networking-forum.com
Community BlogCommunity Wiki * Register  * Search  * Login
View unanswered postsView active topics

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]


Post new topic Reply to topic  Page 1 of 1
  [ 12 posts ] 
  Print view Previous topic | Next topic 
Author Message
Netrinc
PostPosted: Tue May 08, 2012 4:41 pm 
Offline
New Member
New Member

Joined: Wed Mar 23, 2011 1:00 pm
Posts: 8
Quick question here, I would like to implement a zone based firewall on my ASA5510. Is ZBF possible on ASA? or is it strictly for routers? I know we've implementd ZBF using Sonicwall firewalls before. A little confused here as to why my ASA doesnt have the right commands.

Maybe my version of ASA software is too old? It's 8.2 if i remember right.
Top
 Profile  
 
Vito_Corleone
PostPosted: Tue May 08, 2012 7:12 pm 
Offline
Moderator
Moderator
User avatar

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
ASAs run a sort of "zone-based firewall" by default. You configure interfaces (zones) and allow traffic into or out of them. It's not the same syntax, but it's a similar concept.

_________________
http://blog.alwaysthenetwork.com
Top
 Profile  
 
zerojunkie
PostPosted: Tue May 08, 2012 7:26 pm 
Offline
Senior Member
Senior Member

Joined: Mon Jan 26, 2009 5:59 pm
Posts: 331
Unfortunately, iirc, the security-level business goes out the window once you apply an ACL to the interface. That's not the case with most other ZBFs I've tried.
Top
 Profile  
 
Vito_Corleone
PostPosted: Tue May 08, 2012 7:39 pm 
Offline
Moderator
Moderator
User avatar

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
zerojunkie wrote:
Unfortunately, iirc, the security-level business goes out the window once you apply an ACL to the interface. That's not the case with most other ZBFs I've tried.


Explain. I haven't used ZBF much at all, but I don't see how you could add an access rule and still have trust levels matter. Would you want a permit (or deny) ip any to be overridden by a default lower to higher/higher to lower rule?

_________________
http://blog.alwaysthenetwork.com
Top
 Profile  
 
zerojunkie
PostPosted: Tue May 08, 2012 8:42 pm 
Offline
Senior Member
Senior Member

Joined: Mon Jan 26, 2009 5:59 pm
Posts: 331
Vito_Corleone wrote:
Explain. I haven't used ZBF much at all, but I don't see how you could add an access rule and still have trust levels matter. Would you want a permit (or deny) ip any to be overridden by a default lower to higher/higher to lower rule?


Best I can do is an example. If I have a guest, inside, and a DMZ network going through a firewall to the internet. On the ASA if I wanted to expose some DMZ hosts to the guest network my rule set for that interface would go allow/dmz, deny/inside then allow/any. I shouldn't have to put that deny/inside since those two interfaces have differing security-levels, but I do since that doesn't matter once an access-group gets applied. With a real ZBF, I should be able to specify access to the DMZ hosts and let the differing zones take care of disallowing traffic between the guest and inside interfaces.
Top
 Profile  
 
Vito_Corleone
PostPosted: Tue May 08, 2012 9:29 pm 
Offline
Moderator
Moderator
User avatar

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
I can see that if you're tying zone pairs together, which might be what you're trying to say - that the ASA lacks that ZNF functionality? But, with the architecture of ASA policy, I wouldn't really want it to work any other way.

_________________
http://blog.alwaysthenetwork.com
Top
 Profile  
 
zerojunkie
PostPosted: Wed May 09, 2012 10:17 am 
Offline
Senior Member
Senior Member

Joined: Mon Jan 26, 2009 5:59 pm
Posts: 331
Vito_Corleone wrote:
I can see that if you're tying zone pairs together, which might be what you're trying to say - that the ASA lacks that ZNF functionality? But, with the architecture of ASA policy, I wouldn't really want it to work any other way.


Kinda. I mean, you can put two interfaces in the same "zone" and allow traffic between them so long as you don't have an ACL applied. I'm just lamenting the fact that if you want more granular control in the form of ACLs AND you still want the zone-like behavior you can't have it in the ASA platform. I do agree that the way the policy is designed it'd require a pretty drastic departure to include that behavior. Just seems like IOS gets all the cool security features (ZBF, DMVPN, etc...)while ASA is stuck being a firewall with a feature-set from the early-to-mid 00's.
Top
 Profile  
 
ristau5741
PostPosted: Wed May 09, 2012 11:25 am 
Offline
Post Whore
Post Whore
User avatar

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
similar to ZBF where FA0/1 is security 50 and fa0/2 is secuirty 50
same-security-traffic permit intra-interface
would allow communication between the two interfaces
aka ZBF

no ?

