ZBFW not blocking traffic from DMZ

Keith McElroy
Level 1

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside; those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside; it still passes. I ended up just having to put an ACL on the interface.

I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if anyone knows of any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

I attached my running config, sensitive information was removed or changed.

18 Replies

Hi

Could you attach the config from when you have the problems you are describing?

I already have, it is in the initial posting.

OK, I thought that was the config from when you had set an ACL on the interface to fix the problem because ZBF isn't working as expected?

The problem you are experiencing sounds really weird; I have never encountered it.

Just to be sure, do this:

no zone-pair security InDMZ source DMZ destination Inside

interface GigabitEthernet0/1.197

  no ip access-group DMZ in

Can the DMZ still communicate with the inside after this?

I have already done that, as explained in the initial posting. The config you reference was explained as part of my attempts to block the traffic, which ended with me just using an ACL because the other methods failed.

Cool post,

Hmm, I think I have not played with Zone-Based Firewall and sub-interfaces before (although I have worked on a huge number of cases with ZBFW), but logically speaking it is the same thing.

So here is what I want you to do:

First of all, remove the zone-pair from DMZ to inside before taking the outputs I am going to provide you (I KNOW you already posted that you are testing new things; that is why you added that).

1) Create an ACL to match the traffic that is being allowed right now from DMZ to Inside; this is just for testing purposes.

2) debug policy-firewall list ACL_CREATED_TO_MATCH_TRAFFIC

3) debug cce dp feature inspect detail

Be careful with the debugs.

May I know the traffic flow that is being allowed right now? Source IP, destination IP.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
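As an added example (not Keith's attached config and not Julio's own commands), here is how the test Julio lays out above could look on an ISR running IOS 15.x: the DMZ subinterface name Gi0/1.197 is taken from the thread, while the inside subinterface, VLAN numbers, addresses and all object names are assumed. It shows the explicit drop-and-log zone-pair that should block DMZ-to-inside, the show commands that confirm the pair is actually bound, and the debug run scoped to a test ACL as in steps 1-3.

```cisco
! --- Zones and subinterfaces (Gi0/1.197 is from the thread; VLAN 100 and addresses are assumed)
zone security Inside
zone security DMZ
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 zone-member security Inside
!
interface GigabitEthernet0/1.197
 encapsulation dot1Q 197
 ip address 10.10.197.1 255.255.255.0
 zone-member security DMZ
!
! --- Step 1: ACL that matches the flow currently leaking from DMZ to Inside (constructed addresses)
ip access-list extended ACL_DMZ_TO_INSIDE
 permit ip 10.10.197.0 0.0.0.255 10.10.100.0 0.0.0.255
!
! --- Explicit deny policy for the DMZ->Inside pair; "log" makes every drop visible in syslog,
! --- so a flow that still passes while this is applied proves the pair is not seeing it
class-map type inspect match-all CM_DMZ_TO_INSIDE
 match access-group name ACL_DMZ_TO_INSIDE
!
policy-map type inspect PM_DMZ_TO_INSIDE
 class type inspect CM_DMZ_TO_INSIDE
  drop log
 class class-default
  drop log
!
zone-pair security DMZ_TO_INSIDE source DMZ destination Inside
 service-policy type inspect PM_DMZ_TO_INSIDE
!
! --- Verification: every routed (sub)interface must list a zone, and the pair must list the policy
show zone security
show zone-pair security
show policy-map type inspect zone-pair DMZ_TO_INSIDE
!
! --- Steps 2-3: remove the pair first, as asked, then debug only traffic matching the test ACL
! --- so the output stays readable and does not flood the console of a production router
no zone-pair security DMZ_TO_INSIDE source DMZ destination Inside
debug policy-firewall list ACL_DMZ_TO_INSIDE
debug cce dp feature inspect detail
! ... generate the DMZ->Inside traffic from a DMZ host, collect the output, then stop:
undebug all
```

If the show outputs look right but the flow still passes, confirm with a traceroute from the DMZ host that the packets actually transit the router: ZBFW only inspects traffic that is routed between zone members, so anything switched or routed around the router never reaches the zone-pair.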

Hello,

I have exactly the same issue. Was this solved in the meantime?

thx Karien

Hello Karien,

We did not receive any information.

What's your scenario/issue?

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Thanks for the quick response.

I have configured ZBFW between 2 subinterfaces on a LAN:

1 interface in zone production

1 subinterface in zone tda,

inspecting tcp, udp and icmp, only in 1 direction: production to tda.

However, icmp from test to production is possible.

ISR 2900, 15.2 software

(I do not have the configs right now; I am working GMT times, so currently at home.)

Any idea?

2 other questions, as you seem a big fan of ZBFW :-)

- I am working on a proof of concept with CSM 4.4 SP1 and ZBFW (1000+ routers). Is this recommended? I read a post where they don't recommend it (https://supportforums.cisco.com/message/3944461#3944461).

- I have a FlexVPN setup: do I have to put the tunnel source addresses into a VPN zone?

Many thanks, Karien

Hello Karien,

1-

(I do not have the configs right now; I am working GMT times, so currently at home.)

Any idea?

That does not make any sense; it should not be possible.

I want to double-check that. Can you share the config, and maybe the results of the PING as well?

2- CSM questions,

I consider myself not the right person to talk about CSM, as I have not played with that a lot, so I cannot say "Yes, go for it" or "No, don't do it."

All I can say is I have heard that for security configuration/management purposes it is not a good option.

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello again,

- I will have access to the configs again in about 9 hours; then I can share them with you. (What time zone are you in?) I am planning to use a class-map with match access-group instead of match protocol icmp as a first thing.

- OK, I will talk to a CSM expert.

- How would you then manage the ZBFW rulebase of 1000 ASR and ISR routers?

Many thanks, Karien

Hello Karien,

I am on MST.

Sure, send the configs.

ZBFW rulebase: they all work the same... They try to accomplish the same goal, so configuration-wise it is the same thing.

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio,

Last question for today :-)

ZBFW for 1000 routers: how do you manage them with an alternative to CSM?

thx Karien

Hello Karien,

I would always say CLI for configuration purposes (100% of the time), and for monitoring you could use either a GUI (SDM, CCP, SDM) or the CLI.

So you have several options to use, depending on what you want to accomplish.

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It was not solved. I haven't had time to do any testing, but another person verified it worked on 12.4 just fine. I am starting to wonder if it is related to the new platform or licensing, as I don't have the data license on that box; not sure. It is starting to look like an issue with that platform, though.
