topic CCP - Advanced Firewall Creating Custom Ports Inbound Traffic in Network Security https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298853#M344018 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>So you want to port forward TCP 3389 to 192.168.10.50&nbsp; ?</P><P>If so then first you must have a static PAT statement:</P><P>ip nat inside source static tcp 192.168.10.50 3389 interface Fastethernet4 3389</P><P>Then you'll have to inspect this traffic when entering your firewall:</P><P>class-map type inspect user-remote-app-tcp</P><P>match protocol user-remote-app-tcp</P><P>no policy-map type-inspect ccp-pol-outToIn</P><P>policy-map type-inspect ccp-pol-outToIn</P><P>class type inspect user-remote-app-tcp</P><P> inspect</P><P>class type inspect CCP_PPTP</P><P> pass</P><P>class type inspect ccp-cls-ccp-pol-outToIn-1</P><P>&nbsp; pass log</P><P>class class-default</P><P>&nbsp; drop log</P><P></P><P>Regards</P><P></P><P>Alain</P><P></P><P>Don't forget to rate helpful posts.</P></BODY></HTML> Sat, 24 Aug 2013 15:17:55 GMT cadet alain 2013-08-24T15:17:55Z CCP - Advanced Firewall Creating Custom Ports Inbound Traffic https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298850#M344006 <P>Hey folks, i desperatly need some assistance with my ISR 800 series router zone based Firewall.</P><P></P><P>The router is currently setup and routing traffic to the internet successfully.</P><P>I would like to setup a custom inbound port(TCP-3389) accessible from the internet.</P><P>Port destination termination will be an internal PC at say 192.168.1.50.</P><P></P><P>How can i accomplish this using CPP or console.</P><P></P><P>I have already defined the port to application mapping using CPP. however the firewall is recording the following syslog message:</P><P></P><P></P><P></P><P></P><P>%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389&nbsp; on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action&nbsp; found in policy-map with ip ident 0 </P><P></P><P>Any assistance is greatly appreciated</P><P></P><P></P><P></P><P>If full config is required&nbsp; to assist please let me know.</P> Tue, 12 Mar 2019 02:30:25 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298850#M344006 sshsolutions 2019-03-12T02:30:25Z CCP - Advanced Firewall Creating Custom Ports Inbound Traffic https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298851#M344008 <HTML><HEAD></HEAD><BODY><P>When using CCP generalyy you would follow the proceudre starting on page 485 here:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf">http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf</A></P><P></P><P>If that didn't work for you, please share your class-maps policy-maps and zone-pairs sections so we can have a look at what is failing.</P><P></P><P>We look for:</P><P></P><P>1. The traffic is classified in a class-map</P><P>2. The policy-map passes the classified traffic</P><P>3. The zone-pair applies that policy-map</P></BODY></HTML> Sat, 24 Aug 2013 03:53:21 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298851#M344008 Marvin Rhoads 2013-08-24T03:53:21Z Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298852#M344017 <HTML><HEAD></HEAD><BODY><P>Thanks for your response.</P><P></P><P>Pardon my ignorance! how can i export this info from the CCP interface to share? In lue of that procedure, i have provided the full config below.</P><P></P><P>Building configuration...</P><P></P><P>Current configuration : 22564 bytes</P><P></P><P>!</P><P></P><P>! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs</P><P></P><P>! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs</P><P></P><P>! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs</P><P></P><P>version 15.3</P><P></P><P>no service pad</P><P></P><P>service tcp-keepalives-in</P><P></P><P>service tcp-keepalives-out</P><P></P><P>service timestamps debug datetime msec localtime show-timezone</P><P></P><P>service timestamps log datetime msec localtime show-timezone</P><P></P><P>service password-encryption</P><P></P><P>service sequence-numbers</P><P></P><P>!</P><P></P><P>hostname 881W-SSHS-R1</P><P></P><P>!</P><P></P><P>boot-start-marker</P><P></P><P>boot system flash:c880data-universalk9-mz.153-1.T.bin</P><P></P><P>boot-end-marker</P><P></P><P>!</P><P></P><P>!</P><P></P><P>security authentication failure rate 3 log</P><P></P><P>security passwords min-length 6</P><P></P><P>logging buffered 8192 warnings</P><P></P><P>enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk</P><P></P><P>enable password 7 09485B1F180B03175A</P><P></P><P>!</P><P></P><P>aaa new-model</P><P></P><P>!</P><P></P><P>!