Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
517
Views
0
Helpful
3
Replies

Deny U-turn traffic on zone based firewall

Ruterford
Level 1
Level 1

‎10-07-2013 05:33 AM - edited ‎03-11-2019 07:48 PM

Hello All,

Since I was told that U-turn (or hairpin) traffic is allowed by default on a zone based firewall I decided to create a zone-pair like following to stop this from happening in case if somebody decides to hairpin thru my router using it as just an additional gateway to send packets:

policy-map type inspect Outside-Outside-pmap

class class-default

  drop log

Zone-pair name outside-to-outside

    Source-Zone outside  Destination-Zone outside

    service-policy Outside-Outside-pmap

Interface FAstEthernet4

zone-member security outside


Is this correct understanding?

Thanks!

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎10-10-2013 10:39 AM

Yes, that should do the trick.

I don't know if you have just forgotten to add this or not, but you also need to define the security zone outside.

zone security outside

Also, is there a reason you are using ZBFW to stop hairpinning instead of implementing IOS firewall?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-10-2013 12:08 PM

Hello,

There is no such a thing as ZBFW allowing by default U-Turn traffic. I mean if you inspect it it might get dropped due to the TCP 3 way handshake not being honored.

What's allowed by default is that traffic frome interfaces on the same zone is allowed, on the new versions you can change this (actually starting on 15.0(1)M) traffic withing the same zone can be inspected/passed or denied.

Hope this makes sense

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

BenBen
Level 1
Level 1

‎07-04-2014 02:36 PM

Hi Ruterford,

It seems the IntraZone zone based firewall pollicy does not apply to the hairpinning traffic. It does apply to traffic flowing between different interfaces in the same zone. (IOS  Version 15.1(3)S2)

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card