Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2663
Views
0
Helpful
3
Replies

Zone-based firewall

Go to solution
hanwucisco
Level 1
Level 1

‎09-27-2011 08:56 AM - edited ‎03-11-2019 02:30 PM

I set up a very simple scenario,

R1------R2-----R3, where R1 is private, R3 is the Internet.

1.Before applying any zone, the routing is fine. I used OSPF Area 0 for all the interfaces on all 3 routers.

2. I created zones, with a policy that allow ICMP.

3. I pinged from R1 to R3. it worked.

I am kinda confused, since I didnt do anything regarding OSPF.

Why is that, how can OSPF traffic pass through the firewall?

Thanks,

here is the configuration on R2,

R2#sh run

Building configuration...

Current configuration : 1833 bytes

!

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

!

ip source-route

ip cef

!

!

!

!

no ip domain lookup

no ipv6 cef

!

!

class-map type inspect match-any CM

match protocol icmp

!

!

policy-map type inspect PM

class type inspect CM

  inspect

class class-default

  drop

!

zone security ZONE_PRIVATE

zone security ZONE_INTERNET

zone-pair security ZONEP_PRIV_INT source ZONE_PRIVATE destination ZONE_INTERNET

service-policy type inspect PM

!

!

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex half

!

!

interface Serial1/0

ip address 10.10.10.2 255.255.255.0

zone-member security ZONE_PRIVATE

serial restart-delay 0

!

!

interface Serial1/1

ip address 10.20.20.2 255.255.255.0

zone-member security ZONE_INTERNET

serial restart-delay 0

!

!

!

router ospf 1

log-adjacency-changes

network 0.0.0.0 255.255.255.255 area 0

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

control-plane

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to hanwucisco

‎09-28-2011 12:22 AM

Hi Han,

OSPF traffic is from router to router  and in ZBF traffic destined to or coming from the router is using the self zone and by default all is permitted to self or from self.

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ameya_oke
Level 1
Level 1

‎09-27-2011 09:30 AM

Hi Han,

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89.

On firewall IP is allowed and services(TCP or UDP) are blocked by default so OSPF packets flow across it.

PLease rate if helps.

Ameya

0 Helpful

Go to solution
hanwucisco
Level 1
Level 1
In response to ameya_oke

‎09-27-2011 10:17 AM

"On firewall IP is allowed and services(TCP or UDP) are blocked by default "

Can you elaborate this sentence a little bit? As far as I know in ASAs, the default it that is will block all of them. You have to configure to let them go through.

thanks,

Han

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to hanwucisco

‎09-28-2011 12:22 AM

Hi Han,

OSPF traffic is from router to router  and in ZBF traffic destined to or coming from the router is using the self zone and by default all is permitted to self or from self.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top