04-23-2013 07:43 AM - edited 03-11-2019 06:33 PM
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside; those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, and it still passes. I ended up just having to put an ACL on the interface.
I already tried upgrading the IOS; that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if anyone knows of any reason this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
I attached my running config, sensitive information was removed or changed.
07-09-2013 01:47 AM
Hello, I opened a case for it, let's see what comes out.
07-09-2013 06:43 AM
Please let me know what becomes of it.
07-09-2013 01:19 PM
Hello,
Issue identified: the problem exists with ICMP only; other TCP/UDP sessions work fine.
Related to bug CSCsz36217: Zone Based Firewall leaks for ICMP inspected traffic
Status: Open/postponed
Regards, Karien
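The thread describes the setup in words only (the attached running-config is not reproduced on this page), so here is an added example of the configuration being discussed: three zones on dot1Q subinterfaces, inspect policies for inside-to-outside and DMZ-to-outside, an explicit drop zone-pair for DMZ-to-inside, and the interface ACL the original poster ended up using as a workaround. This is not the poster's config or Cisco's text; the zone, class-map, policy-map and ACL names, the VLAN IDs and the 10.10.10.0/24 (inside) and 10.20.20.0/24 (DMZ) addresses are assumptions. Because the TAC result above ties the leak to ICMP only, the ACL here denies just ICMP from DMZ to inside and leaves TCP/UDP to the zone-pair drop policy; if you prefer not to rely on that, deny `ip` instead of `icmp`.

```cisco
! Added example config, not from the original post. Names and addresses are assumptions.
!
class-map type inspect match-any CM-TCP-UDP-ICMP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inside -> outside and DMZ -> outside: stateful inspection, everything else dropped.
policy-map type inspect PM-INSPECT
 class type inspect CM-TCP-UDP-ICMP
  inspect
 class class-default
  drop
!
! DMZ -> inside: explicit drop of everything, logged, so the hits are visible.
policy-map type inspect PM-DENY-ALL
 class class-default
  drop log
!
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSPECT
zone-pair security DMZ-TO-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PM-INSPECT
! With no zone-pair at all, DMZ -> INSIDE should already be denied by default.
! This explicit drop pair is what the thread says was tried and still leaked ICMP.
zone-pair security DMZ-TO-INSIDE source DMZ destination INSIDE
 service-policy type inspect PM-DENY-ALL
!
! Workaround from the thread: an interface ACL on the DMZ subinterface.
! Per the TAC result only ICMP leaks, so only ICMP is denied here (assumption:
! change "icmp" to "ip" to block DMZ -> inside entirely at the ACL).
ip access-list extended DMZ-IN
 deny icmp 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
 zone-member security DMZ
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/1
 ip address dhcp
 zone-member security OUTSIDE
```

To check which policy a flow actually matched, run `show policy-map type inspect zone-pair DMZ-TO-INSIDE` and `show policy-map type inspect zone-pair sessions` while pinging an inside host from the DMZ; a leaked ping shows up as an ICMP session on a zone-pair other than the one you expect, while the ACL counters (`show ip access-lists DMZ-IN`) confirm the workaround is catching it.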
07-09-2013 01:53 PM
Hello Karien,
Great info, thanks.
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura