cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
927
Views
4
Helpful
12
Replies

asa zones

hi,

I need to implement one zone on asa withe several interfaces and no zones. I need to put two interfaces into that new zone. Will implementing this zone in any way break traffic toward other interfaces?

br

12 Replies 12

Can you more elaborate 

What platform you have fpr ftd ? Or asa?

Thanks

MHM

asa

As I know there is secuirty level 

You can put interface in same secuirty level and permit intra and inter interface 

This allow traffic between interface to pass without need acl.

If new interface have secuirty level different than old interface then sure you need acl.

MHM

but traffic bwtween interfaces should flow, respecting ACL of course, regadless of zone they are mebers of?  One is in the zone and others are not member of any zone?

Friend there is no zone secuirty 

If old interface in same secuirty level with new then traffic flow no need acl (need only permit intra and inter)

If the there is different in secuirty level' you need ACL.

MHM

@DraganSkundric87318 zones are only used on the ASA for ECMP (equal cost multi path) routing, you cannot not apply security controls (ACLs) based on the security zone. So normal ACL and security levels apply.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/interface-zones.html?bookSearch=true

 

I agree with @Rob Ingram, if you are referring to the traffic zone then I would say the ASA traffic zone concept has nothting to do with some other vendors security zones concept such as Palo Alto for example. The traffic zone on the ASA could mainly be used to workaround some asymmetric routing scenarios and to allow some load balancing across multiple interfaces within a traffic zone which usually you can't do without a traffic zone. However, even with a traffic zone, the ACL and NAT for example will still be applied per interface basis, not per traffic zone basis.

@DraganSkundric87318 dont confuse 

Traffic zone is different than secuirty zone.

Traffic zone is another long story.

MHM

I need to implement zone because of ECMP and just want to know if it will somehow negativelly impact existing traffic flow

thanks for clarify 

if you use Zone traffic then you need to make all interface in that traffic Zone in same security level 

and then as I mention before check the security level with other interface and use ACL if needed 

from cisco doc.
Security Levels

The first interface that you add to a zone determines the security level of the zone. All additional interfaces must have the same security level. To change the security level for interfaces in a zone, you must remove all but one interface, and then change the security levels, and re-add the interfaces.

ok, and now .... another problem. I can create zone but cannot add interfaces to it .... I have this message on ASDM 

threat detection is enabled no interface can be associated with traffic zone

and threat detection is turned off. !?!?!?

 

or is it not? 

 

no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

 

Basic thread-detection is disabled, but threat-detection statistics is enabled and ASDM doesn't like it. Threat-detection statistics can be quite helpful though as ASDM uses it for graphs on the firewall dashboard.

Be careful when assigning zone to an interface: this can remove static routes on the interface (CSCuu43360). This is documented: When you add an interface to a zone, all static routes for those interfaces are removed.

 

 

Review Cisco Networking for a $25 gift card