cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4968
Views
0
Helpful
1
Replies

zone based firewall and self zone

WILLIAM STEGMAN
Level 4
Level 4

Much of the documentation regarding zone based firewall references the necessity to build policy on traffic coming from the outside headed to the self zone when an IPSec tunnel is used.  In other words, you must have a policy in place so the tunnel can come up.  This would seem to apply to an interface that is not part of a zone; for example if an interface is on the WAN being used to terminate a DMVPN tunnel, it must be a member of a zone that has policy in place to permit GRE traffic from that outside interface to the self zone.  If it's in the default zone, that traffic will not be permitted.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.…

The following are basic rules to consider when setting up zones:

  • Traffic from a zone interface to a nonzone interface or from a nonzone interface to a zone interface is always dropped; unless default zones are enabled (default zone is a nonzone interface).
  • Traffic cannot flow between an interface that is a member of a security zone and an interface that is not a member of a security zone because a policy can be applied only between two zones.


However, I'm not seeing that requirement in a setup I have.  I have my MPLS provider interface in a separate VRF; it's a FVRF since I'm using IWAN.  It's not a member of any zone, and yet the tunnels come up on that transport.  I'm using zones and policy on the LAN interfaces and tunnel interfaces, controlling what traffic is permitted between those LAN interfaces and the tunnel interfaces while assigning the "WAN" interfaces to different FVRFs.  The documentation, at least as I interpret it, indicates that this is not possible.  So what caveat might I missing or how is my understanding incorrect?  I do have a default zone in my config, but I believe it came enabled.  I didn't explicitly configure it. 

show zone security

zone default

  Description: System level zone. Interface without zone membership is in this zone automatically

However, it also has a self zone

zone self

  Description: System defined zone

Does this mean that if a default zone exists, all traffic from the default zone to the self zone is permitted?  Is that why the DMVPN tunnels are working on the router?  It seems that essentially how it would work without any zones, and since my zones are not being applied to the WAN interfaces, this rule wouldn't apply. 

thank you

1 Accepted Solution

Accepted Solutions

Bogdan Nita
VIP Alumni
VIP Alumni

When an interface is configured to be a zone member, the hosts connected to the interface are included in the zone. However, traffic flowing to and from the IP addresses of the router’s interfaces is not controlled by the zone policies (with the exception of circumstances described in the note following Figure 10). Instead, all of the IP interfaces on the router are automatically made part of the self zone when ZFW is configured. In order to control IP traffic moving to the router’s interfaces from the various zones on a router, policies must be applied to block or allow/inspect traffic between the zone and the router’s self zone, and vice versa.

Although the router offers a default-allow policy between all zones and the self zone, if a policy is configured from any zone to the self zone, and no policy is configured from self to the router’s user-configurable interface-connected zones, all router-originated traffic encounters the connected-zone to self-zone policy on its return the router and is blocked. Thus, router-originated traffic must be inspected to allow its return to the self zone.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

HTH

Bogdan

View solution in original post

1 Reply 1

Bogdan Nita
VIP Alumni
VIP Alumni

When an interface is configured to be a zone member, the hosts connected to the interface are included in the zone. However, traffic flowing to and from the IP addresses of the router’s interfaces is not controlled by the zone policies (with the exception of circumstances described in the note following Figure 10). Instead, all of the IP interfaces on the router are automatically made part of the self zone when ZFW is configured. In order to control IP traffic moving to the router’s interfaces from the various zones on a router, policies must be applied to block or allow/inspect traffic between the zone and the router’s self zone, and vice versa.

Although the router offers a default-allow policy between all zones and the self zone, if a policy is configured from any zone to the self zone, and no policy is configured from self to the router’s user-configurable interface-connected zones, all router-originated traffic encounters the connected-zone to self-zone policy on its return the router and is blocked. Thus, router-originated traffic must be inspected to allow its return to the self zone.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

HTH

Bogdan

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: