07-18-2018 08:24 AM
Much of the documentation regarding zone based firewall references the necessity to build policy on traffic coming from the outside headed to the self zone when an IPSec tunnel is used. In other words, you must have a policy in place so the tunnel can come up. This would seem to apply to an interface that is not part of a zone; for example if an interface is on the WAN being used to terminate a DMVPN tunnel, it must be a member of a zone that has policy in place to permit GRE traffic from that outside interface to the self zone. If it's in the default zone, that traffic will not be permitted.
The following are basic rules to consider when setting up zones:
However, I'm not seeing that requirement in a setup I have. I have my MPLS provider interface in a separate VRF; it's an FVRF since I'm using IWAN. It's not a member of any zone, and yet the tunnels come up on that transport. I'm using zones and policy on the LAN interfaces and tunnel interfaces, controlling what traffic is permitted between those LAN interfaces and the tunnel interfaces while assigning the "WAN" interfaces to different FVRFs. The documentation, at least as I interpret it, indicates that this is not possible. So what caveat might I be missing, or how is my understanding incorrect? I do have a default zone in my config, but I believe it came enabled. I didn't explicitly configure it.
show zone security
zone default
Description: System level zone. Interface without zone membership is in this zone automatically
However, it also has a self zone
zone self
Description: System defined zone
Does this mean that if a default zone exists, all traffic from the default zone to the self zone is permitted? Is that why the DMVPN tunnels are working on the router? It seems that's essentially how it would work without any zones, and since my zones are not being applied to the WAN interfaces, this rule wouldn't apply.
thank you
07-24-2018 06:12 AM
When an interface is configured to be a zone member, the hosts connected to the interface are included in the zone. However, traffic flowing to and from the IP addresses of the router’s interfaces is not controlled by the zone policies (with the exception of circumstances described in the note following Figure 10). Instead, all of the IP interfaces on the router are automatically made part of the self zone when ZFW is configured. In order to control IP traffic moving to the router’s interfaces from the various zones on a router, policies must be applied to block or allow/inspect traffic between the zone and the router’s self zone, and vice versa.
Although the router offers a default-allow policy between all zones and the self zone, if a policy is configured from any zone to the self zone, and no policy is configured from self to the router’s user-configurable interface-connected zones, all router-originated traffic encounters the connected-zone to self-zone policy on its return to the router and is blocked. Thus, router-originated traffic must be inspected to allow its return to the self zone.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
HTH
Bogdan
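To make the point in the quoted design guide concrete, here is an added configuration example (not from the original post, the design guide, or the asker's router) showing what happens once the WAN interface is placed in a zone: the implicit default-allow to self disappears for that pair, so both directions around the self zone need an explicit policy for the DMVPN control and data traffic. The zone name OUTSIDE, the interface GigabitEthernet0/0, and all ACL, class-map, policy-map and zone-pair names are assumptions chosen for the example.

```cisco
! --- Added example: DMVPN transport interface placed in a zone ---
! Once GigabitEthernet0/0 is a member of OUTSIDE, traffic between OUTSIDE
! and self is governed by the zone-pairs below, not by default-allow.

! Traffic the router must accept from the transport to terminate DMVPN:
! IKE (UDP/500), NAT-T (UDP/4500), ESP, and GRE.
ip access-list extended ACL-DMVPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any

class-map type inspect match-all CM-DMVPN-TO-SELF
 match access-group name ACL-DMVPN-TO-SELF

! "pass" rather than "inspect": ESP and GRE are not statefully inspected,
! so the return direction needs its own zone-pair (see below).
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-DMVPN-TO-SELF
  pass
 class class-default
  drop log

! Router-originated traffic toward the transport (IKE initiation, GRE/ESP
! to peers). Without this pair, a zone-to-self policy alone would leave the
! router's own traffic with no permitted path, which is the failure the
! design guide describes.
policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-DMVPN-TO-SELF
  pass
 class class-default
  drop log

zone security OUTSIDE
 description DMVPN transport (assumed example zone)

zone-pair security ZP-OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF

zone-pair security ZP-SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE

interface GigabitEthernet0/0
 description Assumed example WAN/transport interface
 zone-member security OUTSIDE
```

To check the result on a live box, `show zone-pair security` lists both pairs with their attached policies, and `show policy-map type inspect zone-pair ZP-OUTSIDE-TO-SELF` shows whether IKE/ESP/GRE hits are landing in the pass class or in class-default drops. The contrast with the asker's setup is that an interface left out of every zone still falls under the default-allow toward self, which is why the tunnels come up there without any of the above.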