Deny U-turn traffic on zone based firewall

Hello All,

Since I was told that U-turn (or hairpin) traffic is allowed by default on a zone based firewall, I decided to create a zone-pair like the following to stop this from happening, in case somebody decides to hairpin through my router, using it as just an additional gateway to send packets:

policy-map type inspect Outside-Outside-pmap
 class class-default
  drop log
!
zone-pair security outside-to-outside source outside destination outside
 service-policy type inspect Outside-Outside-pmap
!
interface FastEthernet4
 zone-member security outside


Is this a correct understanding?

Thanks!

3 REPLIES

Re: Deny U-turn traffic on zone based firewall

Yes, that should do the trick.

I don't know if you have just forgotten to add this or not, but you also need to define the security zone outside.

zone security outside

Also, is there a reason you are using ZBFW to stop hairpinning instead of implementing IOS firewall?

--

Please remember to rate and select a correct answer
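The omission pointed out above (a zone referenced by a zone-pair and by an interface, but never created with `zone security`) is easy to miss in a long running-config. As an added check, not code from this thread, here is a small Python lint that reads IOS ZBFW configuration text and reports zones and inspect policy-maps that are referenced but never defined; the sample config is constructed to mirror the one in the question, and the implicit `self` zone is skipped because IOS predefines it.

```python
import re

# Constructed sample, modelled on the configuration in the question:
# the zone-pair and the interface reference zone "outside", but there is
# no "zone security outside" statement defining it.
SAMPLE_CONFIG = """\
policy-map type inspect Outside-Outside-pmap
 class class-default
  drop log
zone-pair security outside-to-outside source outside destination outside
 service-policy type inspect Outside-Outside-pmap
interface FastEthernet4
 zone-member security outside
"""

ZONE_DEF = re.compile(r"^zone security (\S+)")
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")
ZONE_MEMBER = re.compile(r"^\s+zone-member security (\S+)")
SERVICE_POLICY = re.compile(r"^\s+service-policy type inspect (\S+)")
POLICY_MAP = re.compile(r"^policy-map type inspect (\S+)")


def check_zbfw(config: str) -> list[str]:
    """Return findings for zones / inspect policy-maps that are used but never defined."""
    defined_zones, defined_pmaps = set(), set()
    used_zones, used_pmaps = {}, {}  # name -> first place it was referenced
    for line in config.splitlines():
        if m := ZONE_DEF.match(line):
            defined_zones.add(m.group(1))
        elif m := POLICY_MAP.match(line):
            defined_pmaps.add(m.group(1))
        elif m := ZONE_PAIR.match(line):
            pair, src, dst = m.groups()
            used_zones.setdefault(src, f"zone-pair {pair} source")
            used_zones.setdefault(dst, f"zone-pair {pair} destination")
        elif m := ZONE_MEMBER.match(line):
            used_zones.setdefault(m.group(1), "zone-member on interface")
        elif m := SERVICE_POLICY.match(line):
            used_pmaps.setdefault(m.group(1), "service-policy under zone-pair")
    findings = []
    for zone, where in used_zones.items():
        # "self" is the router's own system-defined zone and needs no definition
        if zone != "self" and zone not in defined_zones:
            findings.append(f"zone '{zone}' used by {where} but 'zone security {zone}' is missing")
    for pmap, where in used_pmaps.items():
        if pmap not in defined_pmaps:
            findings.append(f"policy-map '{pmap}' used by {where} but never defined")
    return findings


if __name__ == "__main__":
    for finding in check_zbfw(SAMPLE_CONFIG):
        print(finding)
```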

Re: Deny U-turn traffic on zone based firewall

Hello,

There is no such thing as ZBFW allowing U-turn traffic by default. I mean, if you inspect it, it might get dropped due to the TCP 3-way handshake not being honored.

What's allowed by default is traffic from interfaces in the same zone; on the newer versions you can change this (actually starting with 15.0(1)M), and traffic within the same zone can be inspected, passed or denied.

Hope this makes sense

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Hi Ruterford,

It seems the intra-zone zone based firewall policy does not apply to the hairpinning traffic. It does apply to traffic flowing between different interfaces in the same zone. (IOS Version 15.1(3)S2)