</P><P></P><P>aaa authentication login sslvpn local</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>aaa session-id common</P><P></P><P>memory-size iomem 10</P><P></P><P>clock timezone EST -5 0</P><P></P><P>clock summer-time UTC recurring</P><P></P><P>service-module wlan-ap 0 bootimage autonomous</P><P></P><P>!</P><P></P><P>crypto pki server 881-sshs-r1ca</P><P></P><P>database archive pem password 7 121D1001130518017B</P><P></P><P>issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON</P><P></P><P>lifetime certificate 1095</P><P></P><P>lifetime ca-certificate 1825</P><P></P><P>!</P><P></P><P>crypto pki trustpoint sshs-trustpoint</P><P></P><P>enrollment selfsigned</P><P></P><P>serial-number</P><P></P><P>subject-name CN=sshs-certificate</P><P></P><P>revocation-check crl</P><P></P><P>rsakeypair sshs-rsa-keys</P><P></P><P>!</P><P></P><P>crypto pki trustpoint 881-sshs-r1ca</P><P></P><P>revocation-check crl</P><P></P><P>rsakeypair 881-sshs-r1ca</P><P></P><P>!</P><P></P><P>!</P><P></P><P>crypto pki certificate chain sshs-trustpoint</P><P></P><P>certificate self-signed 01</P><P></P><P>&nbsp; 308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030</P><P></P><P>&nbsp; 4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012</P><P></P><P>&nbsp; 06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216</P><P></P><P>&nbsp; 0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D</P><P></P><P>&nbsp; 32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63</P><P></P><P>&nbsp; 65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459</P><P></P><P>&nbsp; 30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06</P><P></P><P>&nbsp; 092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E</P><P></P><P>&nbsp; BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3</P><P></P><P>&nbsp; 6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06</P><P></P><P>&nbsp; 03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041</P><P></P><P>&nbsp; 8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A</P><P></P><P>&nbsp; EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100</P><P></P><P>&nbsp; BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F</P><P></P><P>&nbsp; 50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quit</P><P></P><P>crypto pki certificate chain 881-sshs-r1ca</P><P></P><P>certificate ca 01</P><P></P><P>&nbsp; 30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030</P><P></P><P>&nbsp; 60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306</P><P></P><P>&nbsp; 03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368</P><P></P><P>&nbsp; 73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E</P><P></P><P>&nbsp; 73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131</P><P></P><P>&nbsp; 5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530</P><P></P><P>&nbsp; 13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73</P><P></P><P>&nbsp; 73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469</P><P></P><P>&nbsp; 6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100</P><P></P><P>&nbsp; BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB</P><P></P><P>&nbsp; 2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7</P><P></P><P>&nbsp; B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605</P><P></P><P>&nbsp; 80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B</P><P></P><P>&nbsp; 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D</P><P></P><P>&nbsp; 0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC</P><P></P><P>&nbsp; 8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85</P><P></P><P>&nbsp; 10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548</P><P></P><P>&nbsp; B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A</P><P></P><P>&nbsp; 0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149</P><P></P><P>&nbsp; 2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF</P><P></P><P>&nbsp; CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quit</P><P></P><P>no ip source-route</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app</P><P></P><P>!</P><P></P><P>ip dhcp excluded-address 192.168.10.1 192.168.10.200</P><P></P><P>ip dhcp excluded-address 192.168.20.1 192.168.20.200</P><P></P><P>ip dhcp excluded-address 192.168.30.1 192.168.30.200</P><P></P><P>!</P><P></P><P>ip dhcp pool SSHS-LAN</P><P></P><P>import all</P><P></P><P>network 192.168.10.0 255.255.255.0</P><P></P><P>dns-server 192.168.10.1</P><P></P><P>default-router 192.168.10.1</P><P></P><P>domain-name sshs.local</P><P></P><P>lease 2</P><P></P><P>!