Hello! Periodically, when designing computer networks based on Cisco equipment, the question arises of what to put on the network perimeter: a router or an Adaptive Security Appliance (ASA) firewall? It is not always possible to give an unequivocal answer. I would like to make another attempt and draw a small comparison between these two devices. You will object that this has already been discussed many times. I agree. But the devices are constantly evolving: new models appear, functionality is added. So sometimes it is worth stepping back and looking at the question afresh. Perhaps something has changed?
Clarification. For rigor, note that the comparison is mainly between the ASA 5500-X and the ISR G2 and ISR 4000 routers.
We all know that the Cisco ASA is a security appliance and is usually mentioned together with the word "firewall". A Cisco router is first and foremost a router. Oh, how profound. Actually, that is the difference. But it is not so simple: the Cisco ASA can route traffic (it even supports dynamic routing protocols), and a Cisco router can perform firewall functions (two technologies are supported: CBAC and ZFW). I can already hear the reader: yes, Captain Obvious, you are right. Therefore, I propose to take a closer look at these devices in order to determine what they have in common and what is different.
Historically, the ASA has had an advantage over the router only in a number of technologies, primarily security-related ones (the classic firewall and the VPN concentrator for connecting remote users). In all other respects the ASA is mainly playing catch-up. This is because the ASA is positioned as a security tool, and the Cisco router as a universal Swiss army knife (on it we can run encryption, voice, traffic optimization and so on). Therefore, the question of which device to choose arises only in the context of network security.
At first glance, for a task such as providing an office with secure access to the Internet, both devices offer everything you need:
- routing is available (static, dynamic, PBR), as well as NAT;
- two or more providers can be used (IP SLA and BGP are supported);
- firewall functions are present.
If necessary, a VPN (site-to-site and remote-access) can be set up on either device. Both support NetFlow for collecting traffic statistics. If you need NG FW (next-generation firewall) or NG IPS (next-generation intrusion prevention system) features, they can be had on both the ASA and the router. Thus, in general, both devices have relatively similar functionality (once again I note that we are talking only about traffic routing and security). Moreover, from time to time the functionality of one device migrates to the other. This makes the choice even harder. For example, the enhanced SSL VPN features have always been the prerogative of the ASA. But over time, many SSL VPN functions appeared on the router (clientless mode, smart tunnels, etc.). The ability to capture packets on interfaces (packet capture) was also, for a long time, supported only on the ASA. The same goes for the various constructs used when configuring ACLs, namely object groups (Object Groups), which allow IP addresses, networks and services to be grouped. All of this gradually made its way into the router's OS. The reverse has happened too: BGP support and Policy-Based Routing (PBR) appeared on the ASA. Therefore, the choice in favor of one or the other solution is not always predetermined. As usual, the devil is in the details.
Since the ASA is the narrower solution, we will build our comparison around it. The ASA is positioned as a security device, so many security features work out of the box. By default, the Cisco ASA "tightens all the screws", while on the router you have to enable security features yourself (configure the firewall from scratch, disable unnecessary services, etc.). Let's go through the main functions of the ASA:
- NAT. The ASA offers every variation (static and dynamic NAT, PAT), including twice NAT. The order in which NAT rules are applied can be influenced. In this respect, the ASA is superior to the router.
- A classic firewall with deep inspection of protocol content, as well as a threat detection function (scanning and DoS attacks). As a firewall, the ASA can operate in two modes: routed and transparent (Transparent Firewall). The ASA can also operate in multiple context mode (virtual firewalls, multiple context) or in single context mode. The main differences from the router: on the ASA, the basic firewall functions are enabled by default; the firewall is more functional (for example, the Identity Firewall allows access to be granted based on user names or groups in MS Active Directory); and its configuration is more intuitive. The router tries not to lag behind: its firewall also works in two modes (routed and transparent), and instead of contexts it supports Virtual Routing and Forwarding (VRF). However, when setting up a Zone-Based Policy Firewall (ZFW) on the router, it is easy to get confused creating policies for each pair of interfaces, configuring classes and access lists, and tying them together in the configuration. One must also not forget the rules for the self zone and the interaction of ZFW with remote-access VPN (virtual template interfaces appear here so that a security zone can be attached). In short, there is plenty of room for error.
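To show where those mistakes come from, here is an added example (written for this edit, not the author's or Cisco's own configuration) of a minimal Zone-Based Policy Firewall on an IOS router: two zones, one zone-pair, and a self-zone policy for management access. The interface names, zone, class and policy names, and the 192.168.10.0/24 LAN are assumed:

```cisco
! Security zones; an interface belongs to at most one zone.
zone security INSIDE
zone security OUTSIDE

interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE

! Which traffic from INSIDE may initiate sessions towards OUTSIDE.
class-map type inspect match-any CM-IN-OUT
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log

! A zone-pair is unidirectional. Return traffic of inspected sessions is
! allowed by the state table; OUTSIDE -> INSIDE has no zone-pair, so
! unsolicited inbound traffic between the zones is dropped.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT

! The self zone: traffic to the router itself is permitted by default
! until a zone-pair with "self" exists. Once one is created, everything
! not explicitly allowed in that direction is dropped, so management
! access (SSH from the LAN here) has to be listed.
ip access-list extended ACL-MGMT
 permit tcp 192.168.10.0 0.0.0.255 any eq 22

class-map type inspect match-all CM-MGMT
 match access-group name ACL-MGMT

! "pass" is stateless; the router's replies travel self -> INSIDE,
! a direction with no zone-pair, and are therefore still permitted.
policy-map type inspect PM-IN-SELF
 class type inspect CM-MGMT
  pass
 class class-default
  drop log

zone-pair security ZP-IN-SELF source INSIDE destination self
 service-policy type inspect PM-IN-SELF
```

Every direction that should carry traffic needs its own zone-pair, and each zone-pair needs its own policy-map and class-maps; that is the bookkeeping the text warns about. After applying the configuration, `show zone-pair security` and `show policy-map type inspect zone-pair sessions` are the first checks to confirm that the expected sessions are being inspected and that the class-default drops are what you intended.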
- Cisco Firepower next-generation firewall (NG FW): context-aware security, application control per user and group, web filtering with reputation checks, retrospective file analysis, etc. To run Firepower services on the ASA, an SSD is required (the new models always ship with a built-in SSD: ASA 5506-X, 5508-X and 5516-X). Until recently, Firepower services were not available on routers. However, they can now be run on a general-purpose blade server (for example, UCS E-Series Servers or Cisco UCS E-Series Network Compute Engines) installed directly in the router. Keep in mind that a relatively budget-friendly option based on the router is out of reach: at a minimum, a 1921 and a UCS EN120E blade server will be required.
- Cisco Firepower next-generation intrusion prevention system (NG IPS). As we remember, the IPS feature on the ASA was earlier implemented as a separate module, and later became available as a virtual blade (something like a virtual machine). But after the acquisition of Sourcefire, the traditional IPS was retired, and the Cisco Firepower NG IPS came to replace it. The hardware requirements are similar to those of the NG FW solution. Note: on one device we can run both NG IPS and NG FW services simultaneously.
- VPN for connecting remote workers. The ASA supports several types:
- AnyConnect VPN Client: SSL or IPsec IKEv2 tunnels using the AnyConnect Secure Mobility Client. Most modern PC platforms and mobile devices are supported. Optionally integrates with Cloud Web Security, Host Scan and 802.1X.
- Clientless SSL VPN: access to applications is provided through a web portal, or port forwarding is provided through a thin client (Java applets / ActiveX) and SSL VPN Smart Tunnels.
- Remote Access IPsec VPN and L2TP over IPsec (IKEv1): any IPsec or L2TP client (for example, the one built into Microsoft Windows) can act as the client.
- Easy VPN: IPsec IKEv1 tunnels. Previously, this solution was actively used to connect remote users through the Cisco VPN Client. Now the Cisco VPN Client is dead, and only the mode in which a hardware device acts as the remote client remains.
The router is inferior in functionality when it comes to the AnyConnect VPN Client and Clientless SSL VPN. For example, the Host Scan module, which assesses the posture of the connecting client (OS version, antivirus, client firewall, etc.), is not supported. There are no dynamic access policies (DAP). DAPs allow us to apply different access policies (for example, to grant access only to certain resources) based on authorization data or on data obtained while assessing the posture of the connected client. Java applets / ActiveX are not supported in Clientless SSL VPN mode, and so on. Note that the Cisco 4000 routers currently have no SSL VPN at all. There is, however, support for AnyConnect IKEv2.
- Fault tolerance and clustering. ASA redundancy is provided by the failover or clustering functions.
In failover mode, two devices are combined into one logical device. Data from one device is replicated to the second so that the state of all sessions is preserved when one of them fails. Two modes of operation are available: active/standby (in single context mode) and active/active (in multiple context mode). Failover mode is convenient because, after combining the two devices, you only need to configure one of them, the active one.
The second mode, clustering, allows up to 16 ASA devices to be combined into one logical device. One caveat: at the moment, only the ASA 5585-X can be combined into a cluster of 16 devices. For other models, only two devices can be combined in a cluster. Clustering provides device redundancy, a single point of control (all devices are combined into one logical device) and increased performance (meaning that we get one virtual device with higher performance than a single physical device).
And what about routers? There are no failover and clustering functions. Fault tolerance is provided by configuring each protocol and function appropriately. Traffic routing has its own settings, the firewall its own, and the VPN its own. Failover on the ASA is more convenient in this regard: combine the devices and then configure everything from one console, as if we had one device. With a router, this does not work.
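As an added example (not from the article or from Cisco documentation), here is what the active/standby failover bootstrap described above looks like on an ASA pair. The interface names, the FOLINK failover link, the addresses and the shared key are all assumed placeholders:

```cisco
! --- Primary unit ---
! The dedicated failover link carries hello messages and configuration
! replication; naming the same interface as "failover link" also makes
! it the stateful link that carries the session table.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticate and encrypt failover messages between the two units.
failover key <shared-secret-placeholder>
! Replicate HTTP sessions as well (off by default because of their churn).
failover replication http

! Data interfaces carry an active and a standby address; on a failover
! the surviving unit takes over the active IP and MAC address, so
! neighbours do not need to learn anything new.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
! Interfaces whose loss of link or hello should trigger a failover.
monitor-interface outside
monitor-interface inside
failover

! --- Secondary unit ---
! Only the failover bootstrap is typed here; everything else (interfaces,
! ACLs, NAT, VPN) is copied from the active unit, which is exactly the
! "configure one device" convenience the text describes.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
```

Once `failover` is enabled on both units, `show failover` on either one reports which unit is active, whether the standby has finished synchronizing, and the health of each monitored interface. The secondary's own configuration is overwritten by the active unit's, so any change made on the standby is lost; all configuration work goes through the active unit.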
- Routing: static, dynamic (EIGRP, OSPF, BGP), policy-based routing (PBR), multicast routing (PIM). In this respect, the ASA has taken a big step forward. Not so long ago, BGP and PBR were the prerogative of routers alone. But there are certain "buts" in terms of routing. First, not everything works as it should (small glitches slip through from time to time), plus there are limitations and nuances for each routing protocol (EIGRP / OSPF / BGP). It is better to look into the documentation once more. For example, the ASA, when working with BGP, is not designed to handle the full Internet routing table (full view). Second, there are no GRE / VTI logical tunnel interfaces on the ASA. So there will be difficulties with building tunnels across public networks. Of course, in this respect the router significantly surpasses the ASA in functionality. Who would have doubted it. It is also worth noting that traffic routing on the ASA differs in some aspects from the same process on the router. What exactly, we will consider below.
- Site-to-site VPN. The ASA supports only pure IPsec. It can be configured in conjunction with L2TP. But that does not give us big advantages. Since there are no GRE interfaces, we cannot implement the IPsec + GRE combination either. In this respect, the router is much more functional: IPsec + GRE, VTI, DMVPN, GET VPN, FlexVPN, etc. A separate issue is providing a fault-tolerant VPN connection. Since we have pure IPsec, we can only specify several peers in the crypto map or use the OSPF + IPsec combination. When specifying several peers in a crypto map on the ASA, we immediately run into the fact that there is no preemption (that is, after the main peer is restored, the VPN connection does not switch back to it). This means that it is not always possible to clearly determine through which providers our VPN is currently working (the situation is aggravated when we have several providers on each side). Of course, this problem can be worked around, but not always elegantly (for example, by forcibly tearing down the IPsec connection using the Embedded Event Manager). The OSPF + IPsec combination also has its peculiarities: there must be only ASA devices on both sides of the tunnel. An ASA-to-router combination will not work. In addition, the document describing this mode has disappeared from the vendor's site. This leads to certain thoughts. Oh, how GRE tunnels are missed on the ASA...
- Quality of Service (QoS). The ASA's capabilities here are quite limited. In fact, we can create several queues and either give a queue priority or assign a policer to it. Packets in the priority queue are sent out to the network first. The policer sets the maximum rate at which packets from the queue are transmitted. In terms of QoS, the router is more functional.
- Management. The ASA command line differs from the router command line. The difference is not fatal, but it is there. The configuration of some functions, NAT in particular, differs especially.
The ASA has a very good web interface, the Adaptive Security Device Manager (ASDM). It is fully functional, and configuring a number of functions through it (for example, SSL VPN) is recommended, since it has quite convenient wizards. As we know, the routers' web interface (Cisco Configuration Professional) leaves much to be desired.
Not so long ago, support for the Embedded Event Manager appeared on the ASA, which allows partial automation. On the router, this functionality has been present for a long time.
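Returning to the site-to-site VPN section above, here is an added example (constructed for this edit, not from the article or from Cisco) of an IKEv1 crypto map on an ASA with two peers for the same branch, which is the multi-peer scenario whose lack of preemption the text describes. The addresses, names and pre-shared keys are assumed placeholders; the IKEv1 variant is used because multiple peers per crypto map entry have always been supported there:

```cisco
! IKEv1 and IPsec parameters (constructed values).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: HQ LAN <-> branch LAN.
access-list VPN-TO-BRANCH extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Two peers for one crypto map entry: the ASA tries them in order.
! There is no preemption: once the tunnel has moved to the second peer
! it stays there even after the first peer is reachable again.
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1 198.51.100.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Each peer needs its own tunnel-group. Dead peer detection is what
! actually makes the ASA notice that the first peer is gone and move on.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
 isakmp keepalive threshold 10 retry 2

! A NAT exemption (identity NAT) for 192.168.10.0/24 <-> 192.168.20.0/24
! is also required when dynamic PAT is configured on the outside
! interface; it is not shown here.

! Which peer the tunnel is actually up with right now:
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.1
```

`show crypto ikev1 sa` shows the peer the tunnel is currently established with, which is the quickest way to tell which provider the VPN is really using after an outage, since, as the text notes, it will not move back on its own.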

This almost exhausts the main ASA functionality. I would also like to note a rather convenient ASA utility: packet-tracer. It allows a first-pass diagnosis of how a packet passes through the device. Packet-tracer displays information for each stage of packet processing inside the device. I assume the lack of packet-tracer on the router is due to the router being much more functional.
Let us touch briefly on the architectural features of the software and hardware. Note right away that the program code of the ASA and the router is completely different. Therefore, some processes are implemented differently.
Take routing, for example. The ASA has no Cisco Express Forwarding (CEF) as routers do. It uses its own logic: the route is determined for a session once, when it is established (something like fast switching). One could say that the router operates on packets and the ASA on sessions. NAT can influence routing on the ASA (more precisely, in some cases NAT determines where the packets of a particular session are sent). On routers there is nothing of the sort; the routing table or PBR "drives" everything. When routing switches from one interface to another on the ASA, the session is not always re-established (it can keep working on the old interface). For each session, the ASA remembers not only the outgoing interface (where to send it) but also the incoming interface (where the packets originally came from). This behaviour is most noticeable when we have several providers (connected via static routing) and some published services on them. In the ASA's case, the reply packets always go out through the provider via which the request came in, i.e. all published services will work. In the router's case, the reply packets go out via the default provider, i.e. the published services will work on only one provider (this behaviour can be worked around with some trickery: VRF + BGP).
Now let's look at performance. Of course, it is very difficult to compare the devices by this parameter, since the measurement methodology for each type of device may differ, and the marketing department never sleeps. Plus, performance depends on the services running on the device. But let's still note a few points. Previously (for the older ISR and ISR G2 models), routers were inferior in price / performance ratio (both on paper and in experience). For example, with a similar cost for the ISR G2 2921-SEC and the ASA5512-X, the first device delivered 50 Mbit/s (the figure the vendor recommends), and the second, in the worst case, 100 Mbit/s (Application Control, 440-byte HTTP packets). Maybe not quite an exact comparison, but for a rough estimate, I hope, it will do. For the same money, the ASA often gave us higher performance. But with the arrival of the 4000 routers, the picture has changed. Now each case must be looked at individually. This is because the performance of the 4000 routers does not degrade so much when services are enabled.
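As an added example (not from the article), here is how packet-tracer and the on-box packet capture mentioned earlier are typically used together on the ASA to diagnose a published service. The addresses, ports and capture name are constructed:

```cisco
! Simulate a TCP SYN arriving on the outside interface from a constructed
! Internet host towards a published server 203.0.113.50:443 and walk it
! through every processing stage: route lookup, access lists, NAT,
! inspection, flow creation.
packet-tracer input outside tcp 198.51.100.77 40000 203.0.113.50 443 detailed

! The same for a LAN client going out, to confirm outbound NAT and the
! implicit permit from a higher to a lower security level.
packet-tracer input inside tcp 192.168.10.25 51000 198.51.100.200 443

! Each phase reports whether the simulated packet was allowed or dropped,
! and the final result names the input and output interfaces, the action
! and, for a drop, the reason and the phase that dropped it. That phase
! is the first thing to look at when a published service is unreachable.

! Real traffic: capture on the outside interface, look at it on the box,
! then remove the capture so it does not keep consuming memory.
capture CAP-WEB interface outside match tcp any host 203.0.113.50 eq 443
show capture CAP-WEB
no capture CAP-WEB

! Aggregate drop counters by reason, useful when packet-tracer says
! "allow" but real packets are still disappearing.
show asp drop
```

Packet-tracer simulates a packet and is therefore independent of whether the remote side really sends anything, which makes it handy for checking a change before the maintenance window ends; the capture shows what actually arrived, and comparing the two usually points to whether the problem is in the ASA's configuration or upstream.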
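As an added example for the NAT section above and for the routing behaviour just described (constructed here, not the article's or Cisco's own configuration), the following ASA NAT configuration shows the three NAT sections and the route-lookup keyword. The object names and the 192.168.10.0/24, 172.16.0.0/16 and 203.0.113.0/24 addresses are assumed:

```cisco
! Object NAT ("auto NAT", section 2): one rule attached to each object.
! PAT of the whole LAN to the outside interface address.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Static port forward: the published web server behind 203.0.113.50:443.
object network WEB-SRV
 host 192.168.10.50
 nat (inside,outside) static 203.0.113.50 service tcp 443 443

! Manual NAT ("twice NAT", section 1) is evaluated before object NAT and
! can rewrite source and destination in a single rule. Here, traffic to
! the partner network leaves with a dedicated source pool instead of the
! interface address. This is the "double" NAT the text refers to.
object network PARTNER-NET
 subnet 172.16.0.0 255.255.0.0
object network PARTNER-FACING-POOL
 range 203.0.113.100 203.0.113.110
nat (inside,outside) source dynamic INSIDE-NET PARTNER-FACING-POOL destination static PARTNER-NET PARTNER-NET

! Section 3: manual NAT placed after object NAT with the after-auto
! keyword, used here as a catch-all for anything not matched above.
nat (inside,outside) after-auto source dynamic any interface

! Egress interface selection: by default the ASA sends a NAT-matched
! session out of the interface named in the rule, not the one the routing
! table would pick. route-lookup makes it consult the routing table
! instead, which is what you want for identity NAT of VPN traffic that
! must not be steered by the NAT rule.
object network BRANCH-LAN
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup

! Rules listed in evaluation order, by section, with hit counts, and the
! live translation table.
show nat detail
show xlate
```

The first rule that matches wins, and the manual NAT in section 1 is checked before any object NAT, so an overly broad section 1 rule silently overrides the per-object rules below it; `show nat detail` with its hit counts is the way to confirm which rule a flow is really hitting.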
Conclusion
It's time to take stock and answer the question posed in the article's title. The vendor has recommendations on this, formalized as various designs within the Cisco SAFE architecture. But we do not always build complex networks where every kind of device performs the functions best suited to it, for example an ASA with Firepower services as the firewall and routers for connecting to the WAN links. Often there are situations where you need to put in just one thing (the reason may be the most trivial: budget). And then we have to think about what to choose.
Case 1. A relatively small company with one office. Secure access to the Internet must be provided (one or two providers are used).
In this situation, the ASA solution may look more attractive for the following reasons:
- the ASA's functionality is sufficient for the task;
- Firepower services can be run on the ASA to get the NG FW and NG IPS functions (the total cost will be lower than with the bundle router + module + Firepower services);
- if remote users need to be connected to the corporate network, the ASA provides the widest range of options;
- in some cases, we get better device performance for the same money.
Case 2. There is a central office and one or more remote offices. What to put in a remote office?
I think many already understand that site-to-site VPN is not the ASA's strongest side. If we have many offices, several providers and need a full mesh (direct connectivity between all offices), it is better to use routers for this task. DMVPN alone will remove most of the headache. In this case, the central office should also have a router.
If we have one provider everywhere and not so many offices, the ASA is fine. Moreover, the solution may be cheaper than a similar one based on routers. But do not forget that today there is one provider, tomorrow there are two, and the company may grow a little. Of course, on the ASA in a remote office, you can configure a backup VPN to the central office using two providers at the center. There are just too many "buts" that can spoil the reputation of such a solution. The vendor, of course, is trying to remove them, but for now these "buts" have to be taken into account.
To summarize: the ASA is great for tasks such as firewalling and remote-access VPN. If we can afford to deploy this device for these tasks alone, it is worth it. If we need a mixture of functions in one "box", it may be worth looking at the router.
If you have your own thoughts on the question in the article's title, welcome to the comments.
UPD:
The article states that routers do not have a function similar to the ASA's packet-tracer. This statement is not entirely correct. IOS XE has similar functionality: Datapath Packet Trace.
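As an added example (not from the article or from Cisco documentation), here is the typical Datapath Packet Trace sequence on an IOS XE router such as the ISR 4000. Unlike the ASA's packet-tracer it traces real packets rather than a simulated one, so a condition is set first to catch only the traffic of interest. The host address and buffer sizes are assumed:

```cisco
! 1. Limit tracing to packets to or from one constructed host, in both
!    directions, so the trace buffer is not flooded by unrelated traffic.
debug platform condition ipv4 192.168.10.25/32 both

! 2. Keep the last 128 matching packets, record the feature-by-feature
!    path each one took through the forwarding plane (fia-trace), and
!    store a copy of the first 2048 bytes of each packet.
debug platform packet-trace packet 128 fia-trace
debug platform packet-trace copy packet both size 2048

! 3. Arm the condition, reproduce the problem, then disarm it.
debug platform condition start
debug platform condition stop

! 4. One summary line per packet (input/output interface, drop or
!    forward), then the full path and a decoded copy of a single packet.
show platform packet-trace summary
show platform packet-trace packet 0
show platform packet-trace packet 0 decode

! 5. Clean up: clear the buffers and remove the condition so the
!    router is not left tracing in production.
clear platform packet-trace statistics
clear platform condition all
```

The summary is where to look first: a packet that shows up as dropped names the feature that dropped it (for example the zone-based firewall or NAT), which is the same question the ASA's packet-tracer answers, only for packets that really crossed the box.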