
Cisco administration 101: Learn the difference between PIX and ASA

While Cisco introduced the Adaptive Security Appliance (ASA) in 2005, its PIX firewall is still alive and kicking. Which one is best for your organization's needs? David Davis details each product's offerings and compares the two.

For many years, the Cisco PIX has been the established Cisco firewall. But in May 2005, Cisco introduced a new offering—the Adaptive Security Appliance (ASA). However, the PIX is still available. I've often heard people ask about the differences between these two product lines. Let's take a look.

What is a Cisco PIX?

A Cisco PIX is a dedicated hardware firewall appliance. All Cisco PIX versions have model numbers in the 500s. The most popular model for home offices and small networks is the PIX 501; many midsize companies use the PIX 515 as a corporate firewall.

PIX firewalls run the PIX operating system. While the PIX OS is quite similar to the Cisco IOS, there are enough differences to cause some frustration for users more familiar with IOS.

The firewall sports the PIX Device Manager (PDM) for a graphical interface. This GUI is a Java application downloaded through a Web browser.

Typically, a PIX firewall has an outside interface that connects to the inside of an Internet router and goes to the public Internet. It also has an inside interface that connects to a LAN switch, going to the private internal network.
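The two-interface layout just described, written out as an added configuration example in PIX/ASA 7.x syntax (this is not from the article or from Cisco's documentation); the interface names, addresses and the published server are constructed. It shows the security-level setting that lets sessions start from the inside toward the Internet by default while inbound traffic must be permitted explicitly.

```text
! Constructed example: outside toward the Internet router, inside toward the LAN switch.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Default route toward the Internet router (constructed address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Default policy: sessions may start from the higher security level (inside, 100)
! toward the lower one (outside, 0); the adaptive security algorithm tracks each
! session and admits only its return traffic. Nothing may start from outside
! toward inside until an access list applied to the outside interface permits it.
!
! Publish one internal web server (192.168.1.10) on a constructed public address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Permit only HTTPS to that server from the Internet; the implicit deny at the
! end of the list drops every other inbound connection attempt.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
```

In 7.x releases before 8.3, an inbound access list references the translated (public) address, as above; verify the active rule set with `show access-list OUTSIDE_IN`, which also shows per-line hit counts.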

What is a Cisco ASA?

A Cisco ASA is a new firewall and anti-malware security appliance from Cisco Systems. (Don't confuse this product with what a PIX uses for stateful packet filtering—the adaptive security algorithm, or ASA.)

ASA models are all in the 5500 series. The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN. There's also a Business Edition for small to midsize companies.

In total, there are five models of the Cisco ASA. All run the ASA version 7.2.2 software, and the interface is much like the Cisco PIX. Both the Cisco PIX and ASA models vary in performance, but the ASA's lowest model offers much more performance than the base PIX.

Like the PIX, the ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator. In fact, the ASA could take the place of three separate devices—a Cisco PIX firewall, a Cisco VPN 3000 Series Concentrator, and a Cisco IPS 4000 Series Sensor.

Now that we've covered the basics of each security appliance, let's see how they compare.

PIX vs. ASA

While the PIX is an excellent firewall, the landscape of security has changed over the years. It's no longer sufficient to protect your network with a stateful packet filtering firewall. There are so many new threats to a network—including viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.

When a device does protect against this variety of threats, we say it offers "anti-X" capability or "multi-threat" protection. But the PIX just hasn't been able to offer this level of protection.

Most organizations don't want a PIX performing stateful firewall filtering alongside some other appliance protecting them from the remaining threats. Instead, they want an "all-in-one" device—a unified threat management (UTM) device.

The ASA does offer protection from these different types of attacks. It can even be more of a UTM device—however, it needs a Content Security and Control Security Service Module (CSC-SSM) to be a real UTM. This is the module in an ASA that performs the anti-X functions. Without the CSC-SSM, the ASA functions more like a PIX.

So which one is right for your organization? As always, the answer lies with your organization's unique needs. However, I would choose the ASA over the PIX any day. First of all, an ASA typically costs less than a similarly featured PIX. Beyond the cost incentive, it simply seems logical to choose the newer and faster technology.

For those who already use the Cisco PIX, Cisco has produced a Migration Guide (PDF) that addresses how to migrate from a Cisco PIX to an ASA. In my opinion, this offering foreshadows Cisco's impending discontinuation of the PIX. While the company has made no announcements to this effect, I think it's only a matter of time.

Remember, we can no longer rely solely on a firewall to protect our organizations from the varied threats of the Internet; a multifaceted approach is now necessary for complete protection. While the ASA is a good choice, it isn't your only option. Many vendors offer products to compare the ASA against before making that choice.

Do you use a PIX or ASA in your organization? Share your experiences in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

15 comments
Sighei

Please could someone help me with the two things needed in the two firewall devices (PIX and ASA) in order to allow traffic to pass from a higher security level to a lower security level?

IT cowgirl

I think this would be ideal for small business. Many have no firewall, no VPN solution, no security, and very little anti-spyware/malware protection. This all-in-one device could be the perfect solution. This would be a handy solution and I would trust it because it is a Cisco product. Anyone have an idea of the cost for the basic Business Edition?

wong.gah.woh

I had deployed both PIX and ASA before, just not in the same environment. I have to say, if Cisco would only publish a good stable version of ASA/PIX IOS code, ASAs would be the mainstream next generation hybrid firewall. Plus I have yet to see an ASA housing both IPS and CSC within the same appliance. Now that would be great. Still waiting for the stable IOS code.

georgeou

Pix 7.x OS is basically the same as ASA. ASA just adds the nice VPN concentrator plus an upgrade option to inline IDS. ASA also has much nicer hardware, like dual copper gigabit Ethernet built in, whereas you pay through the nose for that on Pix. I've been running Pix 7.x for more than a year and it's more IOS-like and I like it. The new Web UI is less buggy, though you still get JRE runtime hell. There's nothing like the CLI though.

CG IT

The RVL200, priced at an average of $170.00 USD, supports multiple DMZs on the switch ports, VLAN support on the switch ports, SPI, 5 VPN tunnels, blah blah. Though a PIX 501 is priced at an average of $360.00 USD, it's a bear to troubleshoot ACLs and requires more tech knowledge than the average Geek Squad joe. The RVL200 is a step down but has a lot of features the mid-range firewalls/routers have.

juan.ferreiro

I had deployed two ASA 5510s and I think they work fine, very stable. In the past I worked with PIX. Compared with the ASA, the PIX is obsolete, in my opinion. If you can, use the CLI; the ASDM app is less powerful but works.

djdawson

I wouldn't say the PIX hardware sucks, but it is showing its age. The ASA includes 4 rather than 2 10/100/1000 ports plus a 5th 10/100 management port (except on the low-end 5505, which has a built-in 8-port switch), which is nice. Also, the ports now do auto-MDX, so you no longer need crossover cables! As for software, the PIX 7.x code images are identical to the ASA 7.x images (the MD5 checksums are the same), with just a couple of exceptions in the 7.1(x) versions. The fact that the PIX hardware is much less capable prevents the use of some features that are in the software, such as WebVPN. Other than that, you get all the nice improvements of 7.x on the PIX as you do on the ASA, such as tab-? command completion, the new application layer inspections, and the new ASDM GUI (though I agree that the CLI is generally the better alternative, the VPN Wizard in ASDM can be quite useful). I also agree that there's no real reason to buy a PIX now that the 5505 is available, since it starts at the same price at the low end and is so much more capable.

gp1200x

Buy a Netgear FVS338 if you want to get a lower-end VPN device. Not a Cisco PIX or ASA, but much better than Linksys, and it is now guaranteed for life.

confused_15

I look at Linksys as being more of a home solution than a business one. I do see that there is a definite cost advantage for a smaller company looking to save some cash, but I don't know how much I would trust them in a mid to large size corporation.

garysh

I have PIX OS 7.2(2). Can I use this OS for my ASA, or should I use a special 7.2 OS for the ASA?

confused_15

Last time I checked, the PIX 501 and 506E didn't have enough memory to support version 7.x. Does anyone know if this has changed? I'm pretty sure I had to order a memory upgrade for my PIX 515 to load version 7.x as well. Just a thought.

georgeou

The low-end ASA has 2, I think. I could be wrong.

djdawson

Cisco does not support 7.x on the 501 or the 506, and I doubt they ever will. I've seen reports of people hacking the 506E to get 7.x to run on it, but that's not a supported configuration. The relatively new 5505 fills this space at the low end in the ASA product line, though it's not quite as cheap at the bottom end as the 501. HTH

georgeou

That's a good reason never to buy a Pix again in favor of the ASA.

djdawson

All the ASA boxes have at least 4 ports. The lower-end 5510 only has 10/100 ports (but there are 4 of them, plus one 10/100 management-only port), and the lowest-end 5505 has an 8-port 10/100 switch. For the curious, here's a URL for a comparison chart at Cisco that shows all the different ASA models: http://www.cisco.com/en/US/partner/products/ps6120/prod_models_comparison.html Enjoy!
