I'm currently migrating from a pair of Cisco ASAs and the zones have me a little confused.
Right now I have interfaces on the ASAs of inside, wireless, outside, dmz-private-web, dmz-private-db, dmz-public-web, dmz-public-db, dmz-dev-web, dmz-dev-db.
My plan was to group the inside and wireless together as "trusted", outside as "outside, and then all of the DMZ zones as "DMZ".
When the interfaces are placed into a single zone like that, hopefully rules are still required between them?
By default anything that you place in the same 'zone' is trusted and will be allowed. However this policy can be changed so that you deny intra-zone traffic by default and do exactly what you want here.
If you are using built-in intra-zone rule, then traffic will be allowed by default. I have seen admins placing 'Deny All' rule above the built-in intra-zone rule which will block the traffic unless you have specific trust-trust, DMZ-DMZ intrazone rule on top.
This can also be acheived by using the address's and subnets. We took a DMZ and carved out int little /29's. We also have a DENY ALL rule above the built in intra-zone rule. We then control what can enter and/or leave the zone. Also the PAN was the DG of the subnet so all traffic had to flow through it so it could apply policices. However if you have say a virtual host with many VM's on it and they are in the same subnet and zone. They would still be able to talk to each other, hence why we carved out /29's.
Hope this makes sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!