topic Port Forwarding In Zone Based Firewall in Network Security

Port Forwarding In Zone Based Firewall

markieparkie — Tue, 12 Mar 2019 03:00:08 GMT

Hi all,

I have a problem with getting port forward to work. Does this config look right?

Basically I want to forward all traffic from ports UDP 88 to internal 192.168.10.210, TCP & UDP 3074 also to internal 192.168.10.210

Also port TCP & UDP 32400 to internal 192.168.10.6

Also another question is that from a port scan from a web service somewhere checking a port is forwarding correctly on the router; will the scan fail as the traffic has first goto originate and punch a hole in the firewall from my internal network or can a port scan for a particular port (32400) be allowed through straight to my internal server with the traffic not originating from the internal network.

----------------------------------------------------------------------------------

class-map type inspect match-any TCP-UDP
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access

policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop

zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect FIREWALL_EXCEPTIONS_POLICY

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
!
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit tcp any eq 32400 any
permit udp any host 192.168.10.6 eq 32400
permit udp any eq 32400 any

Port Forwarding In Zone Based Firewall

jumora — Tue, 05 Nov 2013 03:59:59 GMT

Please post interface configuration, meaning get me a show run

Port Forwarding In Zone Based Firewall

markieparkie — Sun, 22 Dec 2013 16:58:42 GMT

Sorry for the delay, but here is a running config.. Thanks.

Current configuration : 6877 bytes

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname

boot-start-marker

boot-end-marker

logging message-counter syslog

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa session-id common

clock timezone London 0

clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

dot11 syslog

ip source-route

ip dhcp pool HOME

import all

network 192.168.20.0 255.255.255.0

default-router 192.168.20.254

ip cef

ip domain name home.local

no ipv6 cef

multilink bundle-name authenticated

vtp mode client

Port Forwarding In Zone Based Firewall

Julio Carvajal — Mon, 23 Dec 2013 19:00:49 GMT

Hello Marcus,

So some mistakes here,

After briefly checking the configuration I determined traffic will flow from the Out-zone to the Private zone.

Policy from Private to Out

policy-map type inspect ccp-inspect

class type inspect TCP-UDP

inspect

class class-default

drop

Policy from Out to Private

policy-map type inspect FIREWALL_EXCEPTIONS_POLICY

class type inspect FIREWALL_EXCEPTIONS_CLASS

pass

class class-default

drop

With that confiuration this will never work as you are inspecting traffic on one way and on the other just let it go through with no stateful checks at all.

To resolve it

ip access-list Extended Julio_Rocks

permit udp any host 192.168.10.210 eq 88

permit udp any host 192.168.10.210 eq 3074

permit tcp any host 192.168.10.210 eq 3074

permit tcp any host 192.168.10.6 eq 32400

permit udp any host 192.168.10.6 eq 32400

class-map type inspect Julio_Rocks

match access-group name Julio_Rocks

policy-map type inspect FIREWALL_EXCEPTIONS_POLICY

no class FIREWALL_EXCEPTIONS_CLASS

class Julio_Rocks

inspect

Looking for a Network engineer, contact me directly at julio17carvajal@hotmail.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Port Forwarding In Zone Based Firewall

markieparkie — Tue, 11 Feb 2014 11:53:33 GMT

Hi Julio,

Nice one on fixing the problem.

Still cant see why traffic has to be treated the same way on out and in, thought if the inspect is set to allow the traffic in, then permitting without inspect on the way out just seems to make sense if the traffic is allowed both ways things would work.

Why does it have to be the same?

On another note; have you had any experience with VPN’s and ZBW? I have a config where there is a tunnel created and traffic sent out from the router seems fine (full bandwidth 70% CPU) yet on traffic coming in, the router hits about 80% usage and the speed is nowhere near when its capable of.

Bit stumped on this.. Does the VPN actually go to the router itself, thus using the outzone to self policy?

Thanks,

Marcus.

Port Forwarding In Zone Based Firewall

Julio Carvajal — Tue, 11 Feb 2014 12:09:37 GMT

Hello,

So you are inspecting traffic from Out-To-In

Traffic reaches outside Interface, its inspectioned and allowed trought (While added to the stateful table of the FW so the reply of the client is allowed).SYN
Reply from the client comes and it's passed (No information is saved into the Firewall table as we are just passing the traffic and not inspectioning). SYN-ACK
Traffic comes back for the server and reaches the Firewall but then this one says" OK I see the SYN, I do not see the SYN-ACK why should I allow this ACK and drops it" Clear enough????

Yeah I have experience with VPN .

Check my website for more info regarding ZBFW

http://www.laguiadelnetworking.com/zone-based-firewall-and-the-self-zone-integration/

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com