</P><P></P><P>ip dhcp pool VLAN20</P><P></P><P>import all</P><P></P><P>network 192.168.20.0 255.255.255.0</P><P></P><P>dns-server 192.168.10.1</P><P></P><P>default-router 192.168.20.1</P><P></P><P>domain-name sshs.local</P><P></P><P>lease 2</P><P></P><P>!</P><P></P><P>ip dhcp pool VLAN30</P><P></P><P>import all</P><P></P><P>network 192.168.30.0 255.255.255.0</P><P></P><P>dns-server 192.168.10.1</P><P></P><P>default-router 192.168.30.1</P><P></P><P>domain-name sshs.local</P><P></P><P>lease 2</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>no ip bootp server</P><P></P><P>ip domain name sshs.local</P><P></P><P>ip host 881W-SSHS-R1 192.168.10.1</P><P></P><P>ip name-server 208.122.23.22</P><P></P><P>ip name-server 208.122.23.23</P><P></P><P>ip cef</P><P></P><P>no ipv6 cef</P><P></P><P>ipv6 multicast rpf use-bgp</P><P></P><P>!</P><P></P><P>parameter-map type protocol-info msn-servers</P><P></P><P>server name messenger.hotmail.com</P><P></P><P>server name gateway.messenger.hotmail.com</P><P></P><P>server name webmessenger.msn.com</P><P></P><P>parameter-map type protocol-info aol-servers</P><P></P><P>server name login.oscar.aol.com</P><P></P><P>server name toc.oscar.aol.com</P><P></P><P>server name oam-d09a.blue.aol.com</P><P></P><P>parameter-map type protocol-info yahoo-servers</P><P></P><P>server name scs.msg.yahoo.com</P><P></P><P>server name scsa.msg.yahoo.com</P><P></P><P>server name scsb.msg.yahoo.com</P><P></P><P>server name scsc.msg.yahoo.com</P><P></P><P>server name scsd.msg.yahoo.com</P><P></P><P>server name cs16.msg.dcn.yahoo.com</P><P></P><P>server name cs19.msg.dcn.yahoo.com</P><P></P><P>server name cs42.msg.dcn.yahoo.com</P><P></P><P>server name cs53.msg.dcn.yahoo.com</P><P></P><P>server name cs54.msg.dcn.yahoo.com</P><P></P><P>server name ads1.vip.scd.yahoo.com</P><P></P><P>server name radio1.launch.vip.dal.yahoo.com</P><P></P><P>server name in1.msg.vip.re2.yahoo.com</P><P></P><P>server name data1.my.vip.sc5.yahoo.com</P><P></P><P>server name address1.pim.vip.mud.yahoo.com</P><P></P><P>server name edit.messenger.yahoo.com</P><P></P><P>server name messenger.yahoo.com</P><P></P><P>server name http.pager.yahoo.com</P><P></P><P>server name privacy.yahoo.com</P><P></P><P>server name csa.yahoo.com</P><P></P><P>server name csb.yahoo.com</P><P></P><P>server name csc.yahoo.com</P><P></P><P>!</P><P></P><P>multilink bundle-name authenticated</P><P></P><P>license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y</P><P></P><P>license boot module c880-data level advipservices</P><P></P><P>!</P><P></P><P>!</P><P></P><P>username sshs privilege 15 password 7 050F131920425A0C48</P><P></P><P>username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>ip tcp synwait-time 10</P><P></P><P>no ip ftp passive</P><P></P><P>!</P><P></P><P>class-map type inspect imap match-any ccp-app-imap</P><P></P><P>match invalid-command</P><P></P><P>class-map match-any AutoQoS-Voice-Fa4</P><P></P><P>match protocol rtp audio</P><P></P><P>class-map type inspect match-all CCP_SSLVPN</P><P></P><P>match access-group 199</P><P></P><P>class-map match-any AutoQoS-Scavenger-Fa4</P><P></P><P>match protocol bittorrent</P><P></P><P>match protocol edonkey</P><P></P><P>class-map type inspect match-any ccp-skinny-inspect</P><P></P><P>match protocol skinny</P><P></P><P>class-map type inspect match-any remote-app</P><P></P><P>match protocol Other</P><P></P><P>class-map type inspect match-all SDM_RIP_PT</P><P></P><P>match protocol router</P><P></P><P>class-map type inspect match-any bootps</P><P></P><P>match protocol bootps</P><P></P><P>class-map type inspect match-any SDM_WEBVPN</P><P></P><P>match access-group name SDM_WEBVPN</P><P></P><P>class-map type inspect match-any SDM_HTTP</P><P></P><P>match access-group name SDM_HTTP</P><P></P><P>class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices</P><P></P><P>match service any</P><P></P><P>class-map type inspect msnmsgr match-any ccp-app-msn-otherservices</P><P></P><P>match service any</P><P></P><P>class-map type inspect match-any ccp-h323nxg-inspect</P><P></P><P>match protocol h323-nxg</P><P></P><P>class-map type inspect match-any ccp-cls-icmp-access</P><P></P><P>match protocol icmp</P><P></P><P>match protocol tcp</P><P></P><P>match protocol udp</P><P></P><P>class-map type inspect match-any ccp-cls-protocol-im</P><P></P><P>match protocol ymsgr yahoo-servers</P><P></P><P>match protocol msnmsgr msn-servers</P><P></P><P>match protocol aol aol-servers</P><P></P><P>class-map type inspect aol match-any ccp-app-aol-otherservices</P><P></P><P>match service any</P><P></P><P>class-map type inspect match-all ccp-protocol-pop3</P><P></P><P>match protocol pop3</P><P></P><P>class-map type inspect match-any