Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1545
Views
13
Helpful
18
Replies

ZBFW not blocking traffic from DMZ

Keith McElroy
Level 1
Level 1

‎04-23-2013 07:43 AM - edited ‎03-11-2019 06:33 PM

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface

I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if anyone knows of any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

I attached my running config, sensitive information was removed or changed.

Labels:
15358887-ZBFW.txt.zip
0 Helpful
18 Replies 18

karien.depyper
Level 1
Level 1

‎07-09-2013 01:47 AM

hello, i opened a case for it, lets seet what comes out

0 Helpful

Keith McElroy
Level 1
Level 1
In response to karien.depyper

‎07-09-2013 06:43 AM

Please let me know what becomes of it.

0 Helpful

karien.depyper
Level 1
Level 1
In response to Keith McElroy

‎07-09-2013 01:19 PM

Hello,

Issue identified: The problem exists with icmp only, other tcp/udp sessions work fine.

Related to bug :

CSCsz36217 Bug Details

Zone Based Firewall leaks for ICMP inspected Traffic

Status: Open/postponed

Rgards Karien

Julio Carvajal
VIP Alumni
VIP Alumni
In response to karien.depyper

‎07-09-2013 01:53 PM

Hello Karien,

Great info, Thanks,

Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card