topic Re: Confused about zones in General Topics

Confused about zones

campbech1 — Wed, 20 Jun 2018 15:32:24 GMT

I'm currently migrating from a pair of Cisco ASAs and the zones have me a little confused.

Right now I have interfaces on the ASAs of inside, wireless, outside, dmz-private-web, dmz-private-db, dmz-public-web, dmz-public-db, dmz-dev-web, dmz-dev-db.

My plan was to group the inside and wireless together as "trusted", outside as "outside, and then all of the DMZ zones as "DMZ".

When the interfaces are placed into a single zone like that, hopefully rules are still required between them?

Re: Confused about zones

BPry — Wed, 20 Jun 2018 17:14:19 GMT

@campbech1,

By default anything that you place in the same 'zone' is trusted and will be allowed. However this policy can be changed so that you deny intra-zone traffic by default and do exactly what you want here.

Re: Confused about zones

anuj_mor — Wed, 20 Jun 2018 19:35:08 GMT

If you are using built-in intra-zone rule, then traffic will be allowed by default. I have seen admins placing 'Deny All' rule above the built-in intra-zone rule which will block the traffic unless you have specific trust-trust, DMZ-DMZ intrazone rule on top.

Re: Confused about zones

RobinClayton — Fri, 29 Jun 2018 08:01:16 GMT

The firewall needs to be the DG for each of the subnets in the DMZ for intra-zone firewalling to work.

Rob

Re: Confused about zones

OtakarKlier — Fri, 29 Jun 2018 16:49:41 GMT

Hello,

This can also be acheived by using the address's and subnets. We took a DMZ and carved out int little /29's. We also have a DENY ALL rule above the built in intra-zone rule. We then control what can enter and/or leave the zone. Also the PAN was the DG of the subnet so all traffic had to flow through it so it could apply policices. However if you have say a virtual host with many VM's on it and they are in the same subnet and zone. They would still be able to talk to each other, hence why we carved out /29's.

Hope this makes sense.

Good luck!