ccp-h225ras-inspect</P><P></P><P>match protocol h225ras</P><P></P><P>class-map match-any AutoQoS-VoIP-Remark</P><P></P><P>match ip dscp ef</P><P></P><P>match ip dscp cs3</P><P></P><P>match ip dscp af31</P><P></P><P>class-map type inspect match-any ccp-h323annexe-inspect</P><P></P><P>match protocol h323-annexe</P><P></P><P>class-map type inspect match-any ccp-cls-insp-traffic</P><P></P><P>match protocol pptp</P><P></P><P>match protocol dns</P><P></P><P>match protocol ftp</P><P></P><P>match protocol https</P><P></P><P>match protocol icmp</P><P></P><P>match protocol imap</P><P></P><P>match protocol pop3</P><P></P><P>match protocol netshow</P><P></P><P>match protocol shell</P><P></P><P>match protocol realmedia</P><P></P><P>match protocol rtsp</P><P></P><P>match protocol smtp</P><P></P><P>match protocol sql-net</P><P></P><P>match protocol streamworks</P><P></P><P>match protocol tftp</P><P></P><P>match protocol vdolive</P><P></P><P>match protocol tcp</P><P></P><P>match protocol udp</P><P></P><P>class-map type inspect match-any SDM_SSH</P><P></P><P>match access-group name SDM_SSH</P><P></P><P>class-map type inspect pop3 match-any ccp-app-pop3</P><P></P><P>match invalid-command</P><P></P><P>class-map type inspect match-any SDM_HTTPS</P><P></P><P>match access-group name SDM_HTTPS</P><P></P><P>class-map type inspect match-any bootpc_bootps</P><P></P><P>match protocol bootpc</P><P></P><P>match protocol bootps</P><P></P><P>class-map type inspect match-all SDM_GRE</P><P></P><P>match access-group name SDM_GRE</P><P></P><P>class-map type inspect match-any SDM_SHELL</P><P></P><P>match access-group name SDM_SHELL</P><P></P><P>class-map type inspect match-any ccp-h323-inspect</P><P></P><P>match protocol h323</P><P></P><P>class-map type inspect msnmsgr match-any ccp-app-msn</P><P></P><P>match service text-chat</P><P></P><P>class-map type inspect ymsgr match-any ccp-app-yahoo</P><P></P><P>match service text-chat</P><P></P><P>class-map type inspect match-all ccp-invalid-src</P><P></P><P>match access-group 100</P><P></P><P>class-map type inspect http match-any ccp-app-httpmethods</P><P></P><P>match request method bcopy</P><P></P><P>match request method bdelete</P><P></P><P>match request method bmove</P><P></P><P>match request method bpropfind</P><P></P><P>match request method bproppatch</P><P></P><P>match request method connect</P><P></P><P>match request method copy</P><P></P><P>match request method delete</P><P></P><P>match request method edit</P><P></P><P>match request method getattribute</P><P></P><P>match request method getattributenames</P><P></P><P>match request method getproperties</P><P></P><P>match request method index</P><P></P><P>match request method lock</P><P></P><P>match request method mkcol</P><P></P><P>match request method mkdir</P><P></P><P>match request method move</P><P></P><P>match request method notify</P><P></P><P>match request method options</P><P></P><P>match request method poll</P><P></P><P>match request method propfind</P><P></P><P>match request method proppatch</P><P></P><P>match request method put</P><P></P><P>match request method revadd</P><P></P><P>match request method revlabel</P><P></P><P>match request method revlog</P><P></P><P>match request method revnum</P><P></P><P>match request method save</P><P></P><P>match request method search</P><P></P><P>match request method setattribute</P><P></P><P>match request method startrev</P><P></P><P>match request method stoprev</P><P></P><P>match request method subscribe</P><P></P><P>match request method trace</P><P></P><P>match request method unedit</P><P></P><P>match request method unlock</P><P></P><P>match request method unsubscribe</P><P></P><P>class-map match-any AutoQoS-VoIP-Control-UnTrust</P><P></P><P>match access-group name AutoQoS-VoIP-Control</P><P></P><P>class-map type inspect match-any ccp-sip-inspect</P><P></P><P>match protocol sip</P><P></P><P>class-map type inspect http match-any ccp-http-blockparam</P><P></P><P>match request port-misuse im</P><P></P><P>match request port-misuse p2p</P><P></P><P>match req-resp protocol-violation</P><P></P><P>class-map type inspect aol match-any ccp-app-aol</P><P></P><P>match service text-chat</P><P></P><P>class-map type inspect match-all ccp-protocol-imap</P><P></P><P>match protocol imap</P><P></P><P>class-map match-any AutoQoS-VoIP-RTP-UnTrust</P><P></P><P>match protocol rtp audio</P><P></P><P>match access-group name AutoQoS-VoIP-RTCP</P><P></P><P>class-map type inspect http match-any ccp-http-allowparam</P><P></P><P>match request port-misuse tunneling</P><P></P><P>class-map type inspect match-all ccp-protocol-http</P><P></P><P>match protocol http</P><P></P><P>class-map