12-21-2023 06:44 AM - edited 12-21-2023 07:08 AM
Hi
I am trying to configure ASA FPWR 1150 (Version 9.16) with Zone based security.
I have been trying to find CLI-based examples for it, but all of them seem to be for IOS. I can create a zone and apply interfaces to a zone. However, the "zone-pair" command does not exist, and I cannot figure out which command accomplishes it in FPWR.
Appreciate the help
regards
12-21-2023 07:40 AM
@oscardenizjensen no, DMZ traffic will not be blocked; you define the direction (in/out) of the interface - generally just "in". So if you permit any inbound on the outside interface, egress will be permitted to the inside or DMZ. You must explicitly permit the traffic, deny what you do not want, or rely on the implicit deny at the end of the ACL.
If you run the FTD image on your hardware instead of the ASA image, then this does use zones instead of the security levels.
12-21-2023 06:47 AM
There is no zone pair like ZFW.
You need to configure an ACL to allow traffic between zones,
if that is what you ask.
MHM
12-21-2023 07:25 AM
I see, that is a shame; having experience with some other vendors' zone-based FWs, they felt much easier to work with.
So for example's sake, if I want to allow all traffic from Outside (sec level 0) to Inside (sec level 100) but not to DMZ (sec level 50), then I would have an access group like below. And since DMZ is not mentioned, it will be blocked.
access-list Outside-Inside extended permit ip any any
access-group Outside-Inside in interface Outside
access-group Outside-Inside out interface Outside
12-21-2023 07:31 AM
Another point:
if you use zones then there is no sec level; you need to allow traffic
from OUT to IN if the traffic initiates from OUT
from IN to OUT if the traffic initiates from IN
MHM
12-21-2023 12:33 PM
I see, that would mean that each time, let's say, there is a new subnet or service introduced to Inside, I need to edit the ACL. I wanted a more dynamic solution, which I thought zones would achieve?
I will look into the FTD; is it the more "modern" way to configure Cisco ASAs?
12-21-2023 12:40 PM
@oscardenizjensen use object groups in the ACLs and then add a new network object to the group, this saves modifying the ACL.
The FTD image is the NGFW, which has most (if not all) the same features of the ASA, plus new features built-in such as IPS, Malware, SSL decryption etc. Management of the FTD is via the GUI, which is either locally (FDM), cloud (CDO/cdFMC) or on-premise central (FMC). You cannot configure the entire firewall using the CLI like you can on the ASA.
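An added example (written for this thread, not configuration from any of the posters) putting the object-group approach into ASA CLI for the case asked about above, Outside to Inside permitted but not Outside to DMZ. The interface name, object-group names and the 10.1.0.0/16, 10.2.0.0/16 and 192.0.2.0/24 subnets are constructed placeholders:

```cisco
! Constructed example: one network object-group per security domain,
! so adding a subnet later is a one-line change to the group,
! not an edit of the ACL itself.
object-group network INSIDE-NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object-group network DMZ-NETS
 network-object 192.0.2.0 255.255.255.0

! A single ACL applied inbound on Outside. Only destinations in
! INSIDE-NETS are permitted; the DMZ line is an explicit deny with
! logging so hits are visible, and anything else falls through to
! the implicit deny at the end of the ACL.
access-list OUTSIDE-IN extended permit ip any object-group INSIDE-NETS
access-list OUTSIDE-IN extended deny ip any object-group DMZ-NETS log
access-group OUTSIDE-IN in interface Outside

! Later, when a new Inside subnet appears, extend the group only:
object-group network INSIDE-NETS
 network-object 10.3.0.0 255.255.0.0
```

Only the "in" access-group on Outside is needed: the ASA is stateful, so return traffic for permitted flows is allowed without an outbound ACL. In a real deployment the "permit ip any" line would normally be narrowed to the specific destination hosts and services that must be reachable from Outside, using service object-groups in the same way.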
12-23-2023 12:49 PM
Hi friend
access-group Outside-Inside out interface Outside <- this is not needed at all.
Using one object that includes all subnets, I don't recommend this.
Configure an object for each subnet and add an ACL entry for each subnet.
This will make a long ACL, but it is easy to troubleshoot; Firepower does not use one ACL like a router or ASA, it has multiple levels of filtering, and configuring one object for all subnets is a bad idea.
MHM
12-21-2023 06:47 AM
@oscardenizjensen you don't create zone-pairs on the ASA, only on IOS routers.
Traffic zones are only used for ECMP on the ASA, this is optional configuration. https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/interface-zones.html