firewall mode on the ASA: a firewall that behaves like a switch (a Layer 2 bump in the wire) :)
- Virtual firewalls (multiple context mode): many firewalls in one box, however there are some restrictions: in multiple mode you can't use VPNs or dynamic routing protocols
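To make several of the ASA-only points above concrete (named objects and object-groups, a global ACL, ACLs on real addresses, an MPF policy with HTTP inspection that drops TRACE, a tcp-map clearing option 19 plus embryonic-connection limits, and packet-tracer), here is an added configuration example in ASA 8.3+ syntax. It is not taken from the post or from any Cisco documentation; the interface names (outside, dmz), the object names and all addresses (10.1.2.10, 203.0.113.10, 198.51.100.5) are made up for illustration.

```text
! --- Named objects and object-groups (assumed names/addresses) ---
object network WEB-SRV
 host 10.1.2.10
 nat (dmz,outside) static 203.0.113.10
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group service MGMT-PORTS tcp
 port-object eq ssh
 port-object eq 3389

! --- Global ACL: applied to all interfaces, evaluated after the interface ACL ---
access-list GLOBAL-IN extended deny tcp any any object-group MGMT-PORTS
access-list GLOBAL-IN extended permit ip any any
access-group GLOBAL-IN global

! --- Interface ACL uses the real (pre-NAT) address of the server, not 203.0.113.10 ---
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside

! --- Layer 7 HTTP inspection policy: drop and log connections using the TRACE method ---
policy-map type inspect http HTTP-NO-TRACE
 parameters
 match request method trace
  drop-connection log

! --- tcp-map: strip TCP option 19 (MD5 signature) from matched flows ---
tcp-map TCP-OPTS
 tcp-options md5 clear

! --- MPF: select port-80 traffic and apply inspection, SYN-flood limits and the tcp-map ---
class-map WEB-TRAFFIC
 match port tcp eq www
policy-map OUTSIDE-POLICY
 class WEB-TRAFFIC
  inspect http HTTP-NO-TRACE
  set connection embryonic-conn-max 200 per-client-embryonic-max 20
  set connection advanced-options TCP-OPTS
service-policy OUTSIDE-POLICY interface outside

! --- Exec-mode checks: simulate an inbound packet (mapped address on the wire) and grep the config ---
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
show running-config | grep access-list
```

packet-tracer walks the simulated packet through every phase (ACL, NAT, inspection, service policy) and reports which one dropped it, which is the quickest way to confirm that the global ACL and the interface ACL interact the way you expect.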