The PIX/ASA is a powerful stateful packet-inspection firewall with some basic application-inspection capabilities. One of the nice things about the PIX/ASA firewall is that fundamentally all hardware models run pretty much the same software (with the notable exception being the PIX 501 and PIX 506E, which will not run the newest PIX 7.x software, as discussed in the section "Cisco PIX Firewall and ASA Models"). For the PIX firewall, these features include the following:
Failover functionality whereby two PIXs can provide high-availability services to a network. This functionality is only supported in PIX 515E or larger firewalls and is supported in both active/passive or active/active (for PIX software 7.x or newer) modes of operation.
Zero-downtime software upgrades.
DHCP server. The PIX now has a built-in DHCP server to provide address allocations for remote office or branch offices.
Object grouping. Administrators can now group network objects (such as devices, networks, and services) into logical groups to simplify access control list (ACL) definition and maintenance.
ACLs for controlling traffic access both inbound and outbound. The PIX can also "precompile" the ACLs using turbo ACLs, which provides for enhanced performance.
Command-level authorization for role-based access control.
Network Address Translation (NAT)both unidirectional as well as bidirectional to support overlapping private address ranges.
Network Time Protocol (NTP) support for clock synchronization to a time server.
Simple Network Management Protocol (SNMP) monitoring with CPU monitoring using SNMPv2.
Virtual firewall services (PIX software 7.x).
Layer 2 transparent firewall (PIX software 7.x).
Software and configuration updates via HTTP and HTTPS.
HTTPS-based command-line interface (CLI) access.
VPN services providing both LAN-to-LAN and remote-access VPN services.
PPP over Ethernet (PPPoE) support for users connecting the PIX to an xDSL interface (not supported in PIX software 7.x).
Quality of service (QoS) (PIX software 7.x).
Tunneling application control to block and prevent applications that tunnel through web application ports such as instant messaging, peer-to-peer file share, and other applications such as GoToMyPC.
Secure Shell Version 2 (SSHv2) and SNMPv2C (PIX software 7.x).
Multicast support for multimedia applications.
Port Address Translation (PAT) for H.323 and Session Initiation Protocol (SIP) for voice applications.
Deep packet inspection for services such as HTTP, FTP, Extended Simple Mail Transfer Protocol (ESMTP), and more.
Intrusion detection signatures for packet inspection.
The ASA Security Appliance shares many of the same features as the PIX firewall, as well as a few additional ASA-specific features, including the following: