Cisco Bug: CSCsz36217 - Zone Based Firewall leaks for ICMP inspected Traffic.

Last Modified

Feb 28, 2018

Products (144)

  • Cisco IOS
  • Cisco VG204 Analog Voice Gateway
  • Cisco Catalyst 6500 Series Communication Media Module
  • Cisco C897VA Integrated Services Router
  • Cisco 886VA-CUBE Integrated Services Router
  • Cisco 886VAG 3G Integrated Services Router
  • Cisco VG204XM Analog Voice Gateway
  • Cisco 888W Integrated Services Router
  • Cisco 1803 Integrated Services Router
  • Cisco AS5400XM Universal Gateway

Known Affected Releases

12.4(15)T17 12.4(20)T4 12.4(24.6)T7 15.0(1)M5.9 15.1(0.2.11)PIB13 15.1(0.2.15)PIB13 15.1(1)T3.12 15.1(1.10)T 15.1(1.2)PI13d 15.1(1.4)T 15.1(2)T2.5 15.1(2)T3.1 15.1(2)T4.3 15.1(3)T1.5 15.1(3)T2.3 15.1(3.14)T 15.1(3.22)M0.1 15.1(3.7)T 15.1(3.8.8)PIB 15.1(4)M2.6 15.1(4)M3.8 15.1(4)M8 15.2(0.0.15)PIL16 15.2(0.12)T 15.2(0.13)T 15.2(0.13.3)PIB17 15.2(0.6)PI16 15.2(1)TPI17 15.2(2.16)T 15.2(3)T0.2 15.2(3)T2.1 15.2(3.1)T 15.2(3.22.2)PIB16 15.2(3.31)PIP 15.2(3.7)T 15.2(4)M4.3 15.2(4)M5.6 15.3(0.18)T0.1 15.3(1)T0.1 15.3(1)T3 15.3(1)T4 15.3(2)T1.3 15.3(3)M1.9 15.4(1)T1 15.4(1.14)T 15.4(1.24)T0.1 15.4(2.2)T

Description (partial)

ICMP traffic can be sent from a less secure zone to a more secure zone once an ICMP stream has been
created from a more secure zone to a less secure zone.

Affects Cisco IOS Software 12.4(20)T and later.  Previous versions are not affected.

A device is affected if it is configured with Zone Based Firewall and has ICMP inspection configured.

Once an ICMP traffic stream is opened from the inside zone to the outside zone, ICMP traffic can flow
from the same outside destination address to the inside source address, whilst the flow is active.  

When an ICMP session is active from zone z1 to another zone z2 (z1 and z2 are part of a zone-pair), ICMP
traffic flowing from z2 to z1 in the opposite direction of the established session is allowed by Zone
Based Firewall (Source/Destination IP addresses must match). Once the ICMP traffic stream from z1 to z2
is stopped, the flow is destroyed and ICMP traffic from z2 to z1 will be dropped.

No other protocols are affected.
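
As an added example (not Cisco's code and not part of the bug report), the following Python check replays ICMP packet records and flags z2-to-z1 packets that match an active z1-to-z2 flow by address pair only, which is the traffic described above. The record layout, function and field names, the 10-second flow lifetime and the sample addresses are assumptions of this example, as is treating an echo reply with a matching identifier and sequence number as the only expected return traffic.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8
IDLE_TIMEOUT = 10.0  # assumed flow lifetime in seconds; not taken from the bug report

@dataclass(frozen=True)
class Pkt:
    ts: float
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int

def find_reverse_leaks(packets, inside="z1", outside="z2", timeout=IDLE_TIMEOUT):
    """Flag outside->inside ICMP that matches an active flow by address pair only."""
    flows = {}  # (inside_ip, outside_ip) -> {"last": ts, "pending": {(ident, seq)}}
    leaks = []
    for p in sorted(packets, key=lambda p: p.ts):
        if (p.src_zone, p.dst_zone) == (inside, outside):
            if p.icmp_type != ECHO_REQUEST:
                continue
            flow = flows.setdefault((p.src, p.dst), {"last": p.ts, "pending": set()})
            if p.ts - flow["last"] > timeout:
                flow["pending"].clear()  # old flow was destroyed; start a new one
            flow["last"] = p.ts
            flow["pending"].add((p.ident, p.seq))
        elif (p.src_zone, p.dst_zone) == (outside, inside):
            flow = flows.get((p.dst, p.src))
            if flow is None or p.ts - flow["last"] > timeout:
                continue  # no active flow: dropped by the firewall, per the report
            if p.icmp_type == ECHO_REPLY and (p.ident, p.seq) in flow["pending"]:
                flow["pending"].discard((p.ident, p.seq))
                continue  # expected return traffic
            leaks.append(p)  # rides the flow on matching addresses alone
    return leaks

# Constructed sample records (documentation address ranges), not real captures.
SAMPLE = [
    Pkt(0.0, "z1", "z2", "192.0.2.10", "198.51.100.7", ECHO_REQUEST, 1, 1),
    Pkt(0.1, "z2", "z1", "198.51.100.7", "192.0.2.10", ECHO_REPLY, 1, 1),
    Pkt(0.5, "z2", "z1", "198.51.100.7", "192.0.2.10", ECHO_REQUEST, 99, 1),
    Pkt(0.6, "z2", "z1", "198.51.100.9", "192.0.2.10", ECHO_REQUEST, 99, 2),
    Pkt(30.0, "z2", "z1", "198.51.100.7", "192.0.2.10", ECHO_REQUEST, 99, 3),
]
if __name__ == "__main__":
    print([(p.ts, p.src, p.icmp_type) for p in find_reverse_leaks(SAMPLE)])
```

On the sample, only the unsolicited echo request at t=0.5 is flagged: the packet from a different outside address and the one arriving after the flow has expired match no active flow.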

Related Community Discussions

Zone Based Firewall allowing unwanted traffic
I'm testing zone based firewall zbf in preparation to deploy. However I'm running into an issue that I need assistance with. I've attached a copy of my test topology for reference. But to explain I have this environment: PCs - Servers - Registers - Vendors I have eigrp configured on to take traffic to HQ (R4) with a vti interface as backup in case the primary goes down. I also have a public interface on R1 for internet traffic. I have created sub-interfaces and placed these respective systems ...
Latest activity: Nov 12, 2013