Confused about zones

cancel
Showing results for 
Search instead for 
Did you mean: 

Confused about zones

L1 Bithead

I'm currently migrating from a pair of Cisco ASAs and the zones have me a little confused.

 

Right now I have interfaces on the ASAs of inside, wireless, outside, dmz-private-web, dmz-private-db, dmz-public-web, dmz-public-db, dmz-dev-web, dmz-dev-db.

 

My plan was to group the inside and wireless together as "trusted", outside as "outside, and then all of the DMZ zones as "DMZ".

 

When the interfaces are placed into a single zone like that, hopefully rules are still required between them?

4 REPLIES 4

Cyber Elite
Cyber Elite

@campbech1,

By default anything that you place in the same 'zone' is trusted and will be allowed. However this policy can be changed so that you deny intra-zone traffic by default and do exactly what you want here. 

L2 Linker

If you are using built-in intra-zone rule, then traffic will be allowed by default. I have seen admins placing 'Deny All' rule above the built-in intra-zone rule which will block the traffic unless you have specific trust-trust, DMZ-DMZ intrazone rule on top.

The firewall needs to be the DG for each of the subnets in the DMZ for intra-zone firewalling to work.

 

Rob

 

 

Cyber Elite
Cyber Elite

Hello,

This can also be acheived by using the address's and subnets. We took a DMZ and carved out int little /29's. We also have a DENY ALL rule above the built in intra-zone rule. We then control what can enter and/or leave the zone. Also the PAN was the DG of the subnet so all traffic had to flow through it so it could apply policices. However if you have say a virtual host with many VM's on it and they are in the same subnet and zone. They would still be able to talk to each other, hence why we carved out /29's.

 

Hope this makes sense.

 

Good luck!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!