What are ASA firewall security zones? How do you configure security zones?
By default, Cisco routers permit and forward every packet they receive as long as the destination matches a route in their routing table. If we want to restrict some of that traffic, we have to configure access lists, but with a large number of access-list rules this becomes a nightmare to configure on each interface.
In the diagram above, our router has two inbound access lists to deny some traffic from the hosts' LAN, and two more access lists to prevent some traffic from the internet (WAN) from entering our LAN. That means we have to apply an access list to four interfaces in order to protect our LAN network. There is a better solution: security zones on an ASA firewall.
Let's see an example of how a security zone works.
As you can see above, we have two security zones.
1. INSIDE: our LAN network.
2. OUTSIDE: our WAN network (the internet).
Each ASA interface is assigned to the correct security zone. Security zones have two simple rules:
Traffic coming from a higher security level to a lower security level is permitted by default.
Traffic coming from a lower security level to a higher security level is denied by default.
Security levels –
The ASA interface is in routed mode by default, operating at layer 3.
ASA firewall interfaces are assigned a security level, a number between 0 and 100. The higher the number, the more trusted the network connected to that interface is.
Earlier we saw names like INSIDE, OUTSIDE and DMZ.
We can assign names such as inside, outside or dmz to an ASA interface. As soon as we assign one of these names, the interface automatically assigns itself a security level. For example, if we assign the name inside to an interface, it assigns itself security level 100, i.e. the most trusted network. If we assign the name outside, dmz or any other name to an interface, it assigns itself security level 0 automatically. These are default values and can be changed.
It is good practice to give a security level of 100 (maximum) to inside (the most trusted network), 0 (minimum) to outside (the untrusted or public network), and 50 to the DMZ (the organization's publicly reachable servers).
Note –
It is not mandatory to assign a name (INSIDE, OUTSIDE or DMZ) to an ASA interface, but it is good practice to assign these names because they are simple and meaningful.
Our LAN is our trusted network, so it has a high security level. The WAN is untrusted, so it has a low security level. This means that traffic from our LAN to the WAN is permitted, and traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic for connections initiated from our LAN.
If you want to make an exception and permit traffic from the WAN to the LAN, this can be accomplished with an access list.
Most companies will have one or more servers that should be reachable from the Internet. Perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone).
The DMZ security level sits between INSIDE and OUTSIDE.
Traffic coming from INSIDE going to OUTSIDE is permitted.
Traffic coming from DMZ going to OUTSIDE is permitted.
Traffic coming from INSIDE going to DMZ is permitted.
Traffic coming from DMZ going to INSIDE is denied.
Traffic coming from OUTSIDE going to INSIDE is denied.
To provide connectivity from OUTSIDE to the DMZ we use an access list that permits traffic only to specific IP addresses and port numbers. If something happens to one of our DMZ servers (it gets hacked), our inside network is still secure, because traffic from the DMZ to INSIDE remains denied.
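The following is an added example, not part of the original article and not Cisco code: a small Python model of the default security-level policy described above, together with the stateful return-traffic behaviour and an access-list exception for the DMZ. The zone names and levels (inside 100, dmz 50, outside 0) and the host addresses (192.168.10.3, 192.168.20.2, 192.168.30.2) are taken from the article; the ports, the access-list entries and the ZoneFirewall/Flow classes are constructed for the example. One detail of real ASA behaviour is modelled deliberately: once an inbound access list is applied to an interface, that interface's security-level default no longer applies and anything the list does not permit falls to the implicit deny.

```python
from dataclasses import dataclass, field

# Security levels from the article: inside most trusted, outside least, dmz between.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen by the firewall."""
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The reply direction of this flow (used for the stateful lookup)."""
        return Flow(self.dst_zone, self.src_zone,
                    self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class ZoneFirewall:
    """Toy model (constructed for this example) of ASA zone policy."""
    levels: dict
    # Inbound access list per ingress zone: set of (dst_ip, dst_port) permitted.
    # An interface that has an access list no longer uses the security-level
    # default; whatever the list does not permit is implicitly denied.
    acls: dict = field(default_factory=dict)
    # Stateful connection table: flows already permitted in the forward direction.
    sessions: set = field(default_factory=set)

    def default_policy(self, src_zone, dst_zone):
        """Default rule: higher security level to lower is permitted."""
        return self.levels[src_zone] > self.levels[dst_zone]

    def check(self, flow):
        """Return (verdict, reason) for a packet arriving on flow.src_zone."""
        # 1. Stateful inspection: replies to an established session are permitted.
        if flow.reverse() in self.sessions:
            return "permit", "return traffic of an established session"
        # 2. Inbound access list on the ingress interface, if one is applied.
        if flow.src_zone in self.acls:
            if (flow.dst_ip, flow.dst_port) in self.acls[flow.src_zone]:
                self.sessions.add(flow)
                return "permit", "matched inbound access-list"
            return "deny", "implicit deny at end of access-list"
        # 3. No access list: fall back to the security-level rule.
        if self.default_policy(flow.src_zone, flow.dst_zone):
            self.sessions.add(flow)
            return "permit", "higher security level to lower"
        return "deny", "lower security level to higher"


def demo():
    """Walk through the zone rules listed in the article; returns verdicts by case."""
    fw = ZoneFirewall(levels=SECURITY_LEVEL)
    # Constructed hosts: PC on inside, web server on dmz, router on outside.
    pc_to_web = Flow("inside", "dmz", "192.168.10.3", 40000, "192.168.20.2", 80)
    results = {}
    results["inside->dmz"] = fw.check(pc_to_web)[0]
    results["dmz reply to inside"] = fw.check(pc_to_web.reverse())[0]
    results["outside->inside"] = fw.check(
        Flow("outside", "inside", "192.168.30.2", 5555, "192.168.10.3", 22))[0]
    results["dmz->inside"] = fw.check(
        Flow("dmz", "inside", "192.168.20.2", 5555, "192.168.10.3", 445))[0]
    results["outside->dmz, no acl"] = fw.check(
        Flow("outside", "dmz", "192.168.30.2", 5555, "192.168.20.2", 80))[0]
    # The exception from the article: permit only the web server's port 80 from outside.
    fw.acls["outside"] = {("192.168.20.2", 80)}
    results["outside->dmz:80, acl"] = fw.check(
        Flow("outside", "dmz", "192.168.30.2", 5556, "192.168.20.2", 80))[0]
    results["outside->dmz:22, acl"] = fw.check(
        Flow("outside", "dmz", "192.168.30.2", 5557, "192.168.20.2", 22))[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

Running `demo()` shows the two rules from the article in action: inside to dmz and the reply are permitted, dmz or outside to inside are denied, and outside to dmz is denied until an access list opens exactly the web server's port, after which port 22 on the same server is still dropped by the implicit deny.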
Let's see the configuration:
Configure the topology as per the diagram.
Configure the IP addresses on the interfaces.
Configure gig1/1 in the outside zone.
Configure gig1/3 in the inside zone.
Configure gig1/2 in the DMZ (security level 50).
ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface gigabitEthernet 1/3
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface gigabitEthernet 1/2
ciscoasa(config-if)#nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#exit
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.30.2 255.255.255.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
From the PC:
C:\>IPCONFIG
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09
IP Address......................: 192.168.10.3
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1
Bluetooth Connection:
Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0
ciscoasa#show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.30.1 255.255.255.0 CONFIG
GigabitEthernet1/2 dmz 192.168.20.1 255.255.255.0 DHCP
GigabitEthernet1/3 inside 192.168.10.1 255.255.255.0 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 192.168.30.1 255.255.255.0 CONFIG
GigabitEthernet1/2 dmz 192.168.20.1 255.255.255.0 DHCP
GigabitEthernet1/3 inside 192.168.10.1 255.255.255.0 unset
ciscoasa#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms
ciscoasa#ping 192.168.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms
ciscoasa#ping 192.168.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms