topic Re: Zone based firewall setup in Network Security

Zone based firewall setup

AZKhan — Tue, 10 Dec 2019 06:32:30 GMT

Hello everyone,

I have Cisco ASA 5525-X with following images

asa922-4-smp-k8

asdm 7.2(2)1

asasfr-5500x-boot-5.4.0

I need to deploy the firewall in Datacentre environment. For this purpose , i want to create zones/zone pairs and assign interfaces to different zones, and apply bi-directional policies to control traffic. With my past experience of Juniper Netscreen/SRX firewalls , doing all this was so simple and straight forward. But i am unable to find any commands relevant to Zone based configuration in my current setup. Do i need image upgrade or something else?

Re: Zone based firewall setup

Seb Rupik — Tue, 10 Dec 2019 07:36:30 GMT

Hi there,

The cisco equivalent Zone Based Firewall is a feature found on cisco routers not ASAs.

The ASA uses the concept of security level (0 - 100) applied to routed interfaces. There is an implicit permit of traffic from a higher level to a lower level in the absence of ACLs. On an SRX you would group IRBs under the same zone, on an ASA something similar could be achieved by having a set of SVIs all have the same security level and configuring same-security-traffic permit inter-interface .

cheers,

Seb.

Re: Zone based firewall setup

AZKhan — Tue, 10 Dec 2019 16:36:26 GMT

@Seb Rupik , Thanks for reply. Someone have suggested me to follow the given below link, which shows that Zones could be configure in ASA.

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.3

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#65622

Visiting this link and going through all the config, i haven't found even these commands on my ASA 5525X.

I am really confused, what to do now?

Re: Zone based firewall setup

Rob Ingram — Tue, 10 Dec 2019 17:14:18 GMT

Hi,
This link refers to traffic zones within ASA code. This allows you to assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone. Zones on the ASA does not work the same as they do on Juniper firewalls.

If you are licensed to run FTD code on the ASA hardware, the FTD does allow you to assign interfaces to security Zones, you can then use the zecurity zones within the Access Control Policy. This would be similar to configuring Juniper firewalls.

HTH

Re: Zone based firewall setup

AZKhan — Wed, 11 Dec 2019 06:38:15 GMT

Oohh, It mean mine ASA is just a box, cannot use it as a firewall at all. Even the security Zones config need licenses. As compare to Juniper Netscreen/SRX and Fortinet Fortigate, its not gonna help in creating security zones.

Will FTD replace the current ASA image? or it will run in parallel and just increase the security capabilities of the ASA?