01-24-2024 12:51 AM
hi,
I need to implement one zone on ASA with several interfaces and no zones. I need to put two interfaces into that new zone. Will implementing this zone in any way break traffic toward other interfaces?
br
01-24-2024 12:57 AM
Can you more elaborate
What platform do you have, FTD or ASA?
Thanks
MHM
01-24-2024 12:58 AM
asa
01-24-2024 01:07 AM
As I know, there is security level.
You can put interfaces in the same security level and permit intra and inter interface.
This allows traffic between interfaces to pass without the need for an ACL.
If the new interface has a security level different from the old interface, then sure, you need an ACL.
MHM
01-24-2024 01:19 AM
but traffic between interfaces should flow, respecting ACL of course, regardless of the zone they are members of? One is in the zone and others are not members of any zone?
01-24-2024 01:23 AM - edited 01-24-2024 02:04 AM
Friend, there is no zone security.
If the old interface is in the same security level as the new one, then traffic flows with no need for an ACL (need only permit intra and inter).
If there is a difference in security level, you need an ACL.
MHM
01-24-2024 01:27 AM
@DraganSkundric87318 zones are only used on the ASA for ECMP (equal cost multi path) routing, you cannot apply security controls (ACLs) based on the security zone. So normal ACL and security levels apply.
01-24-2024 01:53 AM
I agree with @Rob Ingram, if you are referring to the traffic zone then I would say the ASA traffic zone concept has nothing to do with some other vendors' security zones concept such as Palo Alto for example. The traffic zone on the ASA could mainly be used to work around some asymmetric routing scenarios and to allow some load balancing across multiple interfaces within a traffic zone, which usually you can't do without a traffic zone. However, even with a traffic zone, the ACL and NAT for example will still be applied on a per-interface basis, not a per-traffic-zone basis.
01-24-2024 01:59 AM
@DraganSkundric87318 don't confuse
Traffic zone is different than secuirty zone.
Traffic zone is another long story.
MHM
01-24-2024 02:21 AM
I need to implement a zone because of ECMP and just want to know if it will somehow negatively impact existing traffic flow
01-24-2024 02:26 AM
thanks for clarifying
if you use a traffic zone then you need to make all interfaces in that traffic zone the same security level
and then, as I mentioned before, check the security level against the other interfaces and use an ACL if needed
The first interface that you add to a zone determines the security level of the zone. All additional interfaces must have the same security level. To change the security level for interfaces in a zone, you must remove all but one interface, and then change the security levels, and re-add the interfaces.
01-30-2024 02:19 AM - edited 01-30-2024 02:21 AM
ok, and now .... another problem. I can create zone but cannot add interfaces to it .... I have this message on ASDM
threat detection is enabled no interface can be associated with traffic zone
and threat detection is turned off. !?!?!?
or is it not?
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
01-30-2024 05:52 AM
Basic threat-detection is disabled, but threat-detection statistics is enabled and ASDM doesn't like it. Threat-detection statistics can be quite helpful though, as ASDM uses it for graphs on the firewall dashboard.
Be careful when assigning zone to an interface: this can remove static routes on the interface (CSCuu43360). This is documented: When you add an interface to a zone, all static routes for those interfaces are removed.
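A pre-flight check for the three pitfalls raised in this thread (members of a traffic zone must share a security level, threat-detection statistics blocks adding interfaces, and zone membership drops the interfaces' static routes). This is an added example, not code from Cisco or from any poster; it parses a constructed running-config excerpt, and the interface names, levels and addresses in it are made up.

```python
import re

# Constructed sample running-config excerpt (not from the thread), mirroring the
# situations discussed: two ISP interfaces to be zoned for ECMP, threat-detection
# statistics still enabled, and static routes pointing out of those interfaces.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif isp1
 security-level 0
interface GigabitEthernet0/2
 nameif isp2
 security-level 0
interface GigabitEthernet0/3
 nameif inside
 security-level 100
no threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
no threat-detection statistics access-list
route isp1 0.0.0.0 0.0.0.0 198.51.100.1 1
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its security-level, one entry per interface block."""
    levels, block = {}, {}
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last block
        if line.startswith("interface "):
            if "nameif" in block and "level" in block:
                levels[block["nameif"]] = block["level"]
            block = {}
        elif line.startswith(" nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith(" security-level "):
            block["level"] = int(line.split()[1])
    return levels

def zone_preflight(config, members):
    """Return findings that would stop, or silently change, adding `members` to one zone."""
    findings = []
    levels = {m: parse_interfaces(config).get(m) for m in members}
    if len(set(levels.values())) > 1:          # zone takes the first member's level
        findings.append(f"security levels differ: {levels}")
    for line in config.splitlines():
        if line.startswith("threat-detection statistics"):   # 'no ...' lines do not match
            findings.append(f"threat-detection statistics still enabled: '{line}'")
        m = re.match(r"route (\S+) ", line)
        if m and m.group(1) in members:        # these routes vanish on zone-member
            findings.append(f"static route will be removed on zone add: '{line}'")
    return findings
```

Run `zone_preflight(SAMPLE_CONFIG, ["isp1", "isp2"])` before touching the zone and re-add the listed routes afterwards.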