04-23-2013 07:43 AM - edited 03-11-2019 06:33 PM
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside; those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface.
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if anyone knows of any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
I attached my running config, sensitive information was removed or changed.
04-24-2013 12:32 PM
Hi
Could you attach the config from when you have the problems you are describing?
04-24-2013 12:34 PM
I already have, it is in the initial posting.
04-25-2013 01:41 AM
OK, I thought that was the config from when you set an ACL on the interface to fix the problem because ZBF isn't working as expected?
The problem you are experiencing sounds really weird, I've never encountered it.
Just to be sure, do this:
no zone-pair security InDMZ source DMZ destination Inside
interface GigabitEthernet0/1.197
no ip access-group DMZ in
Can the DMZ still communicate with the inside after this?
04-26-2013 12:26 PM
I have already done that as explained in the initial posting. The config you reference was explained as part of my attempts to block the traffic, which ended with me just using an ACL because the other methods failed.
04-26-2013 02:44 PM
Cool post,
Hmm, I think I have not played with Zone-based and Sub-interfaces before (although I have worked on a huge number of cases with ZBFW) but logically speaking it is the same thing.
So here is what I want you to do:
First of all, remove the zone-pair from DMZ to inside before taking the outputs I am going to provide you with (I KNOW you already posted that you are testing new things, that is why you added that).
1) Create an ACL to match traffic that is being allowed right now from DMZ to Inside, this is just for test purposes
2) debug policy-firewall list ACL_CREATED_TO_MATCH_TRAFFIC
3) debug cce dp feature inspect detail
Be careful with the debugs.
May I know the traffic flow that is being allowed right now? Source IP, destination IP.
Julio
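For reference, here is an added example of the zone, zone-pair and explicit drop-and-log configuration that the first post describes, together with the test ACL and verification commands that Julio's steps rely on. It is not the poster's attached config and not a Cisco reference config: the zone names Inside/DMZ, the subinterface and VLAN numbers, the 10.10.10.0/24 and 10.10.197.0/24 subnets, the class-map/policy-map names and the ACL name are all assumptions chosen for illustration (only the subinterface Gi0/1.197 and the zone-pair name InDMZ appear in the thread).

```cisco
! Added example (not the thread's attached config). Assumed addressing:
!   Inside 10.10.10.0/24 on Gi0/1.10, DMZ 10.10.197.0/24 on Gi0/1.197
zone security Inside
zone security DMZ
!
! Zone membership is applied per subinterface, not on the Gi0/1 trunk parent.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security Inside
!
interface GigabitEthernet0/1.197
 encapsulation dot1Q 197
 ip address 10.10.197.1 255.255.255.0
 zone-member security DMZ
!
! Inside -> DMZ: allow and statefully inspect tcp/udp/icmp, drop and log the rest
class-map type inspect match-any CM_INSIDE_TO_DMZ
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_INSIDE_TO_DMZ
 class type inspect CM_INSIDE_TO_DMZ
  inspect
 class class-default
  drop log
!
zone-pair security InsideToDMZ source Inside destination DMZ
 service-policy type inspect PM_INSIDE_TO_DMZ
!
! DMZ -> Inside: explicit deny-everything policy so every dropped packet is logged.
! Without any zone-pair the inter-zone default is also drop, but silently.
policy-map type inspect PM_DMZ_TO_INSIDE
 class class-default
  drop log
!
zone-pair security InDMZ source DMZ destination Inside
 service-policy type inspect PM_DMZ_TO_INSIDE
!
! Test ACL naming the flow that should be blocked (step 1 of the debug procedure above)
ip access-list extended ACL_DMZ_TO_INSIDE_TEST
 permit ip 10.10.197.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Verification (exec mode):
!   show zone security                                   ! confirms each SUBinterface is a member
!   show zone-pair security                              ! confirms InDMZ exists with its policy
!   show policy-map type inspect zone-pair InDMZ sessions
!   debug policy-firewall list ACL_DMZ_TO_INSIDE_TEST
```

The value of the explicit DMZ-to-Inside policy is that drops become visible in the log; with the zone-pair removed, as Julio asks for, the interzone default is also a drop, but a successful ping is then the only evidence either way. `show zone security` is the check worth running first, because it lists the member interfaces per zone and shows whether the subinterface itself, rather than only the parent trunk interface, carries the zone membership.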
07-08-2013 12:30 PM
Hello,
I have exactly the same issue. Was this solved in the meantime?
thx Karien
07-08-2013 01:35 PM
Hello Karien,
We did not receive any information,
What's your scenario/issue?
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
07-08-2013 01:55 PM
Hello,
Thanks for the quick response.
I have configured ZBFW between 2 subinterfaces on a LAN,
1 interface in zone production
1 subinterface in zone tda,
inspecting tcp, udp and icmp, only in 1 direction: production to tda.
However, icmp from test to production is possible.
ISR 2900, 15.2 software
(I do not have the configs right now; I am working GMT times, so currently @ home)
Any idea?
2 other questions, as you seem a big fan of ZBFW :-)
- I am working on a Proof of Concept with CSM 4.4 SP1 and ZBFW (1000+ routers). Is this recommended? I read a post where they don't recommend it (https://supportforums.cisco.com/message/3944461#3944461)
- I have a FlexVPN setup: do I have to put the tunnel source addresses into a VPN zone?
Many thanks Karien
07-08-2013 02:27 PM
Hello Karien,
1-
(I do not have the configs right now; I am working GMT times, so currently @ home)
Any idea?
Does not make any sense, should not be possible.
I want to double-check that, can you share the config, maybe the results of the PING as well?
2-CSM Questions,
I consider myself not the right person to talk about CSM as I have not played with that a lot, so I cannot say "Yes, go for it" or "No, don't do it".
All I can say is I have heard that for security configuration/management purposes it is not a good option.
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura
07-08-2013 02:38 PM
Hello again,
- I will have access to the configs again in about 9 hours, then I can share them with you (what time zone are you in?). I am planning to use a class-map with match access-group instead of match protocol icmp as a first thing.
- OK, I will talk to a CSM expert.
- How would you then manage the ZBFW rulebase of 1000 ASR and ISR routers?
many thanks Karien
07-08-2013 02:44 PM
Hello Karien,
I am on MST,
Sure send the configs,
ZBFW rulebase: They all work the same... They try to accomplish the same goal, so configuration-wise it is the same thing.
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura
07-08-2013 02:50 PM
Thank you Julio,
Last question for today :-)
ZBFW for 1000 routers: how to manage them with an alternative to CSM?
thx Karien
07-08-2013 03:03 PM
Hello Karien,
I would always say CLI for configuration purposes (100% of the time) and for monitoring you could use either a GUI (SDM, CCP) or the CLI,
So you have several options to use depending on what you want to accomplish.
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura
07-08-2013 03:38 PM
It was not solved, I haven't had time to do any testing but another person verified it worked on 12.4 just fine. I am starting to wonder if it is related to the new platform or licensing as I don't have the data license on that box, not sure. Starting to look like an issue with that platform though.