topic ZBFW for user defined ports in Network Security

ZBFW for user defined ports

tduchcherer — Mon, 11 Mar 2019 20:46:58 GMT

We are just setting up a 2821 with ZBFW for our servers.

For simplicity we have only defined in-zone and out-zone.

All works fine for traffic such as HTTP, FTP, Email, etc. We NAT these to different servers and all is great.

Now we have to forward some ports that are not defined by Cisco, for example Microsoft Remote Desktop.

Using CCP, we have done the following:

Port to Application Mappings

user-rdp3389 tcp 3389

Firewall Policy (out-zone to in-zone)

any -> 10.0.10.96 service user-rdp3389 Inspect

This creates:

ip nat inside source static 10.0.10.96 nnn.nnn.nnn.nnn

ip port-map user-rdp3389 port tcp 3389

class-map type inspect match-any datacenter_services

match protocol user-rdp3389

class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-19

match class-map datacenter_services

match access-group name datacenter

ip access-list extended datacenter

remark CCP_ACL Category=128

permit ip any host 10.0.10.96

The config for http traffic to another server looks almost exactly the same, but of course matching http traffic and works fine.

The config for RDP port 3389 however, does not work at all.

We are new to the ZBFW, so desperately need help with this.

Thanks in Advance;

Terry

ZBFW for user defined ports

Jennifer Halim — Sun, 19 Jun 2011 02:36:40 GMT

You don't need to configure PAM (Port Address Mapping) as you are not mapping the default port to a different port.

For RDP you are using the default port 3389, so all you need to configure on the router is:

1) Static NAT (or static PAT if you are just NATing port)

2) ZBFW configure to match that traffic.

Please kindly share the router configuration, and also what IP Address you would like to NAT the RDP server to, and we can help.

Re: ZBFW for user defined ports

tduchcherer — Sun, 19 Jun 2011 13:59:35 GMT

Except that there is no default map for RDP

Platform Cisco 2821 12.4(22)T5

show ip port-map has no entry for port 3389, hence why I am trying to define a user-rdp = 3389

As an experiment, I remapped pcanywheredata that is normally on port 5631 to 3389 and made a rule using pcanywheredata, and it worked. But strangely, only for one server and I need several forwards.

I also have a need to forward port12010, 12011, and 9854 through to servers. Again there is no default for these ports so a user- map would be required.

Any time I make a user defined port-map, I cannot seem to forward the port through the firewall.

ZBFW for user defined ports

Jennifer Halim — Mon, 20 Jun 2011 00:58:29 GMT

As advised earlier, port map function is to map a non default port to the application specific, eg: HTTP default port is port 80, and if you are running HTTP on different port and would like to inspect it as if it's a HTTP traffic, then you would configure port map to map the non default port to HTTP.

What you are trying to achieve is just NATing RDP traffic so you can have access from the Internet (outside). What you would need to configure is not port map, but NAT and ZBFW inspection.

If you share a copy of "show run", we can help you to configure specifics for RDP (and please also advise what IP Address you would like to NAT the RDP to).

ZBFW for user defined ports

cadet alain — Tue, 21 Jun 2011 10:34:04 GMT

Hi,

Don't forget RDP is working with UDP/TCP and you should use static PAT and not static NAT as you did.

Regards.

Alain.