type inspect match-any sdm-cls-access</P><P></P><P>match class-map SDM_HTTPS</P><P></P><P>match class-map SDM_SSH</P><P></P><P>match class-map SDM_SHELL</P><P></P><P>class-map type inspect match-any CCP_PPTP</P><P></P><P>match class-map SDM_GRE</P><P></P><P>class-map type inspect match-all SDM_WEBVPN_TRAFFIC</P><P></P><P>match class-map SDM_WEBVPN</P><P></P><P>match access-group 102</P><P></P><P>class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1</P><P></P><P>match class-map bootps</P><P></P><P>match access-group name boops-DHCP</P><P></P><P>class-map type inspect match-all ccp-insp-traffic</P><P></P><P>match class-map ccp-cls-insp-traffic</P><P></P><P>class-map type inspect match-all ccp-cls-ccp-permit-1</P><P></P><P>match class-map bootpc_bootps</P><P></P><P>match access-group name DHCP-Request</P><P></P><P>class-map type inspect match-any SDM_CA_SERVER</P><P></P><P>match class-map SDM_HTTPS</P><P></P><P>match class-map SDM_HTTP</P><P></P><P>class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1</P><P></P><P>match class-map uremote-app</P><P></P><P>match access-group name remote-app</P><P></P><P>class-map type inspect match-all ccp-protocol-im</P><P></P><P>match class-map ccp-cls-protocol-im</P><P></P><P>class-map type inspect match-all ccp-icmp-access</P><P></P><P>match class-map ccp-cls-icmp-access</P><P></P><P>class-map type inspect match-all sdm-access</P><P></P><P>match class-map sdm-cls-access</P><P></P><P>match access-group 101</P><P></P><P>!</P><P></P><P>policy-map type inspect pop3 ccp-action-pop3</P><P></P><P>class type inspect pop3 ccp-app-pop3</P><P></P><P>&nbsp; log</P><P></P><P>policy-map type inspect im ccp-action-app-im</P><P></P><P>class type inspect aol ccp-app-aol</P><P></P><P>&nbsp; log</P><P></P><P>&nbsp; allow</P><P></P><P>class type inspect msnmsgr ccp-app-msn</P><P></P><P>&nbsp; log</P><P></P><P>&nbsp; allow</P><P></P><P>class type inspect ymsgr ccp-app-yahoo</P><P></P><P>&nbsp; log</P><P></P><P>&nbsp; allow</P><P></P><P>class type inspect aol ccp-app-aol-otherservices</P><P></P><P>&nbsp; log</P><P></P><P>class type inspect msnmsgr ccp-app-msn-otherservices</P><P></P><P>&nbsp; log</P><P></P><P>class type inspect ymsgr ccp-app-yahoo-otherservices</P><P></P><P>&nbsp; log</P><P></P><P>policy-map type inspect ccp-pol-outToIn</P><P></P><P>class type inspect CCP_PPTP</P><P></P><P>&nbsp; pass</P><P></P><P>class type inspect ccp-cls-ccp-pol-outToIn-1</P><P></P><P>&nbsp; pass log</P><P></P><P>class class-default</P><P></P><P>&nbsp; drop log</P><P></P><P>policy-map type inspect imap ccp-action-imap</P><P></P><P>class type inspect imap ccp-app-imap</P><P></P><P>&nbsp; log</P><P></P><P>policy-map AutoQoS-Policy-Fa4</P><P></P><P>class AutoQoS-Voice-Fa4</P><P></P><P>&nbsp; priority percent 1</P><P></P><P>&nbsp; set dscp ef</P><P></P><P>class AutoQoS-Scavenger-Fa4</P><P></P><P>&nbsp; bandwidth remaining percent 1</P><P></P><P>&nbsp; set dscp cs1</P><P></P><P>class class-default</P><P></P><P>&nbsp; fair-queue</P><P></P><P>policy-map AutoQoS-Policy-UnTrust</P><P></P><P>class AutoQoS-VoIP-RTP-UnTrust</P><P></P><P>&nbsp; priority percent 70</P><P></P><P>&nbsp; set dscp ef</P><P></P><P>class AutoQoS-VoIP-Control-UnTrust</P><P></P><P>&nbsp; bandwidth percent 5</P><P></P><P>&nbsp; set dscp af31</P><P></P><P>class AutoQoS-VoIP-Remark</P><P></P><P>&nbsp; set dscp default</P><P></P><P>class class-default</P><P></P><P>&nbsp; fair-queue</P><P></P><P>policy-map type inspect http ccp-action-app-http</P><P></P><P>class type inspect http ccp-http-blockparam</P><P></P><P>&nbsp; log</P><P></P><P>class type inspect http ccp-app-httpmethods</P><P></P><P>&nbsp; log</P><P></P><P>class type inspect http ccp-http-allowparam</P><P></P><P>&nbsp; log</P><P></P><P>&nbsp; allow</P><P></P><P>policy-map type inspect ccp-inspect</P><P></P><P>class type inspect ccp-invalid-src</P><P></P><P>&nbsp; drop log</P><P></P><P>class type inspect ccp-protocol-http</P><P></P><P>&nbsp; inspect</P><P></P><P>&nbsp; service-policy http ccp-action-app-http</P><P></P><P>class type inspect ccp-protocol-imap</P><P></P><P>&nbsp; inspect</P><P></P><P>&nbsp; service-policy imap ccp-action-imap</P><P></P><P>class type inspect ccp-protocol-pop3</P><P></P><P>&nbsp; inspect</P><P></P><P>&nbsp; service-policy pop3 ccp-action-pop3</P><P></P><P>class type inspect ccp-protocol-im</P><P></P><P>&nbsp; inspect</P><P></P><P>&nbsp; service-policy im ccp-action-app-im</P><P></P><P>class type inspect