Zone based firewall setup

AZKhan
Level 1

Hello everyone,

I have a Cisco ASA 5525-X with the following images:

asa922-4-smp-k8

asdm 7.2(2)1

asasfr-5500x-boot-5.4.0

I need to deploy the firewall in a datacentre environment. For this purpose, I want to create zones/zone pairs, assign interfaces to different zones, and apply bi-directional policies to control traffic. With my past experience of Juniper Netscreen/SRX firewalls, doing all this was simple and straightforward. But I am unable to find any commands relevant to zone-based configuration in my current setup. Do I need an image upgrade or something else?

 


Seb Rupik
VIP Alumni

Hi there,

The Cisco equivalent, Zone-Based Firewall, is a feature found on Cisco routers, not on ASAs.

The ASA uses the concept of a security level (0 - 100) applied to routed interfaces. There is an implicit permit of traffic from a higher level to a lower level in the absence of ACLs. On an SRX you would group IRBs under the same zone; on an ASA something similar could be achieved by having a set of SVIs all with the same security level and configuring same-security-traffic permit inter-interface.

 

cheers,

Seb.

@Seb Rupik, thanks for the reply. Someone has suggested that I follow the link given below, which shows that zones can be configured on the ASA.

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.3

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html#65622

Visiting this link and going through all the config, I haven't found even these commands on my ASA 5525-X.

I am really confused; what do I do now?

Hi,
This link refers to traffic zones within ASA code. This allows you to assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone. Zones on the ASA do not work the same way as they do on Juniper firewalls.

If you are licensed to run FTD code on the ASA hardware, FTD does allow you to assign interfaces to security zones; you can then use the security zones within the Access Control Policy. This would be similar to configuring Juniper firewalls.

HTH
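
As an added configuration example (not taken from this thread, from Cisco's documentation, or from the poster's device), the following shows the two things the replies above contrast: the ASA security-level model, with same-security-traffic permit inter-interface and a per-interface ACL for explicit bi-directional control, and a 9.3 traffic zone, which governs which interfaces a flow may use rather than acting as a security boundary. Interface names, addresses, the ACL name dmz_in and the zone name dc-servers are constructed for illustration; the zone and zone-member commands are the traffic-zone syntax from the 9.3 guide linked in the thread and are not present in the 9.2(2) image named in the question.

```cisco
! Added example, not from the thread. Names and addresses are constructed.

! --- Security levels (available on the poster's 9.2(2) image) ---
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! With no ACL applied, inside(100) -> dmz(50) -> outside(0) is implicitly permitted
! and the reverse direction is implicitly denied; only return traffic of an existing
! connection is allowed back in.

! A second interface at level 100 behaves like a member of the same "trust" zone,
! but only after the global command below; without it, same-level traffic is dropped.
interface GigabitEthernet0/3
 nameif inside2
 security-level 100
 ip address 10.3.0.1 255.255.255.0
!
same-security-traffic permit inter-interface

! Explicit control is per interface with ACLs. Once an ACL is applied inbound on dmz,
! the implicit level-based permit for that interface is gone, so this ACL also blocks
! dmz -> outside unless a further permit line is added. The final deny logs drops.
access-list dmz_in extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! --- Traffic zone (ASA 9.3+ syntax, absent from 9.2(2)) ---
! A traffic zone exists for asymmetric routing / ECMP: an existing flow may enter and
! leave on any member interface. It does not define a security boundary the way an
! SRX zone does; the security level and ACLs above still decide what is permitted.
zone dc-servers
interface GigabitEthernet0/4
 nameif srv1
 security-level 50
 ip address 10.4.0.1 255.255.255.0
 zone-member dc-servers
!
```

The practical check on a 9.2(2) box is simply that zone is not accepted at the global configuration prompt, which matches what the original poster saw; what is available there is the security-level model in the first part of the example.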

 

Oh, so it means my ASA is just a box; it cannot be used as a firewall at all. Even the security zones config needs licences. Compared to Juniper Netscreen/SRX and Fortinet FortiGate, it's not going to help in creating security zones.

Will FTD replace the current ASA image, or will it run in parallel and just increase the security capabilities of the ASA?
