The Self-Zone is the firewall zone that includes all of the router's interface IP addresses (even those of interfaces not assigned to any specific zone).
You must think of the Self-Zone as the router itself, so when we configure a policy that includes the Self-Zone it applies to:
-Traffic to the router
-Traffic from the router
So when someone asks the following:
What traffic should I consider when I deal with the Self-Zone?
You should answer:
-Management plane traffic (SSH, Telnet, etc.)
-Control plane traffic (routing protocols)
Another common question is:
Why would you even consider using the Self-Zone?
Well, if you want to protect your network from any kind of attack you configure a firewall to prevent attacks from reaching your network, but if you leave your router without the Self-Zone anyone could get into the router and change the configuration, open backdoors, etc.
In order to avoid these vulnerabilities, using the Self-Zone is a MUST.
By default there are no policies for the Self-Zone, so traffic from and to the router is allowed.
You do not have to create the Self-Zone manually. It exists by default; you just need to reference it.
As soon as you configure one zone-pair that involves the Self-Zone, traffic from any zone to the Self-Zone or from the Self-Zone to any zone will be filtered.
Traffic from a host behind a router interface that does not belong to any ZBFW zone is allowed to reach the router's IP addresses (Self-Zone).
We cannot inspect a class-map that matches on a layer 7 protocol/application (we can only inspect class-maps with layer 4 matches).
Before version 15.1, OSPF and EIGRP neighbor relationships were allowed without the need for a policy when using the Self-Zone, but from 15.1 onward we must PASS these protocols (RIP and BGP, which depend on UDP and TCP respectively, always need a policy allowing the traffic when using the Self-Zone).
For IPsec VPN sessions we only need to PASS the control channel negotiation (ISAKMP), i.e. UDP 500, and UDP 4500 if NAT-T is required (as you can see, ESP/AH does not need to be configured in order to bring the tunnel up).
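The points above (inspect only on L4 matches, PASS for OSPF, PASS for ISAKMP/NAT-T, and filtering starting once a zone-pair with self exists) put together in one IOS ZBFW configuration. This is an added example, not configuration from the original post; the zone names, interfaces and the management subnet 10.10.10.0/24 are assumptions.

```text
! Added example, not from the original post. Assumed names: zones INSIDE
! (Gi0/0) and OUTSIDE (Gi0/1), management subnet 10.10.10.0/24 (constructed).
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
! Management plane: L4 match (TCP/22 from the mgmt subnet), so INSPECT works;
! an L7 "match protocol" class could only be PASSed or DROPped here.
ip access-list extended ACL-MGMT-SSH
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
class-map type inspect match-all CM-MGMT-SSH
 match access-group name ACL-MGMT-SSH
! Control plane: OSPF (IP proto 89) has no L4 state, so PASS it; PASS is
! stateless, so it is needed in both directions (15.1 and later).
ip access-list extended ACL-ROUTING
 permit ospf any any
class-map type inspect match-all CM-ROUTING
 match access-group name ACL-ROUTING
! IPsec control channel: ISAKMP UDP/500 and NAT-T UDP/4500 (no ESP/AH).
ip access-list extended ACL-VPN-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
class-map type inspect match-all CM-VPN-CONTROL
 match access-group name ACL-VPN-CONTROL
policy-map type inspect PM-INSIDE-TO-SELF
 class type inspect CM-MGMT-SSH
  inspect
 class type inspect CM-ROUTING
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-INSIDE
 class type inspect CM-ROUTING
  pass
 class class-default
  drop log
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-VPN-CONTROL
  pass
 class class-default
  drop log
! Binding to zone-pairs turns self-zone filtering on; interfaces in no zone
! still reach the self-zone unfiltered.
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-TO-SELF
zone-pair security SELF-TO-INSIDE source self destination INSIDE
 service-policy type inspect PM-SELF-TO-INSIDE
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Because PASS keeps no state, a SELF-TO-OUTSIDE zone-pair with the same CM-VPN-CONTROL pass class is needed for the router's own ISAKMP replies, and any router-originated traffic to INSIDE (NTP, syslog, DNS) needs its own class in PM-SELF-TO-INSIDE or it hits the class-default drop.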