topic Re: ZBFW not blocking traffic from DMZ in Network Security

ZBFW not blocking traffic from DMZ

Keith McElroy — Tue, 12 Mar 2019 01:33:31 GMT

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface

I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if anyone knows of any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

I attached my running config, sensitive information was removed or changed.

ZBFW not blocking traffic from DMZ

Henrik Grankvist — Wed, 24 Apr 2013 19:32:17 GMT

Could you attach the config when you have the problems you are describring.

ZBFW not blocking traffic from DMZ

Keith McElroy — Wed, 24 Apr 2013 19:34:24 GMT

I already have, it is in the initial posting.

Re: ZBFW not blocking traffic from DMZ

Henrik Grankvist — Thu, 25 Apr 2013 08:41:03 GMT

OK, I thought that the config when you have set an ACL on the interface to fix the problem because ZBF isn't working as expected?

It sounds really weird the problem you are experiencing, never encountered it.

Just to be sure, do this:

no zone-pair security InDMZ source DMZ destination Inside

interface GigabitEthernet0/1.197

no ip access-group DMZ in

Can the DMZ still communicate with the inside after this?

ZBFW not blocking traffic from DMZ

Keith McElroy — Fri, 26 Apr 2013 19:26:58 GMT

I have already done that as explained in the initial posting. The config you reference was explained as part of my attempts to block the traffic, which ended with me just using an ACL cause the other methods failed.

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Fri, 26 Apr 2013 21:44:22 GMT

Cool post,

Hmm, I think I have not played with Zone-based and Sub-interfaces before ( although I have worked on a huge amount of cases with ZBFW) but logically speaking is the same thing

So here is what I want you to do ,

First of all remove the zone-pair from dmz to inside before taking the outputs I am going to provide you ( I KNOW you already post that you are testing new things, that is why you add that )

1) Create an ACL to match traffic that is being allowed right now from DMZ to Inside, this just to test purposes

2) debug policy-firewall list ACL_CREATED_TO_MATCH_TRAFFIC

3) debug cce dp feature inspect detail

Be careful with the debugs

May I know the traffic flow that is being allowed right now?? Source IP destination IP

Julio

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Mon, 08 Jul 2013 19:30:48 GMT

Hello,

I have exactly the same issue. Was this solved in a meanwhile ?

thx Karien

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Mon, 08 Jul 2013 20:35:31 GMT

Hello Karien,

We did not receive any information,

What's your scenario/issue?

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Mon, 08 Jul 2013 20:55:41 GMT

Hello,

Thansk for the quick respone.

I have configured zbfw between 2 subinterfaces on a lan,

1 interface in zone production

1 subinterface in zone tda,

inspecting tcp, udp and icmp, only in 1 direction :production to tda

However, icmp from test to production is possible.

ISR 2900, 15.2 software

(I do not have the configs right now (I am working GMT times, so currently @ home)

Any idea?

2 other questions, as you seem a big fan of ZBFW 🙂

- I am working on a Proof of concept with CSM4.4SP1 and ZBFW (1000+ routers). Is this recommended ? I read a post where they don't recommend it (https://supportforums.cisco.com/message/3944461#3944461)

- I have a flex vpn setup: do i have to put the tunnel source addresses into a vpn zone ?

Many thanks Karien

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Mon, 08 Jul 2013 21:27:28 GMT

Hello Karien,

(I do not have the configs right now (I am working GMT times, so currently @ home)

Any idea?

Does not make any sense, should not be possible,

I want to doble-check that , can you share the config, maybe the results of the PING as well.

2-CSM Questions,

I consider myself not the right person to talk about CSM as I have not played with that a lot, so I cannot say Yes go for it or No, don't do it,

All I can say is I have heard that for security configuration/ managment purposes is not a good option

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Mon, 08 Jul 2013 21:38:01 GMT

Hello again,

- I have access the configs again in about 9 hours, then I can share them with you. (what time zone are you in ?). I am planning to use a class-map with match access-group instead of mach protocol icmp as a first thing ..

- OK, I will talk to a CSM expert.

- How would you then 2BFW rulebase of 1000 ASR and ISR routers ?

many thanks Karien

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Mon, 08 Jul 2013 21:44:07 GMT

Hello Karien,

I am on MST,

Sure send the configs,

ZBFW rulebase: They all work the same... They try to accomplish the same goal so configuration speaking, same thing,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Mon, 08 Jul 2013 21:50:12 GMT

Thanks you Julio,

Last question for today 🙂

ZBFW for 1000 routers: how to manage them with an alternative to CSM ?

thx Karien

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Mon, 08 Jul 2013 22:03:47 GMT

Hello Karien,

I would always say CLI for configuration purposes (100 % of the times) and for monitoring you could use either a GUI ( SDM,CCP,SDM) or the CLI,

So you have several options to use depend on what you want to accomplish

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Re: ZBFW not blocking traffic from DMZ

Keith McElroy — Mon, 08 Jul 2013 22:38:47 GMT

It was not solved, I haven't had time to do any testing but another person verified it worked on 12.4 just fine. I am starting to wonder if it is related to the new platform or licensing as I don't have the data license on that box, not sure. Starting to look like an issue with that platform though.

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Tue, 09 Jul 2013 08:47:42 GMT

hello, i opened a case for it, lets seet what comes out

Re: ZBFW not blocking traffic from DMZ

Keith McElroy — Tue, 09 Jul 2013 13:43:41 GMT

Please let me know what becomes of it.

Re: ZBFW not blocking traffic from DMZ

karien.depyper — Tue, 09 Jul 2013 20:19:18 GMT

Hello,

Issue identified: The problem exists with icmp only, other tcp/udp sessions work fine.

Related to bug :

CSCsz36217 Bug Details

Zone Based Firewall leaks for ICMP inspected Traffic

Status: Open/postponed

Rgards Karien

Re: ZBFW not blocking traffic from DMZ

Julio Carvajal — Tue, 09 Jul 2013 20:53:38 GMT

Hello Karien,

Great info, Thanks,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura