topic Port forward and ZBF in Network Security

Port forward and ZBF

Darkglasses — Tue, 31 Mar 2020 15:01:57 GMT

Hi All,

I have a number of ports to be forwarded to an internal server. All works fine until I apply my ZBF config.

Anyone able to cast an eye over my config to suggest how I forward a single port from the internet (dialer 0) to a device on vlan 20?
i.e. 10.10.20.100:55555

Any suggestions are welcomed as I hit a wall,
John

Current configuration : 4176 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname RouterBusiness
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXX
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.10.20.1 10.10.20.50
!
ip dhcp pool BUS_LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 10.10.20.1
!
!
ip cef
ip domain name cisco887business.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZXXXXX
!
!
username RouterB privilege 15 secret 5 XXXX
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all LAN-TO-WAN-CLASS
match access-group name LAN-TO-WAN
class-map type inspect match-all WAN-TO-LAN-CLASS
match access-group name WAN-TO-LAN
!
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security LAN-TO-WAN source INSIDE destination OUTSIDE
service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-TO-LAN source OUTSIDE destination INSIDE
service-policy type inspect WAN-TO-LAN-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 20
no ip address
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan10
description Routing to Res
ip address 192.168.10.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan20
description Business LAN
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan55
description Mgt
ip address 192.168.55.20 255.255.255.0
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP USERNAME
ppp chap password 7 ISP USERNAME
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 10.10.20.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.20.5 32400 interface Dialer0 32400
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended LAN-TO-WAN
permit ip 10.10.20.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended WAN-TO-LAN
permit icmp any 10.10.20.0 0.0.0.255
permit tcp any host 10.10.20.5 eq 3389
permit tcp any host 10.10.20.5 eq 32400
deny ip any any
!
access-list 1 remark Access to Dialer interface
access-list 1 permit 10.10.20.0 0.0.0.255
dialer-list 1 protocol ip permit

Re: Port forward and ZBF

Rob Ingram — Sun, 29 Mar 2020 19:21:30 GMT

Hi,

You should double check your ACL

ip access-list extended WAN-TO-LAN
permit icmp any 10.10.20.0 0.0.0.255
permit tcp any eq 55555 host 10.10.20.5 eq 5555

The destination port in your NAT rule is 55555, so you are missing a 5 in your ACL. Also your source port may not be 55555, I leave that out and just define the correct destination.

HTH

Re: Port forward and ZBF

Darkglasses — Mon, 30 Mar 2020 12:12:47 GMT

RJI, your are right.

The correct port is 32400 and I have copied the ACL below / updated my original config.

Apologies for misleading your as I was blanking out my ports in use and made an error. Lesson learned for the future. I did this because when I applied Firewall debugging, I got an endless stream of detail via the console and lost internet connection because my laptop had moved to an unknown network - 192.168.58.0. A reboot brought everything back up but was nervous I was posting too much details about my connection.

While my ZBF knowledge is limited, I have not seen anything to suggest that a single port cannot be forwarded. A number of policies, NAT configs and ACL's have not enabled me getting this port to show open. Unless I remove interfaces from ZBF zones. So it must be the ZBF config?

ip access-list extended WAN-TO-LAN
permit icmp any 10.10.20.0 0.0.0.255
permit tcp any eq 3389 host 10.10.20.5 eq 3389
permit tcp any eq 32400 host 10.10.20.5 eq 32400
deny ip any any

Re: Port forward and ZBF

Rob Ingram — Mon, 30 Mar 2020 12:19:22 GMT

The source port(s) is going to be random, so don't define it in the ACL - just define the destination port(s).

permit tcp any host 10.10.20.5 eq 32400

The IP address 10.10.20.5 also does not match the same IP address used in the NAT rule (10.10.20.100), you should ensure they are correct.

HTH

Re: Port forward and ZBF

Darkglasses — Tue, 31 Mar 2020 15:15:13 GMT

Thanks RJI,

I have updated the config on my original post to show my NAT rule is correct - ports route to host 10.10.20.5. Apologies I missed correcting that.

The progress is that I now see the counters increase when using port checkers on port 32400. For some reason the counter does not increase for port 3389. Both ports remain closed.

I read a blog with examples of using ip nat outside source for ZBF. That didn't work either on either of my FTTC connections, one obtains an IP dynamically and the other is static.

Extended IP access list WAN-TO-LAN
20 permit icmp any 10.10.20.0 0.0.0.255 (507 matches)
30 permit tcp any host 10.10.20.5 eq 3389
40 permit tcp any host 10.10.20.5 eq 32400 (20 matches)
50 deny ip any any (3783 matches)

Re: Port forward and ZBF

Darkglasses — Sat, 04 Apr 2020 15:27:13 GMT

Folks, Success!

I have solved the problem and posted my working config below in case anyone is spinning their wheels. Essentially the problem was that I was inspecting outbound traffic and passing inbound traffic without inspection. This miss match was causing issues - see Julio's solution at https://community.cisco.com/t5/network-security/port-forwarding-in-zone-based-firewall/td-p/2417742

Thanks to those having a look and offering advice.

Next is to sort my ChromeCast.

John

Current configuration : 4649 bytes
!
! Last configuration change at 14:06:02 UTC Sat Apr 4 2020 by Admin
! NVRAM config last updated at 13:45:37 UTC Sat Apr 4 2020 by Admin
! NVRAM config last updated at 13:45:37 UTC Sat Apr 4 2020 by Admin
version 15.1
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_Business
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX.
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.10.20.1 10.10.20.50
ip dhcp excluded-address 10.10.40.1 10.10.40.50
!
ip dhcp pool BUS_LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 10.10.20.1
!
ip dhcp pool BUS_LAN_ALT
network 10.10.40.0 255.255.255.0
dns-server 10.10.40.1
default-router 10.10.40.1
!
!
ip cef
ip domain name cisco.lcoal
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZXXXXXXXX
!
!
username Admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
class-map type inspect match-all LAN-TO-WAN-CLASS
match access-group name LAN-TO-WAN
class-map type inspect match-all WAN-TO-LAN-CLASS
match access-group name WAN-TO-LAN
!
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security LAN-TO-WAN source INSIDE destination OUTSIDE
service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-TO-LAN source OUTSIDE destination INSIDE
service-policy type inspect WAN-TO-LAN-POLICY
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description Tagging for PPPoE (VDSL0)
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 55
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 40
no ip address
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan10
description Routing to Main_Res
ip address 192.168.10.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan20
description Main_Bus
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan40
description BUS_LAN_ALT
ip address 10.10.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
interface Vlan55
description Mgt
ip address 192.168.55.20 255.255.255.0
!
interface Dialer0
description BT Bus VDSL dialer
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap ms-chap callin
ppp chap hostname ISP USERNAM
ppp chap password 7 ISP PASSWORD
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.40.5 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.40.5 32400 interface Dialer0 32400
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended LAN-TO-WAN
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.10.40.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended WAN-TO-LAN
permit icmp any 10.10.20.0 0.0.0.255
permit tcp any host 10.10.40.5 eq 32400
permit tcp any host 10.10.40.5 eq 3389
deny ip any any
!
access-list 1 remark Access to Dialer interface
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.40.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 15 0
password 7 XXXXXXXXXXXXXX
logging synchronous
transport input all
!
end