ASA Traffic Zones

The Cisco ASA supports Equal-Cost Multi-Path (ECMP) routing across interfaces through the Traffic Zones feature. Multiple interfaces (up to 8) are assigned to a traffic zone, which allows traffic belonging to an existing flow to enter or exit the ASA on any interface within that zone.

Traffic Zones are useful for the following scenarios:

Asymmetric routing – a connection is established from an inside host out through the ISP1 interface, but because of asymmetric routing the return traffic arrives on the ISP2 interface.

  • Without Traffic Zones, the ASA maintains a per-interface connection table. Return traffic arriving on the ISP2 interface does not match the connection built on ISP1 and is dropped.
  • With Traffic Zones, the ASA maintains the connection table per zone. If the ISP1 and ISP2 interfaces are members of the same zone, the return traffic matches the existing connection and is allowed.

Lost Route – a connection from an inside host goes out through the ISP1 interface. After an ISP failure or a lost route, the traffic is re-routed to the ISP2 interface.

  • Without Traffic Zones, the existing connection between the inside and outside host is deleted and a new connection must be established through the ISP2 interface.
  • With Traffic Zones, the ASA detects the lost route and moves the flow to the new path through the ISP2 interface without tearing down the connection.

Load Balancing – one connection from an inside host to an outside host goes through the ISP1 interface and another through the ISP2 interface, because the routes have equal cost.

  • Without Traffic Zones, load balancing across interfaces is not possible; equal-cost routes can only be load-balanced on a single interface.
  • With Traffic Zones, the ASA load-balances connections across up to 8 equal-cost routes spread over the interfaces in the zone.
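
The three cases above come down to one thing: what a connection is keyed to. The Python model below is an added illustration written for this page, not ASA code. It keys connections either per interface or per zone, picks an egress interface by hashing the flow over the interfaces that hold an equal-cost route, and replays the asymmetric-routing, lost-route and load-balancing scenarios. The interface and zone names, the hash function and the flow addresses are all assumptions made for the example.

```python
"""Toy model of ASA connection matching with and without traffic zones.
Added illustration, not Cisco code: only the keying idea from the text
(per-interface versus per-zone) and a hash-based ECMP choice are modelled."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Flow:
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

    def canonical(self) -> tuple:
        """Same key for both directions of a connection."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


class Firewall:
    def __init__(self, zones: dict[str, list[str]] | None = None) -> None:
        # interface -> zone; an interface in no zone is its own scope
        self.zone_of = {i: z for z, members in (zones or {}).items() for i in members}
        self.routes: dict[str, str] = {}  # egress interface -> next hop (equal cost)
        self.conns: dict[tuple, str] = {}  # (ingress scope, egress scope, 5-tuple) -> egress

    def scope(self, iface: str) -> str:
        return self.zone_of.get(iface, iface)

    def select_egress(self, flow: Flow) -> str:
        """ECMP: hash the flow over every interface holding an equal-cost route."""
        candidates = sorted(self.routes)
        if not candidates:
            raise LookupError("no route")
        digest = hashlib.sha256(repr(flow.canonical()).encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def open_conn(self, ingress: str, flow: Flow) -> str:
        egress = self.select_egress(flow)
        self.conns[(self.scope(ingress), self.scope(egress), flow.canonical())] = egress
        return egress

    def match(self, iface: str, flow: Flow) -> bool:
        """A packet on iface matches only a connection keyed to iface's scope."""
        s = self.scope(iface)
        return any(k[2] == flow.canonical() and s in k[:2] for k in self.conns)

    def reroute(self, flow: Flow) -> str | None:
        """Route change: the connection survives only if the new egress is in the old scope."""
        for key in list(self.conns):
            if key[2] != flow.canonical():
                continue
            try:
                new_egress = self.select_egress(flow)
            except LookupError:
                new_egress = None
            if new_egress is None or self.scope(new_egress) != key[1]:
                del self.conns[key]
                return None
            self.conns[key] = new_egress
            return new_egress


def run_scenarios() -> dict:
    """Replay the three scenarios from the text; all addresses are constructed."""
    flow = Flow("tcp", "10.10.1.10", 13850, "8.8.8.8", 80)
    members = ["OUTSIDE-1", "OUTSIDE-2", "OUTSIDE-3"]
    plain = Firewall()                      # no zones: a single default route
    plain.routes["OUTSIDE-1"] = "1.1.1.254"
    plain.open_conn("INSIDE", flow)
    zoned = Firewall({"OUTSIDE": members})  # zone: three equal-cost defaults
    zoned.routes.update(zip(members, ["1.1.1.254", "2.2.2.254", "3.3.3.254"]))
    first_egress = zoned.open_conn("INSIDE", flow)

    # Asymmetric routing: the reply arrives on an interface other than the egress.
    result = {
        "first_egress": first_egress,
        "plain_reply_on_other_iface": plain.match("OUTSIDE-2", flow.reverse()),
        "zoned_reply_on_any_member": all(zoned.match(i, flow.reverse()) for i in members),
        "zoned_reply_on_non_member": zoned.match("DMZ", flow.reverse()),
    }
    # Load balancing: many flows hash across all three members.
    flows = [Flow("tcp", "10.10.1.10", 20000 + n, "8.8.8.8", 80) for n in range(60)]
    result["egress_used"] = {zoned.open_conn("INSIDE", f) for f in flows}
    # Lost route: withdraw the route the first flow used and re-route it.
    zoned.routes.pop(first_egress)
    result["zoned_moved_to"] = zoned.reroute(flow)
    plain.routes.pop("OUTSIDE-1")
    result["plain_survives"] = plain.reroute(flow) is not None
    result["zoned_conns"] = len(zoned.conns)
    return result
```

Note that under per-zone keying the reply matches on any member of OUTSIDE but still not on an interface outside the zone (the DMZ check), so the zone, not the whole firewall, is the boundary within which asymmetric traffic is accepted.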

Supported Features

The following features are supported with Traffic Zones

  • Access Control Rules
  • Network Address Translation (NAT)
  • Service rules, except Quality of Service (QoS)
  • Routing

Prerequisites

The following are prerequisites for using Traffic Zones:

  • All interfaces in a zone must have the same security-level.
  • Apply the same access list to every interface in the zone, or use a global access list, so that the same rules apply to all members of the zone.
  • Use the "any" keyword to represent the zone interface in a NAT rule.

Refer to the Cisco configuration guide for the full list of prerequisites and unsupported features: https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/interface-zones.html
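
A mis-set prerequisite tends to surface late, as dropped or inconsistently filtered zone traffic, so it is worth linting the running-config before committing the zone. The script below is an added example written for this page, not Cisco tooling. It parses the interface, access-group and nat lines of a config excerpt and reports mixed security levels, members with different interface ACLs when no global ACL is applied, and NAT rules that name a zone member instead of "any". The sample config is constructed from the configuration used later on this page; the ACL names (OUTSIDE-IN, OTHER-IN, GLOBAL-IN) are assumptions.

```python
"""Lint an ASA config excerpt against the traffic-zone prerequisites.
Added example, not Cisco tooling: it only parses text, so paste in the
relevant parts of 'show running-config'."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: the page's three-member OUTSIDE zone plus the
# access-group and NAT lines the checks inspect (ACL names are assumed).
GOOD_CONFIG = """\
zone OUTSIDE
interface GigabitEthernet0/1
 nameif OUTSIDE-1
 security-level 0
 zone-member OUTSIDE
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif OUTSIDE-2
 security-level 0
 zone-member OUTSIDE
 ip address 2.2.2.1 255.255.255.0
interface GigabitEthernet0/3
 nameif OUTSIDE-3
 security-level 0
 zone-member OUTSIDE
 ip address 3.3.3.1 255.255.255.0
access-group OUTSIDE-IN in interface OUTSIDE-1
access-group OUTSIDE-IN in interface OUTSIDE-2
access-group OUTSIDE-IN in interface OUTSIDE-3
object network LAN
 subnet 10.10.0.0 255.255.252.0
 nat (INSIDE,any) dynamic 44.44.44.44
"""
# The same config with three prerequisite violations introduced on purpose.
BAD_CONFIG = (
    GOOD_CONFIG.replace("OUTSIDE-3\n security-level 0", "OUTSIDE-3\n security-level 50")
    .replace("OUTSIDE-IN in interface OUTSIDE-3", "OTHER-IN in interface OUTSIDE-3")
    .replace("nat (INSIDE,any)", "nat (INSIDE,OUTSIDE-1)")
)


def parse_asa(config: str) -> dict:
    """Collect interface blocks, access-groups and NAT rules from config text."""
    blocks: list[dict] = []
    current: dict | None = None
    iface_acl: dict[str, str] = {}
    global_acl: set[str] = set()
    nat_rules: list[tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if m := re.search(r"nat \(([^,]+),([^)]+)\)", line):
            nat_rules.append((m.group(1), m.group(2)))   # object NAT or twice NAT
        if line.startswith(" "):                          # sub-command of current block
            words = line.split()
            if current is not None and words[0] in ("nameif", "security-level", "zone-member"):
                current[words[0]] = words[1]
            continue
        current = None                                    # new top-level command
        if m := re.match(r"interface (\S+)", line):
            current = {"interface": m.group(1), "nameif": None,
                       "security-level": None, "zone-member": None}
            blocks.append(current)
        elif m := re.match(r"access-group (\S+) (?:in|out) interface (\S+)", line):
            iface_acl[m.group(2)] = m.group(1)
        elif m := re.match(r"access-group (\S+) global", line):
            global_acl.add(m.group(1))
    return {"interfaces": blocks, "iface_acl": iface_acl,
            "global_acl": global_acl, "nat": nat_rules}


def check_zone_prereqs(config: str) -> list[str]:
    """One line per violated prerequisite; an empty list means clean."""
    cfg = parse_asa(config)
    problems: list[str] = []
    members: dict[str, list[dict]] = defaultdict(list)
    for b in cfg["interfaces"]:
        if b["zone-member"]:
            members[b["zone-member"]].append(b)
    for zone, ifaces in members.items():
        levels = sorted({b["security-level"] for b in ifaces}, key=str)
        if len(levels) > 1:
            problems.append(f"zone {zone}: mixed security-levels {levels}; all members must match")
        acls = sorted({cfg["iface_acl"].get(b["nameif"]) for b in ifaces}, key=str)
        if len(acls) > 1 and not cfg["global_acl"]:
            problems.append(f"zone {zone}: different interface ACLs {acls} and no global access-group")
        names = {b["nameif"] for b in ifaces}
        for src, dst in cfg["nat"]:
            if dst in names:
                problems.append(f"nat ({src},{dst}): use 'any' for the zone side, not member {dst}")
    return problems
```

Running check_zone_prereqs on GOOD_CONFIG returns an empty list; on BAD_CONFIG it returns three findings, and adding an "access-group ... global" line to BAD_CONFIG clears the ACL finding, since a global ACL satisfies the second prerequisite on its own.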

Topology

The topology diagram below shows the ASA configured with three interfaces in a single traffic zone. An ISP-independent public IP address range is used for NAT instead of translating behind the IP address of each physical outside interface.

Configuration

This section lists the commands used to configure Traffic Zones on the ASA; it is assumed the ASA already has its basic configuration in place.

Define a Traffic Zone

zone OUTSIDE

Configure each physical OUTSIDE interface with an IP address, a security level (which must be the same on every zone member), a unique nameif, and membership of the zone.

interface GigabitEthernet0/1
 nameif OUTSIDE-1
 security-level 0
 zone-member OUTSIDE
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif OUTSIDE-2
 security-level 0
 zone-member OUTSIDE
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif OUTSIDE-3
 security-level 0
 zone-member OUTSIDE
 ip address 3.3.3.1 255.255.255.0

The ECMP routes can be static or dynamic equal-cost routes. In this scenario, static default routes are configured on the ASA, one per outside interface.

route OUTSIDE-1 0.0.0.0 0.0.0.0 1.1.1.254
route OUTSIDE-2 0.0.0.0 0.0.0.0 2.2.2.254
route OUTSIDE-3 0.0.0.0 0.0.0.0 3.3.3.254

The NAT rule uses an ISP-independent public IP address instead of translating behind each outside interface; the "any" keyword stands in for the zone interfaces, as required by the prerequisites.

object network LAN
 subnet 10.10.0.0 255.255.252.0
 nat (INSIDE,any) dynamic 44.44.44.44

A static route for the NAT address range is defined so that it can be redistributed into BGP and learned by each ISP.

route INSIDE 44.44.44.0 255.255.255.0 192.168.250.2 1

BGP is used to redistribute that static route, so each ISP learns the public address space used for the NAT translations. The BGP neighbours are the ISP next hops on each outside interface.

prefix-list NAT-STATICS seq 5 permit 44.44.44.0/24
!
route-map REDISTRIBUTE-NAT-STATICS permit 10
 match ip address prefix-list NAT-STATICS
!
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 1.1.1.254 remote-as 65001
  neighbor 1.1.1.254 activate
  neighbor 2.2.2.254 remote-as 65002
  neighbor 2.2.2.254 activate
  neighbor 3.3.3.254 remote-as 65003
  neighbor 3.3.3.254 activate
  redistribute static route-map REDISTRIBUTE-NAT-STATICS
  no auto-summary
  no synchronization
 exit-address-family

Verification/Testing

For testing, a device on the inside of the ASA connects with telnet to a device on the outside of the ASA.

On the ASA, configure three packet captures, one per outside interface, matching the test traffic.

capture CAP1 interface OUTSIDE-1 match tcp any host 8.8.8.8
capture CAP2 interface OUTSIDE-2 match tcp any host 8.8.8.8
capture CAP3 interface OUTSIDE-3 match tcp any host 8.8.8.8

From a test device on the inside of the ASA, telnet to 8.8.8.8 on port 80.

On the ASA CLI, run show conn long zone OUTSIDE. The output below confirms the connection was built through the OUTSIDE-3 interface, translated to 44.44.44.44, with source port 13850 identifying the connection.

Check the capture on OUTSIDE-3 with show capture CAP3. The output below shows only the inside-to-outside direction of the connection, leaving via OUTSIDE-3.

Check the captures on the other interfaces with show capture CAP1. The output below shows the return traffic for the same connection arriving on the OUTSIDE-1 interface.

Summary

The test confirms asymmetric routing: the outbound traffic left via one outside interface and the return traffic arrived on another. With the outside interfaces configured in a traffic zone, the connection is allowed; without the zone, the return traffic would not match the connection and would be dropped.