Sunday, 17 July 2022

What is ASA firewall security zones? How to configure security zones?

 By default, Cisco routers permit and forward all the packets they receive if the route is matched in their routing table. In case we want to restrict some routes.



 We have to configure some access lists but if we have a lot of access-list rules this becomes a nightmare to configure on each interface. 




.

From the above diagram, our router has two incoming access-list to deny some routes from the host's LAN. And also, our router has two access-list to prevent some routes from the internet WAN from entering our LAN network. its means we have to apply an access list to four interfaces in order to protect our LAN network. there is another solution that is better is called a security zone with an ASA firewall. 

let's see the example of how a security zone works. 





 


As you can see above, we have two security zones.

 

1.      INSIDE: which is our LAN network.

2.      OUTSIDE: Which is our WAN network (internet)

 These security zones have two simple rules. 

 

The ASA interface has been assigned to the correct security zone. Security zones have two simple rules:

Traffic coming from a high-security level to a lower security level should be permitted.

The traffic coming from a lower security level to a high-security level is should be denied.

 

Security levels – 

The ASA interface is by default in routed mode, operating at layer 3.

ASA firewall interfaces are assigned security level which is numbers between 0 to 100. The higher number, the more trust in the network connected to the ASA firewall.

 

Earlier we have seen some names like INSIDE, OUTSIDE, or DMZ

Also, note that we can assign names to the ASA interface like inside, outside, or DMZ. As soon as we assign these names to an interface, it automatically assigns a security level to itself. For example, if we have assigned a name inside an interface, it will assign 100 (Security level) to itself i.e most trusted network. If we assign the name Outside or DMZ or any other name to an interface, it will assign security level 0 automatically. These are default values and can be changed. 

It is a good practice to give a security level of 100 (maximum) to inside (most trusted network), 0(least) to outside (untrusted or public network), and 50 to DMZ (organization public device network). 

Note –  
It is not mandatory to assign a name (INSIDE, OUTSIDE, or DMZ) to the ASA interface but it is good practice to assign these names as they are simple and meaningful. 

 

 



 

 

Our LAN is our trusted network, which would have a high-security level. The WAN is untrusted so it will have a low-security level. This means that traffic from our LAN > WAN will be permitted. Traffic from the WAN to our LAN will be denied. Since the firewall is stateful, it keeps track of outgoing connections and will permit the return traffic from our LAN.

If you want to make an exception and permit traffic from the WAN to the LAN then this can be accomplished with an access list.

Most companies will have one or more servers that should be reachable from the Internet. Perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone).

 

DMZ security level is between INSIDE and OUTSIDE.

Traffic coming from INSIDE going to OUTSIDE is permitted.

Traffic coming from DMZ going to OUTSIDE is permitted.

Traffic coming from INSIDE going to DMZ is permitted.

Traffic coming from DMZ to going to INSIDE is denied.

Traffic is coming from OUTSIDE going to INSIDE is denied.

In order to provide full connectivity between DMZ and OUTSIDE we will use access list which only permits traffic to the IP or port numbers. If something happened to one of our servers (hacked), our inside network will still secure.

Let’s see the configurations: -

 Topology:-




Goal:

configure the topology as per the diagram 

configure IP address to their ports 

configure gig1/1 to outside zone

configure gig1/3 to the inside zone

configure gig 1/2 to DMZ


ciscoasa(config)#interface gigabitEthernet 1/1

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.30.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/3

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)#ip address 192.168.10.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit


ciscoasa(config)#interface gigabitEthernet 1/2

ciscoasa(config-if)#nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)#ip address 192.168.20.1 255.255.255.0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#security-level 50

ciscoasa(config-if)#exit


FROM SERVER



Router(config)#interface fastEthernet 0/0

Router(config-if)#ip address 192.168.30.2 255.255.255.0

Router(config-if)#no shutdown


%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up


Router(config-if)#exit




FROM PC

C:\>IPCONFIG


FastEthernet0 Connection:(default port)


Link-local IPv6 Address.........: FE80::2E0:B0FF:FECD:EE09

IP Address......................: 192.168.10.3

Subnet Mask.....................: 255.255.255.0

Default Gateway.................: 192.168.10.1


Bluetooth Connection:


Link-local IPv6 Address.........: ::

IP Address......................: 0.0.0.0

Subnet Mask.....................: 0.0.0.0

Default Gateway.................: 0.0.0.0


ciscoasa#show ip address

System IP Addresses:

Interface Name IP address Subnet mask Method

GigabitEthernet1/1                outside 192.168.30.1 255.255.255.0 CONFIG

GigabitEthernet1/2                 dmz 192.168.20.1 255.255.255.0 DHCP

GigabitEthernet1/3                  inside 192.168.10.1 255.255.255.0 unset



Current IP Addresses:

Interface                        Name IP address Subnet mask Method

GigabitEthernet1/1        outside     192.168.30.1 255.255.255.0 CONFIG

GigabitEthernet1/2             dmz     192.168.20.1 255.255.255.0 DHCP

GigabitEthernet1/3         inside     192.168.10.1 255.255.255.0 unset



ciscoasa#ping 192.168.10.3


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/11/25 ms



ciscoasa#ping 192.168.20.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/16 ms



ciscoasa#ping 192.168.30.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.30.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/10/20 ms














No comments:

What is ASA firewall security zones? How to configure security zones?

  By default, Cisco routers permit and forward all the packets they receive if the route is matched in their routing table. In case we want ...