693 Views | 0 Helpful | 4 Replies

Self Zone to Outside Not Dropping on Cisco Router

JimEBobE (Level 1)

I have an ISR 4431 that I have set up with a Zone Based Firewall. I have an Internet port with a public IP and have created a zone called Internet. I created a zone pair between Internet and Self and blocked everything except 2 IPs I have in an ACL. However, I am still able to see open ports on the firewall. Any assistance would be appreciated. Below is a small portion of my config. I have changed the public IPs in this example.

interface GigabitEthernet0/0/2
 description Internet
 ip address 1.1.1.1 255.255.255.252
 no ip unreachables
 ip nat outside
 zone-member security Internet
 negotiation auto
!
! Only the inbound pair (Internet -> self) is shown; the Internet zone
! interface above is the one the public-facing ports are seen on.
zone-pair security Internet->Self source Internet destination self
 service-policy type inspect Internet_to_Self
!
policy-map type inspect Internet_to_Self
 class type inspect Internet_to_Self_Class
  inspect
 class class-default
  drop log
!
class-map type inspect match-all Internet_to_Self_Class
 match access-group 110
!
! ACL 110 matches on source IP only; no Layer 4 protocol is specified.
access-list 110 permit ip host 2.2.2.2 any
access-list 110 permit ip host 3.3.3.3 any

4 Replies

Ajay Saini (Level 7)

Hello,

It sounds good logically, but I would recommend that you specify Layer 4 info in access list 110 if you really want to inspect the traffic. Currently you have an IP-based access list, and IP as a protocol cannot be inspected. The underlying protocols that can be inspected should be added along with the IP address.

Try to make that change and see if it helps.

-

HTH
AJ
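As an added illustration of the Layer 4 matching AJ describes (this is example configuration written for this page, not from the thread or from Cisco documentation): the ACL names the protocols and ports instead of bare ip, and the class map requires both the ACL match and a protocol the self zone can inspect. The ACL name, the nested class map, and the choice of SSH and ICMP echo are assumptions; 2.2.2.2 and 3.3.3.3 are the placeholder hosts from the question.

```cisco
! Example only: ACL entries carry a Layer 4 protocol (tcp/icmp), not ip.
! SELF_MGMT_IN, port 22 and ICMP echo are assumed; adjust to your own services.
ip access-list extended SELF_MGMT_IN
 permit tcp host 2.2.2.2 any eq 22
 permit tcp host 3.3.3.3 any eq 22
 permit icmp host 2.2.2.2 any echo
 permit icmp host 3.3.3.3 any echo
 deny ip any any log
!
! Protocols that the self zone can inspect, collected in a match-any map
class-map type inspect match-any L4_PROTOCOLS
 match protocol tcp
 match protocol icmp
!
! match-all: traffic must hit the ACL AND be one of the inspectable protocols
class-map type inspect match-all Internet_to_Self_Class
 match access-group name SELF_MGMT_IN
 match class-map L4_PROTOCOLS
!
policy-map type inspect Internet_to_Self
 class type inspect Internet_to_Self_Class
  inspect
 class class-default
  drop log
!
zone-pair security Internet->Self source Internet destination self
 service-policy type inspect Internet_to_Self
!
! Verify that sessions are actually being built by this zone pair
! (the "do you see it inspected" check) and that class-default drops count up
show policy-map type inspect zone-pair Internet->Self sessions
show policy-map type inspect zone-pair Internet->Self
```

If the session display stays empty while ports still answer from the Internet interface, the traffic is not reaching this zone pair at all, which is the bypass case raised later in the thread.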

denilson.mota (Level 1)

Just try to add an implicit rule after the permitted entries:

access-list 110 permit ip host 2.2.2.2 any
access-list 110 permit ip host 3.3.3.3 any
! Extended ACLs require a protocol keyword; "deny any any" is not accepted here.
! IOS already has an implicit deny at the end, so this entry mainly makes it visible.
access-list 110 deny ip any any

I tried adding a match tcp to my class list as well as adding the implicit deny statement. However, the port still remains open.

It looks like the traffic is somehow bypassing the outside-to-self zone-pair inspection and drop policy and being handled as to-the-box traffic. Could you paste the current config for ZBF?

Also, for the traffic that is meant to be inspected, do you actually see it getting inspected? You can check for connections:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/117721-technote-iosfirewall-00.html#anc5

-

HTH
AJ