ccp-insp-traffic</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-sip-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-h323-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-h323annexe-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-h225ras-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-h323nxg-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-skinny-inspect</P><P></P><P>&nbsp; inspect</P><P></P><P>class class-default</P><P></P><P>&nbsp; drop</P><P></P><P>policy-map type inspect ccp-sslvpn-pol</P><P></P><P>class type inspect CCP_SSLVPN</P><P></P><P>&nbsp; pass</P><P></P><P>class class-default</P><P></P><P>&nbsp; drop</P><P></P><P>policy-map type inspect ccp-permit</P><P></P><P>class type inspect SDM_CA_SERVER</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect ccp-cls-ccp-permit-1</P><P></P><P>&nbsp; pass log</P><P></P><P>class type inspect SDM_WEBVPN_TRAFFIC</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect sdm-access</P><P></P><P>&nbsp; inspect</P><P></P><P>class type inspect SDM_RIP_PT</P><P></P><P>&nbsp; pass</P><P></P><P>class class-default</P><P></P><P>&nbsp; drop</P><P></P><P>policy-map type inspect ccp-permit-icmpreply</P><P></P><P>class type inspect ccp-cls-ccp-permit-icmpreply-1</P><P></P><P>&nbsp; pass log</P><P></P><P>class type inspect ccp-icmp-access</P><P></P><P>&nbsp; inspect</P><P></P><P>class class-default</P><P></P><P>&nbsp; pass</P><P></P><P>!</P><P></P><P>zone security out-zone</P><P></P><P>zone security in-zone</P><P></P><P>zone security sslvpn-zone</P><P></P><P>zone-pair security ccp-zp-self-out source self destination out-zone</P><P></P><P>service-policy type inspect ccp-permit-icmpreply</P><P></P><P>zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone</P><P></P><P>service-policy type inspect ccp-pol-outToIn</P><P></P><P>zone-pair security ccp-zp-in-out source in-zone destination out-zone</P><P></P><P>service-policy type inspect ccp-inspect</P><P></P><P>zone-pair security ccp-zp-out-self source out-zone destination self</P><P></P><P>service-policy type inspect ccp-permit</P><P></P><P>zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone</P><P></P><P>service-policy type inspect ccp-sslvpn-pol</P><P></P><P>zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone</P><P></P><P>service-policy type inspect ccp-sslvpn-pol</P><P></P><P>zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone</P><P></P><P>service-policy type inspect ccp-sslvpn-pol</P><P></P><P>zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone</P><P></P><P>service-policy type inspect ccp-sslvpn-pol</P><P></P><P>csdb tcp synwait-time 30</P><P></P><P>csdb tcp idle-time 3600</P><P></P><P>csdb tcp finwait-time 5</P><P></P><P>csdb tcp reassembly max-memory 1024</P><P></P><P>csdb tcp reassembly max-queue-length 16</P><P></P><P>csdb udp idle-time 30</P><P></P><P>csdb icmp idle-time 10</P><P></P><P>csdb session max-session 65535</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>interface Null0</P><P></P><P>no ip unreachables</P><P></P><P>!</P><P></P><P>interface FastEthernet0</P><P></P><P>description LAN</P><P></P><P>switchport mode trunk</P><P></P><P>no ip address</P><P></P><P>!</P><P></P><P>interface FastEthernet1</P><P></P><P>description Not in Use</P><P></P><P>no ip address</P><P></P><P>!</P><P></P><P>interface FastEthernet2</P><P></P><P>description Trunk to 861W-SSHS-R1</P><P></P><P>switchport mode trunk</P><P></P><P>no ip address</P><P></P><P>auto discovery qos</P><P></P><P>!</P><P></P><P>interface FastEthernet3</P><P></P><P>description VoIP</P><P></P><P>switchport access vlan 30</P><P></P><P>no ip address</P><P></P><P>service-policy output AutoQoS-Policy-UnTrust</P><P></P><P>!</P><P></P><P>interface FastEthernet4</P><P></P><P>description WAN$ETH-WAN$$FW_OUTSIDE$</P><P></P><P>ip ddns update hostname xxx.xxxx.org</P><P></P><P>ip address dhcp client-id FastEthernet4</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>ip nat outside</P><P></P><P>ip virtual-reassembly in</P><P></P><P>zone-member security out-zone</P><P></P><P>duplex auto</P><P></P><P>speed auto</P><P></P><P>auto qos</P><P></P><P>service-policy output AutoQoS-Policy-Fa4</P><P></P><P>!</P><P></P><P>interface Virtual-Template1</P><P></P><P>ip unnumbered Vlan1</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>zone-member security sslvpn-zone</P><P></P><P>!</P><P></P><P>interface wlan-ap0</P><P></P><P>description Service module interface to manage the embedded AP</P><P></P><P>ip unnumbered Vlan1</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>arp timeout 0</P><P></P><P>!</P><P></P><P>interface Wlan-GigabitEthernet0</P><P></P><P>description Internal switch interface connecting to the embedded AP</P><P></P><P>switchport mode trunk</P><P></P><P>no ip address</P><P></P><P>!