The PIX/ASA is a powerful stateful packet-inspection firewall with some basic application-inspection capabilities. One of the nice things about the PIX/ASA firewall is that fundamentally all hardware models run pretty much the same software (with the notable exception being the PIX 501 and PIX 506E, which will not run the newest PIX 7.x software, as discussed in the section "Cisco PIX Firewall and ASA Models"). For the PIX firewall, these features include the following:
These are just some of the features available in the PIX firewall. For a complete listing of features, refer to http://www.cisco.com/go/pix and http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd80225ae1.html.
The ASA Security Appliance shares many of the same features as the PIX firewall, as well as a few additional ASA-specific features, including the following:
For a complete listing of features, refer to http://www.cisco.com/go/asa and http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Choosing Between the PIX and the ASA
One of the first questions to answer when trying to determine what Cisco firewall your environment requires is what the difference between the Cisco PIX Firewall and the Cisco ASA is. The ASA is
The major difference between the Cisco PIX Firewall and the ASA does not lie in the firewall functionality itself, but rather in the additional features that the ASA provides in an integrated solution. Although the PIX can perform some basic IDS functions, it is really not an effective IDS solution in and of itself. The ASA addresses this PIX deficiency by incorporating a fully functional and feature-complete IPS solution as a component of the ASA. In essence, the ASA not only runs the PIX firewall software, it is also capable of running the complete Cisco IPS software to provide an integrated firewall and IPS solution. This is commonly referred to as deep packet inspection. In conjunction with the advanced IPS capabilities, the ASA also provides for content security and control for antivirus, antispam, and antiphishing (commonly referred to as anti-X) scanning through the use of the Content Security Control and Control Security Services Module (CSC SSM). The ASA also supports Secure Sockets Layer (SSL)-based VPN connections and VPN clustering to provide for load balancing of VPN
So the question of whether you should select a PIX or an ASA comes down largely to whether you need the additional functionality of the ASA, because fundamentally they both provide the exact same basic firewall functionality. If you do need the additional IPS functionality that the ASA provides, or think you will in the near future, the ASA is the appropriate choice. If you do not, the PIX firewall is the appropriate choice.