IOS FW Zone Question

technoweener
Level 1

I understand that an interface assigned to a zone can only send traffic to other zones it is paired with. So, how does traffic get routed to the Internet for example, if my gateway is an ASA (which does not support zones)? 

Thanks in advance!


3 Replies

Collin Clark
VIP Alumni

The zones are just local to the router itself. Once it leaves a zone, it travels like normal traffic. So if you have an inside zone and an outside zone, you'll permit zone traffic from inside to outside. Then the traffic will hit the ASA like any other traffic.

HTH

To be sure I understand, traffic originating on Router 1, port fe0/0 (inside zone) and destined for the Internet will exit Router 1, port fe1/0 (outside zone), for example?

Doesn't outside zone need a zone pair interface to send to also?

Short answer...it depends.

I'm assuming your setup is Inside nets -> 0/0 Router 0/1 -> ASA -> Internet based on your description. If that's the case:

You can configure an in-to-out zone pair and your service policy to inspect and/or pass the traffic. Those two words are the key...inspect and pass. An inside host's traffic hits 0/0, and one of two things happens based on that policy.

-If the service policy says that traffic gets inspected, it gets passed on to 0/1 and on to the ASA and (if the ASA's rules allow) to its destination. The returning traffic comes back through the ASA, hits 0/1, gets inspected, and is passed to 0/0 and ultimately your host.

-If the traffic is passed (but not inspected) it gets passed on to 0/1 and out to the ASA and (again if it's allowed based on the ASA's rules) on to the destination. The returning traffic this time comes back through the ASA, hits 0/1, and is dropped. It wasn't inspected on its way out so there's no record of the source traffic, and since there's no out-to-in pair there's no policy to process it.

To get traffic that's inspected out and back, you need one zone pair and one policy. To get traffic that's simply passed out and back, you need two zone pairs and two policies.

Hope that makes sense. One of Cisco's explanations of it is here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html#GUID-16FD9685-CB43-45AF-9D24-F6E2E6467FF3
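The inspect-versus-pass distinction from the answer above, written out as an added IOS zone-based firewall configuration (an illustration, not config from the thread or from Cisco's document): interface names, zone names, class names and the choice of ESP as the non-inspectable protocol are all assumed for the example.

```cisco
! Two zones; the LAN interface and the link toward the ASA are assumed names
zone security INSIDE
zone security OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! Stateful class: sessions are recorded, so return packets are matched
! against the session table and need no OUTSIDE->INSIDE zone pair
class-map type inspect match-any CM-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateless class: ESP carries no session state the firewall can track,
! so it can only be passed, and nothing is recorded on the way out
ip access-list extended ACL-ESP
 permit esp any any
class-map type inspect match-all CM-PASS-ESP
 match access-group name ACL-ESP
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-INSPECT
  inspect
 class type inspect CM-PASS-ESP
  pass
 class class-default
  drop log
!
! One pair and one policy is enough for everything in CM-INSPECT
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Needed only for the passed class: its return packets arriving on 0/1
! have no session entry, so without this pair they are dropped. Keep the
! return policy as narrow as the outbound one so it does not open
! OUTSIDE->INSIDE any wider than the passed protocol
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-PASS-ESP
  pass
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
```

`show policy-map type inspect zone-pair IN-TO-OUT sessions` lists the inspected sessions and is the quickest way to confirm which class a given flow landed in; flows in the passed class never appear there, which is exactly why they need the second pair.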