</P><P></P><P>interface Vlan1</P><P></P><P>description SSHS Default LAN$FW_INSIDE$</P><P></P><P>ip address 192.168.10.1 255.255.255.0</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>ip nat inside</P><P></P><P>ip virtual-reassembly in</P><P></P><P>zone-member security in-zone</P><P></P><P>!</P><P></P><P>interface Vlan20</P><P></P><P>description $FW_INSIDE$</P><P></P><P>ip address 192.168.20.1 255.255.255.0</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>zone-member security in-zone</P><P></P><P>!</P><P></P><P>interface Vlan30</P><P></P><P>description $FW_INSIDE$</P><P></P><P>ip address 192.168.30.1 255.255.255.0</P><P></P><P>no ip redirects</P><P></P><P>no ip proxy-arp</P><P></P><P>ip flow ingress</P><P></P><P>ip nat inside</P><P></P><P>ip virtual-reassembly in</P><P></P><P>zone-member security in-zone</P><P></P><P>!</P><P></P><P>interface Dialer0</P><P></P><P>description PPPoA Dialer for Int ATM0$FW_INSIDE$</P><P></P><P>ip address negotiated</P><P></P><P>ip access-group aclInternetInbound in</P><P></P><P>no ip redirects</P><P></P><P>no ip unreachables</P><P></P><P>no ip proxy-arp</P><P></P><P>ip mtu 1492</P><P></P><P>ip flow ingress</P><P></P><P>ip nat outside</P><P></P><P>ip virtual-reassembly in</P><P></P><P>zone-member security in-zone</P><P></P><P>encapsulation ppp</P><P></P><P>dialer pool 1</P><P></P><P>ppp authentication chap callin</P><P></P><P>ppp chap hostname SSHS-CHAP</P><P></P><P>ppp chap password 7 045F1E100E2F584B</P><P></P><P>ppp ipcp dns request accept</P><P></P><P>ppp ipcp route default</P><P></P><P>ppp ipcp address accept</P><P></P><P>!</P><P></P><P>router rip</P><P></P><P>network 192.168.10.0</P><P></P><P>network 192.168.20.0</P><P></P><P>network 192.168.30.0</P><P></P><P>!</P><P></P><P>ip local pool sslvpn-pool 192.168.10.190 192.168.10.199</P><P></P><P>ip forward-protocol nd</P><P></P><P>ip http server</P><P></P><P>ip http authentication local</P><P></P><P>ip http secure-server</P><P></P><P>!</P><P></P><P>!</P><P></P><P>ip dns server</P><P></P><P>ip nat inside source list 1 interface FastEthernet4 overload</P><P></P><P>ip nat inside source list 199 interface FastEthernet4 overload</P><P></P><P>ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp</P><P></P><P>!</P><P></P><P>ip access-list extended AutoQoS-VoIP-Control</P><P></P><P>permit tcp any any eq 1720</P><P></P><P>permit tcp any any range 11000 11999</P><P></P><P>permit udp any any eq 2427</P><P></P><P>permit tcp any any eq 2428</P><P></P><P>permit tcp any any range 2000 2002</P><P></P><P>permit udp any any eq 1719</P><P></P><P>permit udp any any eq 5060</P><P></P><P>ip access-list extended AutoQoS-VoIP-RTCP</P><P></P><P>permit udp any any range 16384 32767</P><P></P><P>ip access-list extended DHCP-Request</P><P></P><P>remark CCP_ACL Category=128</P><P></P><P>permit ip any any</P><P></P><P>ip access-list extended SDM_GRE</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit gre any any log</P><P></P><P>ip access-list extended SDM_HTTP</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit tcp any any eq www log</P><P></P><P>ip access-list extended SDM_HTTPS</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit tcp any any eq 443 log</P><P></P><P>ip access-list extended SDM_SHELL</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit tcp any any eq cmd</P><P></P><P>ip access-list extended SDM_SSH</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit tcp any any eq 22 log</P><P></P><P>ip access-list extended SDM_WEBVPN</P><P></P><P>remark CCP_ACL Category=1</P><P></P><P>permit tcp any any eq 443 log</P><P></P><P>ip access-list extended remote-app</P><P></P><P>remark CCP_ACL Category=128</P><P></P><P>permit ip any host 192.168.10.50</P><P></P><P>ip access-list extended boops-DHCP</P><P></P><P>remark CCP_ACL Category=128</P><P></P><P>permit ip any any</P><P></P><P>!</P><P></P><P>logging host 192.168.10.50</P><P></P><P>!</P><P></P><P>access-list 1 permit 0.0.0.0 255.255.255.0</P><P></P><P>access-list 2 remark CCP_ACL Category=1</P><P></P><P>access-list 2 permit 192.168.10.50</P><P></P><P>access-list 100 remark CCP_ACL Category=128</P><P></P><P>access-list 100 permit ip host 255.255.255.255 any</P><P></P><P>access-list 100 permit ip 127.0.0.0 0.255.255.255 any</P><P></P><P>access-list 100 permit ip 192.168.1.0 0.0.0.255 any</P><P></P><P>access-list 101 remark CCP_ACL Category=128</P><P></P><P>access-list 101 permit ip 192.168.1.0 0.0.0.255 any</P><P></P><P>access-list 199 permit ip any any</P><P></P><P>!</P><P></P><P>!</P><P></P><P>!</P><P></P><P>control-plane</P><P></P><P>!</P><P></P><P>rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS</P><P></P><P>!