The Cisco ASA and the Cisco IOS router with Zone-Based Policy Firewall (ZFW) have different default behaviors when it comes to traffic filtering. The Cisco ASA follows a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic1. The Cisco IOS router with ZFW, on the other hand, starts out by allowing all traffic, even on untrusted interfaces, until a zone-pair policy is applied to restrict or inspect traffic2. This means that the Cisco ASA provides a higher level of security by default, while the Cisco IOS router with ZFW requires more configuration to harden the router. However, the Cisco IOS router with ZFW also offers more flexibility and granularity in defining firewall policies, as well as more advanced features such as DMVPN, GET VPN, and Policy-Based Routing, which are not supported by the Cisco ASA23. References:

2: IOS Firewall vs. ASA - Cisco Community

1: Understand the Zone-Based Policy Firewall Design - Cisco

4: What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?

5: What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-based policy firewall?

3: Cisco Zone-Based Firewall Reporting – Plixer