FMC: Security Zones and Interfaces on ASA Failover Pair

swscco001 (Level 3)

Hello everybody,

I have just set up my first FMC (6.6.1) for an ASA Failover Pair (9.8(2)20)
with Firepower modules (6.6.1).

At the moment no traffic will be handled by the module yet (neither
"sfr fail-open" nor "sfr fail-open monitor-only" is currently configured
in the policy-map under "class sfr").

There are still no zones in the FMC and I want to know how you would proceed
with creating zones.

Attached you find the zones on the ASA.

Do you put the interfaces with the same security level in the same zone,
or is there a better model? For example the outside interfaces on primary
and secondary ASA in the outside zone (see attached)?

Every hint is welcome!

Thanks a lot!

Bye
R.

Accepted Solution

Hi,

Zones and security levels in ASA and Zones in Firepower are two separate things, although they are similar to each other. Security levels on the ASA are used in the absence of access lists on an interface to define which interface is "more trusted"; once you apply an access list to an interface, the security levels have no meaning other than a visual representation of that trust. Zones in Firepower, however, are used to group interfaces together. How they are grouped is up to the administrator, but as I mentioned earlier I tend to group the interfaces together based on the services or functions that are provided. You would still need to apply access lists to allow traffic, but it adds an extra layer of security when you reference the Zone in the access list.

--
Please remember to select a correct answer and rate helpful posts
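As an added illustration of the distinction made in the accepted solution (constructed for this page; it is not the poster's configuration and not Cisco's documentation), the ASA fragment below shows the three mechanisms side by side: security levels, an access list bound with access-group, and the policy-map that hands traffic to the FirePOWER module. Interface names, the addresses (RFC 5737 documentation ranges, with standby addresses because the question concerns a failover pair), the server address and the access-list name OUTSIDE_IN are assumptions; the class name sfr is the one used in the question.

```text
! --- Security levels: the implicit policy when no access-group is bound ---
! Traffic from a higher level to a lower one (inside -> outside) is permitted
! by default; the reverse direction is denied by default.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
! --- Access list: once bound with access-group, it decides, not the level ---
! Only this explicit permit reaches the (assumed) DMZ web server from outside;
! the deny at the end of the list, rather than the security level, now governs
! what enters the outside interface.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Redirection to the FirePOWER module (the policy-map the question refers to) ---
! With no "sfr" line under class sfr nothing is sent to the module, which is
! the state described in the question. "sfr fail-open" sends matched traffic
! to the module and lets it pass if the module is unavailable;
! "sfr fail-open monitor-only" sends a copy and never blocks.
class-map sfr
 match any
!
policy-map global_policy
 class sfr
  sfr fail-open
!
service-policy global_policy global
```

The zone grouping the reply describes is not part of this CLI: interfaces are assigned to zones in FMC, and the access control policy there can then match on source and destination zone on top of the ASA access list above, which is the extra layer the reply refers to.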


3 Replies

My normal "go to" is to create zones based on functions. So Internet goes in the outside zone, the local LAN goes in the inside zone, branch offices go in another zone (for example branch_office or dmz-2), and servers go in yet another zone (for example dmz).

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for the reply!

I have searched for a 'how to' but could not find any.

I thought the security zones in Firepower are the equivalent of the security levels on the ASA. That's why I want to create the zones
according to the security levels.

Thanks a lot!
