10-07-2013 05:33 AM - edited 03-11-2019 07:48 PM
Hello All,
Since I was told that U-turn (or hairpin) traffic is allowed by default on a zone-based firewall, I decided to create a zone-pair like the following to stop this from happening, in case somebody decides to hairpin through my router, using it as just an additional gateway to send packets:
policy-map type inspect Outside-Outside-pmap
 class class-default
  drop log
zone-pair security outside-to-outside source outside destination outside
 service-policy type inspect Outside-Outside-pmap
interface FastEthernet4
 zone-member security outside
Is this the correct understanding?
Thanks!
10-10-2013 10:39 AM
Yes, that should do the trick.
I don't know if you have just forgotten to add this or not, but you also need to define the security zone outside.
zone security outside
Also, is there a reason you are using ZBFW to stop hairpinning instead of implementing IOS firewall?
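For reference, here is the complete intra-zone configuration the thread is discussing, with the zone definition that the reply above points out as missing. This is an added example and not a configuration posted by either participant; the interface name and the policy and zone-pair names are taken from the original post, and the two show commands at the end are the standard IOS verification commands for checking that the zone-pair is bound and that the policy is counting drops.

```cisco
! Added example (not from the thread): complete same-zone zone-pair
! that drops and logs any flow entering and leaving the "outside" zone.
!
! 1. The zone must exist before interfaces or zone-pairs can reference it.
zone security outside
!
! 2. Policy with no explicit classes: everything falls into class-default
!    and is dropped and logged.
policy-map type inspect Outside-Outside-pmap
 class class-default
  drop log
!
! 3. Source and destination are the same zone. Intra-zone zone-pairs are
!    accepted on IOS 15.0(1)M and later, as noted in the reply below.
zone-pair security outside-to-outside source outside destination outside
 service-policy type inspect Outside-Outside-pmap
!
! 4. Put the WAN interface (FastEthernet4 in the original post) in the zone.
interface FastEthernet4
 zone-member security outside
!
! Verification (exec mode): confirm the binding, then watch the drop counters
! and the resulting log messages while a test flow is sent through the box.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair outside-to-outside
```

Note that the final post in this thread reports that, on 15.1(3)S2, this intra-zone policy matched traffic between different interfaces in the same zone but not traffic entering and leaving on the same single interface, so the drop counters in the last show command are the thing to check rather than assuming the policy covers the hairpin case.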
10-10-2013 12:08 PM
Hello,
There is no such thing as ZBFW allowing U-turn traffic by default. I mean, if you inspect it, it might get dropped due to the TCP 3-way handshake not being honored.
What's allowed by default is traffic between interfaces in the same zone; on newer versions you can change this (actually starting with 15.0(1)M): traffic within the same zone can be inspected, passed, or denied.
Hope this makes sense.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
07-04-2014 02:36 PM
Hi Ruterford,
It seems the intra-zone zone-based firewall policy does not apply to the hairpinning traffic. It does apply to traffic flowing between different interfaces in the same zone. (IOS Version 15.1(3)S2)