Need Help with Port Forwarding (ZBFW) on my 881W

jaesposito
Level 1

All,

I need to update my Cisco 881W config to allow port forwarding FROM the Internet TO the following inside device as follows:

IP Address:  192.168.1.254

Protocol:  TCP/UDP

Port: 5001


This device is a Slingbox Pro-HD and I want to be able to view it from the Internet.

Attached is a copy of my 881W config.  I am horrible at properly configuring my zone based firewall (ZBFW) config, which is why I desperately need help.  I appreciate the help from this forum!

Thanks very much!

James E

9 Replies

Julio Carvajal
VIP Alumni

Hello Jaesposito,

-First thing to say here is that you want to allow inbound access to one ip address on the inside, so you will need to do a static port forwarding for each port:

ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001
ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001

-Second thing: As you know we are going to try to access from the outside to the inside so we need to create a new zone-pair and their respective policies

ip access-list extended Slingbox_access
 permit tcp any host x.x.x.x (dialer0 ip) eq 5001
 permit udp any host x.x.x.x (dialer0 ip) eq 5001
class-map type inspect ccp-Slingbox
 match access-group Slingbox_access
policy-map type inspect ccp-Slingbox-access-in
 class type inspect ccp-Slingbox
  inspect
zone-pair security ccp-zp-out-in source outside destination inside
 service-policy type inspect ccp-Slingbox-access-in

Please let me know the result of this.

Do please rate helpful posts!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks for the response. I have two questions about your recommended config changes:

1.) Did you mean to indicate "udp" in the second "ip nat" statement? You listed TCP twice and I just want to confirm that this was a simple typo.

2.) With regards to the extended access-list, the public ip address on my Dialer0 interface is NOT static. It changes anytime my modem restarts. So this approach will be problematic if my modem restarts and thereby makes my ip forwarding config useless. Any ideas on how to work around this?

Thanks for the help!

James

Hello Jae,

1- Just a typo, I am sorry; it has to be UDP.

2- Do not pay attention to the ACL, I do not know what I was thinking (today was a really long day).

This is the ACL you need to have there:

ip access-list extended Slingbox_access
 permit tcp any host 192.168.1.254 eq 5001
 permit udp any host 192.168.1.254 eq 5001

This is because NAT is applied before the ZBFW.

Do please rate helpful posts.

Let me know the result of the changes,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I got an error message after inputting the "class access-group" line. Here was the input leading up to the error message:

Pinecrest-rtr(config)#ip access-list extended Slingbox_access

Pinecrest-rtr(config-ext-nacl)#permit tcp any host 192.168.1.254 eq 5001

Pinecrest-rtr(config-ext-nacl)#permit udp any host 192.168.1.254 eq 5001

Pinecrest-rtr(config-ext-nacl)#exit

Pinecrest-rtr(config)#class-map type inspect ccp-Slingbox

Pinecrest-rtr(config-cmap)#match access-group Slingbox_access

^

% Invalid input detected at '^' marker.

Pinecrest-rtr(config-cmap)#

Any idea what is wrong with the config leading up to this error message?

Thanks,

James

Hello Jae,

Pinecrest-rtr(config)#class-map type inspect ccp-Slingbox

Pinecrest-rtr(config-cmap)#match access-group name Slingbox_access

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK.  It looks like we are down to one error message now.  Here is the last one:

Pinecrest-rtr#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Pinecrest-rtr(config)#$static tcp 192.168.1.254 5001 interface Dialer0 5001
Pinecrest-rtr(config)#$static tcp 192.168.1.254 5001 interface Dialer0 5001
Pinecrest-rtr(config)#
Pinecrest-rtr(config)#ip access-list extended Slingbox_access
Pinecrest-rtr(config-ext-nacl)#permit tcp any host 192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#permit udp any host  192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#
Pinecrest-rtr(config-ext-nacl)#class-map type inspect ccp-Slingbox
Pinecrest-rtr(config-cmap)#match access-group name Slingbox_access
Pinecrest-rtr(config-cmap)#
Pinecrest-rtr(config-cmap)#
Pinecrest-rtr(config-cmap)#policy-map type inspect ccp-Slingbox-access-in
Pinecrest-rtr(config-pmap)#class  type inspect ccp-Slingbox
Pinecrest-rtr(config-pmap-c)#inspect
Pinecrest-rtr(config-pmap-c)#
Pinecrest-rtr(config-pmap-c)#
Pinecrest-rtr(config-pmap-c)#$ice-policy type inspect ccp-Slingbox-access-in
zone-pair security ccp-zp-out-in source outside destination inside service-polic                                                                  ^y type inspect ccp-Slingbox-access-in

% Invalid input detected at '^' marker.

Pinecrest-rtr(config-pmap-c)#

Any ideas?

James

Hello Jae,

In configuration mode, please add the following two commands:

zone-pair security ccp-zp-out-in source outside destination inside
 service-policy type inspect ccp-Slingbox-access-in

It should work

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Do I use these two new lines in replacement of OR in addition to the last "zone-pair" config line?

zone-pair security ccp-zp-out-in source outside destination inside service-policy type inspect ccp-slingbox-access-in

Please clarify.  Thanks.

James

They are two different lines, not one; that is why it was not accepted.

zone-pair security ccp-zp-out-in source outside destination inside

        service-policy type inspect ccp-Slingbox-access-in

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
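Putting the thread's corrections together, the consolidated working configuration follows as an added example (assembled by the editor, not posted by either participant). It assumes the zones are already named `outside` and `inside` as in the thread, that the ZBFW ACL matches the inside (post-NAT) address because static NAT is applied before the inbound zone-pair policy, and that no CCP-generated policy is already bound to `ccp-zp-out-in` (if one is, add the class to that policy instead of replacing it).

```cisco
! Static port forwards, one per protocol. The first reply listed tcp twice,
! and the transcript above also entered tcp twice: the second must be udp.
ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001
ip nat inside source static udp 192.168.1.254 5001 interface Dialer0 5001
!
! Match on the inside address, so the dynamic Dialer0 IP never appears in the ACL.
ip access-list extended Slingbox_access
 permit tcp any host 192.168.1.254 eq 5001
 permit udp any host 192.168.1.254 eq 5001
!
! A named ACL needs the "name" keyword here (the cause of the first error).
class-map type inspect ccp-Slingbox
 match access-group name Slingbox_access
!
! Only this class is inspected; all other outside->inside traffic is dropped.
! The explicit class-default is optional (drop is the default), "log" adds visibility.
policy-map type inspect ccp-Slingbox-access-in
 class type inspect ccp-Slingbox
  inspect
 class class-default
  drop log
!
! service-policy is a sub-command of the zone-pair, entered on its own line
! (the cause of the second error).
zone-pair security ccp-zp-out-in source outside destination inside
 service-policy type inspect ccp-Slingbox-access-in
!
! Verification from exec mode:
!   show ip nat translations
!   show zone-pair security
!   show policy-map type inspect zone-pair ccp-zp-out-in sessions
```

The last show command lists the inspected sessions for the zone-pair, so a connection attempt to port 5001 from outside should appear there once NAT and the policy are both in place.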