topic Re: Zone-based firewall in Network Security

Zone-based firewall

hanwucisco — Mon, 11 Mar 2019 21:30:58 GMT

I set up a very simple scenario,

R1------R2-----R3, where R1 is private, R3 is the Internet.

1.Before applying any zone, the routing is fine. I used OSPF Area 0 for all the interfaces on all 3 routers.

2. I created zones, with a policy that allow ICMP.

3. I pinged from R1 to R3. it worked.

I am kinda confused, since I didnt do anything regarding OSPF.

Why is that, how can OSPF traffic pass through the firewall?

Thanks,

here is the configuration on R2,

R2#sh run

Building configuration...

Current configuration : 1833 bytes

hostname R2

boot-start-marker

boot-end-marker

ip source-route

ip cef

no ip domain lookup

no ipv6 cef

class-map type inspect match-any CM

match protocol icmp

policy-map type inspect PM

class type inspect CM

inspect

class class-default

drop

zone security ZONE_PRIVATE

zone security ZONE_INTERNET

zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET

service-policy type inspect PM

interface FastEthernet0/0

no ip address

shutdown

duplex half

interface Serial1/0

ip address 10.10.10.2 255.255.255.0

zone-member security ZONE_PRIVATE

serial restart-delay 0

interface Serial1/1

ip address 10.20.20.2 255.255.255.0

zone-member security ZONE_INTERNET

serial restart-delay 0

router ospf 1

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

ip forward-protocol nd

no ip http server

no ip http secure-server

control-plane

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

end

Zone-based firewall

ameya_oke — Tue, 27 Sep 2011 16:30:40 GMT

Hi Han,

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.

On firewall IP is allowed and services(TCP or UDP) are blocked by default so OSPF packets flow across it.

PLease rate if helps.

Ameya

Re: Zone-based firewall

hanwucisco — Tue, 27 Sep 2011 17:17:11 GMT

"On firewall IP is allowed and services(TCP or UDP) are blocked by default "

Can you elaborate this sentence a little bit? As far as I know in ASAs, the default it that is will block all of them. You have to configure to let them go through.

thanks,

Han

Zone-based firewall

cadet alain — Wed, 28 Sep 2011 07:22:30 GMT

Hi Han,

OSPF traffic is from router to router and in ZBF traffic destined to or coming from the router is using the self zone and by default all is permitted to self or from self.

Regards.

Alain.