</P><P></P><P>banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue</P><P></P><P>^C</P><P></P><P>banner motd ^C This router is designated as the primary router in the SSHS LAN ^C</P><P></P><P>!</P><P></P><P>line con 0</P><P></P><P>password 7 06021A374D401D1C54</P><P></P><P>logging synchronous</P><P></P><P>no modem enable</P><P></P><P>transport output telnet</P><P></P><P>line aux 0</P><P></P><P>password 7 06021A374D401D1C54</P><P></P><P>transport output telnet</P><P></P><P>line 2</P><P></P><P>no activation-character</P><P></P><P>no exec</P><P></P><P>transport preferred none</P><P></P><P>transport input all</P><P></P><P>line vty 0 4</P><P></P><P>privilege level 15</P><P></P><P>password 7 130102040A02102F7A</P><P></P><P>length 0</P><P></P><P>transport input telnet ssh</P><P></P><P>transport output telnet ssh</P><P></P><P>!</P><P></P><P>scheduler interval 500</P><P></P><P>ntp master</P><P></P><P>ntp update-calendar</P><P></P><P>ntp server nist1-ny.ustiming.org prefer</P><P></P><P>!</P><P></P><P>!</P><P></P><P>webvpn gateway sshs-WebVPN-Gateway</P><P></P><P>ip interface FastEthernet4 port 443</P><P></P><P>ssl encryption rc4-md5</P><P></P><P>ssl trustpoint sshs-trustpoint</P><P></P><P>inservice</P><P></P><P>!</P><P></P><P>webvpn context sshs-WebVPN</P><P></P><P>secondary-color white</P><P></P><P>title-color #669999</P><P></P><P>text-color black</P><P></P><P>!</P><P></P><P>acl "ssl-acl"</P><P></P><P>&nbsp;&nbsp; permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0</P><P></P><P>aaa authentication list sslvpn</P><P></P><P>gateway sshs-WebVPN-Gateway</P><P></P><P>max-users 4</P><P></P><P>!</P><P></P><P>ssl authenticate verify all</P><P></P><P>!</P><P></P><P>url-list "rewrite"</P><P></P><P>inservice</P><P></P><P>!</P><P></P><P>policy group sshs-webvpnpolicy</P><P></P><P>&nbsp;&nbsp; functions svc-enabled</P><P></P><P>&nbsp;&nbsp; filter tunnel ssl-acl</P><P></P><P>&nbsp;&nbsp; svc address-pool "webvpnpool" netmask 255.255.255.0</P><P></P><P>&nbsp;&nbsp; svc rekey method new-tunnel</P><P></P><P>&nbsp;&nbsp; svc split include 192.168.0.0 255.255.255.0</P><P></P><P>default-group-policy sshs-webvpnpolicy</P><P></P><P>!</P><P></P><P>end</P></BODY></HTML> Sat, 24 Aug 2013 04:19:23 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298852#M344017 sshsolutions 2013-08-24T04:19:23Z CCP - Advanced Firewall Creating Custom Ports Inbound Traffic https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298853#M344018 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>So you want to port forward TCP 3389 to 192.168.10.50&nbsp; ?</P><P>If so then first you must have a static PAT statement:</P><P>ip nat inside source static tcp 192.168.10.50 3389 interface Fastethernet4 3389</P><P>Then you'll have to inspect this traffic when entering your firewall:</P><P>class-map type inspect user-remote-app-tcp</P><P>match protocol user-remote-app-tcp</P><P>no policy-map type-inspect ccp-pol-outToIn</P><P>policy-map type-inspect ccp-pol-outToIn</P><P>class type inspect user-remote-app-tcp</P><P> inspect</P><P>class type inspect CCP_PPTP</P><P> pass</P><P>class type inspect ccp-cls-ccp-pol-outToIn-1</P><P>&nbsp; pass log</P><P>class class-default</P><P>&nbsp; drop log</P><P></P><P>Regards</P><P></P><P>Alain</P><P></P><P>Don't forget to rate helpful posts.</P></BODY></HTML> Sat, 24 Aug 2013 15:17:55 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298853#M344018 cadet alain 2013-08-24T15:17:55Z Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298854#M344019 <HTML><HEAD></HEAD><BODY><P>Cadet's recommendation looks on the mark. I recommend following it.</P><P></P><P>BTW, you cannot easily share from CCP directly - the configuraiton you posted does the job.</P><P></P><P>Regards,</P><P></P><P>- Marvin</P></BODY></HTML> Sat, 24 Aug 2013 22:28:56 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298854#M344019 Marvin Rhoads 2013-08-24T22:28:56Z Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298855#M344020 <HTML><HEAD></HEAD><BODY><P>Thanks Cadet for your assistance, i will test the change and report back.</P></BODY></HTML> Mon, 26 Aug 2013 03:57:19 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298855#M344020 sshsolutions 2013-08-26T03:57:19Z Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298856#M344022 <HTML><HEAD></HEAD><BODY><P>Appreciate the help Marvin. I will try the recommendation provided earlier and report back.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 26 Aug 2013 03:58:29 GMT https://community.cisco.com/t5/network-security/ccp-advanced-firewall-creating-custom-ports-inbound-traffic/m-p/2298856#M344022 sshsolutions 2013-08-26T03:58:29Z