Code:
same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}
Syntax Description

inter-interface - Permits communication between different interfaces that have the same security level.

intra-interface - Permits communication in and out of the same interface.

Defaults
This command is disabled by default.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw
Top
 Profile  
 
Vito_Corleone
PostPosted: Wed May 09, 2012 11:53 am 
Offline
Moderator
Moderator
User avatar

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
zerojunkie wrote:
Vito_Corleone wrote:
I can see that if you're tying zone pairs together, which might be what you're trying to say - that the ASA lacks that ZNF functionality? But, with the architecture of ASA policy, I wouldn't really want it to work any other way.


Kinda. I mean, you can put two interfaces in the same "zone" and allow traffic between them so long as you don't have an ACL applied. I'm just lamenting the fact that if you want more granular control in the form of ACLs AND you still want the zone-like behavior you can't have it in the ASA platform. I do agree that the way the policy is designed it'd require a pretty drastic departure to include that behavior. Just seems like IOS gets all the cool security features (ZBF, DMVPN, etc...)while ASA is stuck being a firewall with a feature-set from the early-to-mid 00's.


I don't care about ZBF or DMVPN (this one especially as it's primarily routing) on the ASA. I want the new stuff, like CX. I want a firewall that can get rid of Websense, Packet Shapers, and do a lot of solid reporting on box (sounds remarkably like Palo Alto...).

_________________
http://blog.alwaysthenetwork.com
Top
 Profile  
 
Netrinc
PostPosted: Wed May 09, 2012 1:07 pm 
Offline
New Member
New Member

Joined: Wed Mar 23, 2011 1:00 pm
Posts: 8
thanks guys

for this particular design it'd simplify my life and configuration to be able to lump many interfaces into only a couple zones and zone-pairs and not deal with so many ACLs.
Top
 Profile  
 
ristau5741
PostPosted: Wed May 09, 2012 2:49 pm 
Offline
Post Whore
Post Whore
User avatar

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
Netrinc wrote:
thanks guys

for this particular design it'd simplify my life and configuration to be able to lump many interfaces into only a couple zones and zone-pairs and not deal with so many ACLs.



use object groups ?

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw
Top
 Profile  
 
Axis
PostPosted: Thu May 10, 2012 10:47 am 
Offline
Ultimate Member
Ultimate Member
User avatar

Joined: Thu Nov 04, 2010 9:55 am
Posts: 932
Location: Austin, Tx
Certs: CCNA
Vito_Corleone wrote:
zerojunkie wrote:
Unfortunately, iirc, the security-level business goes out the window once you apply an ACL to the interface. That's not the case with most other ZBFs I've tried.


Explain. I haven't used ZBF much at all, but I don't see how you could add an access rule and still have trust levels matter. Would you want a permit (or deny) ip any to be overridden by a default lower to higher/higher to lower rule?



Funny enough I came across this type of discussion in the cisco forms the other day where some guy was saying the complete opposite...I was like wtf? :shock: Granted it was from '10 and had popped up in a search I was doing

Quote:
Re: ASA / Same-security interface filtering with ACLs
Hello,

The same security traffic will override any ACL that you have apply on the interfaces with the same security. If you take a look at the ASDM says "Permit traffic to flow between same security interfaces". No ACL can override this rule.

Hope it helps.

Mike


He then goes on to say

Quote:
Hello,

Also to back me up over here, you can find the information here

"You can allow traffic to flow freely between all same security interfaces without access lists"

http://www.cisco.com/en/US/docs/securit ... #wp1289167

Since the same security traffic is checked prior an ACL, if this command is present, all the traffic will be allowed. If you want to do filtering, I would suggest you to take out the command and put the ACL's in all of the interfaces.

Cheers

Mike

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 12 posts ] 

Board index » Cisco Networking » Cisco Security

All times are UTC - 6 hours [ DST ]

Who is online

Users browsing this forum: eddyready and 8 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group