ASA service-policy beetween zones

sherbinasergey
Level 1

Hello,

In the Zone Based Firewall (ZBF) on ISR routers there is the feature "zone pair". It is very convenient to set up different policies between different zones and their directions (e.g. INSIDE-DMZ, OUTSIDE-DMZ, DMZ-OUTSIDE, INSIDE-OUTSIDE and so on).

In the Cisco ASA, which should be a more specific device for such purposes, we have the "nameif" definition, which is similar to "zones" in IOS. But in the ASA we cannot assign a policy to NAMEIF pairs and directions; instead we must keep in mind only Feature Directionality, and it's not flexible.

Furthermore, in the ASA we cannot assign a NAMEIF to several interfaces or VLANs, like ZONES on L2 and L3 interfaces on the ISR.

What are the solutions to bypass these inconveniences?

1 Reply

Julio Carvajal
VIP Alumni

Hello Sergey,

The ASA is not flexible????

What... It's way too flexible,

If you want to assign the same nameif value to more than one interface, you will need to use something like redundant interfaces or a port-channel, but that is not what you are looking for.

The ASA is a security device and will let you create policies based on any of your requirements. There is no such zone concept because we have the ability to create our own policies without the restriction of MUST have a zone-pair.

We have the security level for that purpose (a dynamic way to make everything easier).

But I do agree with you... The router is way more flexible (as a firewall and routing device).

The only thing I see the ASA being better at is for troubleshooting purposes.

Let me know what you think, and also remember to rate all of the helpful posts; that motivates us to keep responding.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
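To make the two models in this thread concrete, here is an added configuration sketch (not from either poster, and not a Cisco document) that expresses the same "inside may reach the DMZ web servers, nothing else" policy first as an IOS ZBF zone-pair and then as ASA per-interface ACLs with security levels, plus the port-channel workaround Julio mentions for sharing one nameif across physical ports. Interface names, addresses, object and ACL names are all assumed for the illustration.

```cisco
!=== IOS ZBF: the policy is bound to a source/destination zone PAIR ===
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! A zone can hold several L3 interfaces/subinterfaces (assumed names)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/0.10
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
interface GigabitEthernet0/2
 zone-member security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-DMZ-CM
 match protocol http
 match protocol https
policy-map type inspect INSIDE-TO-DMZ-PM
 class type inspect INSIDE-TO-DMZ-CM
  inspect
 class class-default
  drop log
! Direction is explicit in the pair itself; DMZ->INSIDE stays dropped
! because no DMZ-INSIDE zone-pair is defined (ZBF default between zones).
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-PM

!=== ASA: the policy is bound to an INTERFACE and a direction (in/out) ===
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! The "pair" is encoded in the ACE by the destination network, since an
! ACL applied "in" on inside covers inside->ANY other interface.
object network DMZ-NET
 subnet 10.2.2.0 255.255.255.0
access-list INSIDE_IN extended permit tcp any object DMZ-NET eq 80
access-list INSIDE_IN extended permit tcp any object DMZ-NET eq 443
access-list INSIDE_IN extended deny ip any object DMZ-NET log
! Assumed policy: inside may still reach the outside for anything else
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
! With no ACL on dmz, the security levels (50 < 100) block dmz->inside by
! default; return traffic for inspected sessions is allowed by state.
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global

!=== ASA: one nameif over several physical ports via a port-channel ===
interface GigabitEthernet0/3
 channel-group 1 mode active
interface GigabitEthernet0/4
 channel-group 1 mode active
interface Port-channel1
 nameif inside2
 security-level 100
 ip address 10.3.3.1 255.255.255.0
```

The practical takeaway for a reviewer of an ASA configuration is that each interface ACL must be read as "this interface toward every other interface", so a rule intended for one destination zone needs an explicit destination network, and an implicit-deny or the security-level defaults must be confirmed for every unlisted direction rather than assumed from a zone-pair name.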