I'm currently migrating from a pair of Cisco ASAs and the zones have me a little confused.
Right now I have interfaces on the ASAs of inside, wireless, outside, dmz-private-web, dmz-private-db, dmz-public-web, dmz-public-db, dmz-dev-web, dmz-dev-db.
My plan was to group the inside and wireless together as "trusted", outside as "outside", and then all of the DMZ zones as "DMZ".
When the interfaces are placed into a single zone like that, hopefully rules are still required between them?
This can also be achieved by using the addresses and subnets. We took a DMZ and carved it out into little /29s. We also have a DENY ALL rule above the built-in intra-zone rule. We then control what can enter and/or leave the zone. Also, the PAN was the DG of the subnet, so all traffic had to flow through it so it could apply policies. However, if you have, say, a virtual host with many VMs on it and they are in the same subnet and zone, they would still be able to talk to each other, hence why we carved out /29s.
Hope this makes sense.
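The answer's key point is that zone policy only applies to traffic that actually reaches the firewall: two hosts on the same subnet are switched locally and never hit the default gateway, so splitting a DMZ into /29s is what forces their traffic through policy. The script below is an added example (not from the thread or from Palo Alto Networks) that checks a host inventory for pairs the firewall cannot police. The subnets, host names and addresses are constructed for illustration; `DMZ_SUBNETS`, `HOSTS`, `firewall_sees` and `unpoliced_pairs` are assumed names.

```python
import ipaddress
from itertools import combinations

# Constructed example: a DMZ /24 carved into /29s as the answer describes.
# Subnet-to-zone mapping and host addresses are assumptions, not from the thread.
DMZ_SUBNETS = [ipaddress.ip_network(s) for s in (
    "10.10.0.0/29",   # dmz-public-web
    "10.10.0.8/29",   # dmz-public-db
    "10.10.0.16/29",  # dmz-private-web
)]

# The same DMZ left as one flat subnet, for comparison.
FLAT_DMZ = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed host inventory.
HOSTS = {
    "web1": "10.10.0.2",
    "web2": "10.10.0.3",
    "db1":  "10.10.0.10",
    "app1": "10.10.0.18",
}


def subnet_of(ip, subnets):
    """Return the configured subnet that contains ip, or raise if none does."""
    addr = ipaddress.ip_address(ip)
    for net in subnets:
        if addr in net:
            return net
    raise ValueError(f"{ip} is not inside any configured subnet")


def firewall_sees(src, dst, subnets):
    """True when src and dst sit in different subnets, so the packet must go
    to the default gateway (the firewall) and is subject to security policy."""
    return subnet_of(src, subnets) != subnet_of(dst, subnets)


def unpoliced_pairs(hosts, subnets):
    """Host pairs that share a subnet: their traffic is switched locally and
    never reaches the firewall, whatever the zone rules say."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(hosts), 2)
        if not firewall_sees(hosts[a], hosts[b], subnets)
    )


if __name__ == "__main__":
    print("flat /24 - pairs the firewall never sees:",
          unpoliced_pairs(HOSTS, FLAT_DMZ))
    print("carved /29s - pairs the firewall never sees:",
          unpoliced_pairs(HOSTS, DMZ_SUBNETS))
```

With the flat /24 every host pair bypasses the firewall; with the /29 carve-out only web1 and web2 (same /29) still talk directly, which matches the answer's reasoning that same-subnet, same-zone VMs need their own small subnet if their traffic is to be policed at all. The check says nothing about the deny-all rule itself; it only identifies the traffic that rule can never see.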