ZBF and VRF

Krasnoperov
Level 1

Hello, I've got a simple config, like this:

ip vrf LINE
 rd 65000:1

zone security LINE

interface GigabitEthernet0/1.206
 description -=LINE_UPLINK_ISP=-
 encapsulation dot1Q 206
 ip vrf forwarding LINE
 zone-member security LINE
 ip address 195.23x.x.182 255.255.255.252
end

interface GigabitEthernet0/1.207
 description -=LINE_PA_SPACE=-
 encapsulation dot1Q 207
 ip vrf forwarding LINE
 zone-member security LINE
 ip address 195.23x.x.185 255.255.255.248

ip route vrf LINE 0.0.0.0 0.0.0.0 195.239.108.181

No zone-pair for this zone line, no inspection rules configured.

However, when a user in VLAN 207 with

ip 195.23x.x.186
mask 255.255.255.248
gw 195.23x.x.185

tries to connect to the Internet, or someone pings this user from the Internet, all traffic is denied. When I do

interface GigabitEthernet0/1.207
 no zone-member security LINE
interface GigabitEthernet0/1.206
 no zone-member security LINE

the traffic passes. Why? I always thought that within the same zone all traffic is allowed.


Julio Carvajal
VIP Alumni

Hello Kras,

Would you mind taking the logs from the ZBFW:

ip inspect log drop-pkt

Then just try to connect, with the ZBFW configuration in place of course, and provide me the logs.

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is the log message with the ZBF config in place; I tried to connect via SSH to this host:

Aug 24 2012 12:16:27.204 MSK: %FW-6-DROP_PKT: Dropping tcp session 95.16x.x.54:51245 195.23x.x.186:22  due to  policy match failure with ip ident 0

Also, I want to say that the ZBF rule

"As soon as an interface is assigned to a zone, traffic will only flow to interfaces in the same zone."

works just fine without VRF, but inside a VRF it does not work for me.

It might be an IOS bug for:

(C3900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1)

Hello,

And what happens if you leave the VRF setup, put them in different zones and create an inspection policy to inspect the traffic?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

A strange thing happens: when I create a second zone, create a zone-pair policy, put the second interface into this zone and then move it back into the same zone LINE, it starts to work as I expect; now all the config that I posted works!

Why so?

Hello Krasnoperov,

At least it is good that it is currently working; we could try to perform an upgrade to avoid a bug.

Can I have the version you are running, to look for a bug? Because, as you have explained the problem, the behavior does not make sense.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yep, we have two routers with identical IOS and identical behavior.

System image file is "flash:c3900-universalk9-mz.SPA.152-1.T1.bin"

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 1835264K/261888K

Technology Package License Information for Module:'c3900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
uc            None          None           None
data          None          None           None

Hello,

I have been doing my homework with this thread and, as I knew, the implementation of intra-zone policies has been available since 15.1.

Here is what I have found interesting so far:

Intrazone Support in the Zone-Based Firewall Application

Intrazone support allows a zone configuration to include users both inside and outside a network. Intrazone support allows traffic inspection between users belonging to the same zone but different networks. Depending on your release, traffic within a zone was allowed to pass uninspected by default. To configure a zone pair definition with the same zone for source and destination, use the zone-pair security command. This allows the functionality of attaching a policy map and inspecting the traffic within the same zone.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-zone-pol-fw.html#GUID-08BAB3A9-DD8A-4656-A887-A38C1EF13512

So it looks like on the newest versions, in order to allow traffic between 2 interfaces in the same zone, we need to create an intra-zone policy.

I also found the following on the great website Packetlife.com:

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/

In early versions of IOS zone-based firewall, traffic flowing from one interface to another within the same security zone was allowed to pass by default. In recent versions, however, even intra-zone traffic requires a zone pair definition (with a single zone as both the source and destination).

So it makes sense why, after I asked you to configure the zone pair, it worked.

Can you configure an intra-zone pair policy and let me know how it goes?

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
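As an added example (not code from this thread or from Cisco), the following Python check models the rule Julio quotes: it parses zone memberships and zone-pairs out of an IOS running-config and reports zones whose member interfaces have no intra-zone pair carrying a policy, which is exactly the silent-drop condition the poster hit. The config text is constructed from the poster's layout, and the policy-map name PM-LINE-INTRA is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: two sub-interfaces in VRF LINE, both in zone LINE, no zone-pair.
BROKEN_CFG = """\
interface GigabitEthernet0/1.206
 ip vrf forwarding LINE
 zone-member security LINE
interface GigabitEthernet0/1.207
 ip vrf forwarding LINE
 zone-member security LINE
"""
# Same config plus the intra-zone pair from the accepted answer (policy name is assumed).
FIXED_CFG = BROKEN_CFG + """\
zone-pair security LINE->LINE source LINE destination LINE
 service-policy type inspect PM-LINE-INTRA
"""

def parse_zbf(config):
    """Return (zone -> member interfaces, (src, dst) -> policy-map name or None)."""
    zones, pairs, iface, pair = defaultdict(list), {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level stanza begins
            iface = pair = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif (m := re.match(r"\s+zone-member security (\S+)", line)) and iface:
            zones[m.group(1)].append(iface)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair = (m.group(1), m.group(2))
            pairs[pair] = None                 # a pair without a policy still drops
        elif (m := re.match(r"\s+service-policy type inspect (\S+)", line)) and pair:
            pairs[pair] = m.group(1)
    return dict(zones), pairs

def flow_allowed(zones, pairs, in_if, out_if):
    """Newer-IOS rule from the thread: every zoned-to-zoned flow, intra-zone included,
    needs a zone-pair that carries a policy-map (the router self zone is not modelled)."""
    zone_of = {i: z for z, ifs in zones.items() for i in ifs}
    src, dst = zone_of.get(in_if), zone_of.get(out_if)
    if src is None and dst is None:
        return True                            # neither interface is zoned
    if src is None or dst is None:
        return False                           # zoned <-> unzoned is always dropped
    return pairs.get((src, dst)) is not None   # pair must exist AND have a policy

def intrazone_gaps(zones, pairs):
    """Zones with 2+ members but no self-pair with a policy: intra-zone traffic drops."""
    return sorted(z for z, ifs in zones.items()
                  if len(ifs) >= 2 and pairs.get((z, z)) is None)
```

Run it against a real `show running-config` dump to find zones that will drop their own traffic after an IOS upgrade; a zone reported by `intrazone_gaps` needs a `zone-pair security` with the same zone as source and destination plus a service-policy.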

Thanks, Julio.

I made a zone pair with a policy which passes traffic (just pass, no inspection), something like this:

zone-pair security LINE->LINE source LINE destination LINE

and traffic starts passing, so I think you're right about the new IOS and intra-zone pair relations.

It would be great if I could change this behaviour back to the default, where the rule was:

"As soon as an interface is assigned to a zone, traffic will only flow to interfaces in the same zone."

Is it possible?

Hello Krasnoperov,

If you only have a zone-pair for the intra-zone traffic, then only traffic from the same zone will be allowed, so that should do it for you.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC