Zone Based Firewall allowing unwanted traffic

ty.masse
Level 1

I'm testing zone based firewall (ZBF) in preparation to deploy. However I'm running into an issue that I need assistance with. I've attached a copy of my test topology for reference. But to explain, I have this environment:

PCs - Servers - Registers - Vendors

I have eigrp configured on  to take traffic to HQ (R4) with a vti interface as backup in case the primary goes down.

I also have a public interface on R1 for internet traffic.

I have created sub-interfaces and placed these respective systems in their own vlan.  I'm doing routing on a stick for the routing.

Here is what I need to accomplish:

The vendors cannot talk to anything except inbound and outbound internet traffic (public zone)

Servers and PCs can talk to each other.

Registers and servers can talk to each other. So PCs and registers cannot talk to each other.

I don't want to restrict based on ACL.  So I'm allowing pretty much anything in my policy.

When I ping between two unauthorized zones, for example vendor to store, it acts like it's not allowing it, which is what I want. I get 4 request time outs. However if I up arrow and try again I get replies, allowing traffic between two unauthorized zones.

Requesting assistance in getting this issue resolved.

thanks.


ty.masse
Level 1

To the benefit of others.  Here is what I found out on the zone based firewall issue I was having.

Everything was setup correctly.  However I found out during multiple tests that if you have common zones, all of them will be able to talk to each other.

In my test, I had: pos zone - server zone; pc zone - server zone. I do not want pos zone - pc zone.

However since the server zone is common between pos and pc, all 3 could talk to each other even if you don't have a zone pair for the two zones that you're trying to exclude, even if your policy doesn't explicitly allow the zone you're trying to exclude.

That's a big gotcha in zbuf (that's what I call ZBF) configuration. That issue is not documented anywhere that I could find.

If there are no common zones zbuf works as intended with no issues.

Fix: Fortunately the fix to this issue is very simple. This is what I did to fix it.

1. Create an ACL and deny source and destination of the 2 zones you don't want to talk to each other. In my case I explicitly denied traffic from pos to pc and pc to pos. I allowed everything else.

2. Create class map and match that acl.

3. Done.

Now everything works as intended, and pos-to-pc and pc-to-pos traffic is dropped.

Hope this helps.

Hello Ty,

Just trying to help here

That is the whole purpose of ZBFW. By default traffic within the same zones will be allowed

But what you will love is how on 15.0(1)M intra-support filtering is available for you to go.

So if you want to restrict traffic from host A to host B in zone AB, create the right policy and assign it to

zone-pair security AB-to-AB source AB destination AB

That's it!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply. I understand that traffic within the same zone can see each other. However my issue was different. I had three distinct zones, ABC, with zone pairs AB and AC. I didn't want BC traffic. The new feature in 15.0 that you described is pretty cool.

Thanks.

Not sure I follow this:

I had three distinct zones.  ABC with zone pairs AB and AC.  I didn't want BC traffic

Be more specific please


Regards,

Jcarvaja


Three zones:

zone security a
zone security b
zone security c

interface e1
 zone-member security a
interface e2
 zone-member security b
interface e3
 zone-member security c

zone-pair security a-b source a destination b
zone-pair security a-c source a destination c

If my policy is icmp, I can ping between all three. However as I mentioned, I have found a workaround. In fact that's the only way it will work.

Hope that makes sense.

Thanks.

Hello,

So are you saying that traffic from C to B is allowed with this configuration?? What the heck????

Can you post it? So I can confirm it?


Regards,

Jcarvaja


Yes.  I've attached the configs in my original post.  Now keep in mind those interfaces are subinterfaces to route between the three vlans.

Hello,

Looks like https://tools.cisco.com/bugsearch/bug/CSCsz36217

Did you try with other traffic than TCP/UDP?


Regards,

Jcarvaja
