Allowing RDP through ZBF

Yordan Yordanov
Level 1

Hi

I have the following problem. I want to access my PC from outside through the ZBF.
I made my ZBF with CCP, and by default RDP is not allowed. That's why I made some changes in the configuration.

target:class)-(sdm-zp-NATOutsideToInside-1:class-default) Passing tcp pkt XXXXXXXXXXXXX:1138 => 10.1.1.3:3389 with ip ident 9212

!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 104
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 104
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 105
match protocol user-protocol--2
class-map type inspect match-all CCP_SSLVPN
match access-group 102
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any RDP_ACCESS
match access-group name RDP_ACCESS
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 106
class-map type inspect match-all RDP_ACCESS_TRAFFIC
match class-map RDP_ACCESS
match access-group 107
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--1-3
inspect
class type inspect sdm-nat-user-protocol--2-3
inspect
class type inspect CCP_PPTP
pass
class type inspect RDP_ACCESS_TRAFFIC
pass
class class-default
pass log
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Loopback10
description $FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
zone-member security in-zone
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template10
description $FW_INSIDE$
ip unnumbered Loopback10
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface GigabitEthernet0
description INTERNET$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface wlan-ap0
ip address 200.200.200.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
no ip address
!
interface Vlan1
description LAN$FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool webvpn-pool 10.2.2.2 10.2.2.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static udp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static tcp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static udp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static tcp 10.1.1.2 3389 interface GigabitEthernet0 60005
ip nat inside source static udp 10.1.1.2 3389 interface GigabitEthernet0 60005
!
ip access-list extended RDP_ACCESS
permit tcp any any eq 60006
permit udp any any eq 60006
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 60004
!
logging host 10.1.1.2
!
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.1.1.3
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.1.1.4
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.1.2
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip any host XXXXXXXXX (MY WAN IP)

access-list 107 permit ip any host XXXXXXXXX (MY WAN IP)
!

3 Replies

OK, in your other post you did not include the RDP_ACCESS ACL configuration. So you will need to either change the ports in this ACL to 3389, remove it from the RDP_ACCESS_TRAFFIC class-map, or change the RDP server to listen on port 60006. Your choice.

--

Please remember to select a correct answer and rate helpful posts

Hi

I tried, but without success. Now I made the config clean (only generated from CCP).

Can you please tell me what I should do to reach my internal PCs (10.1.1.2 and 10.1.1.3) from outside with RDP? This is the config now:

class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 104
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 104
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 105
match protocol user-protocol--2
class-map type inspect match-all CCP_SSLVPN
match access-group 102
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 106
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--1-3
inspect
class type inspect sdm-nat-user-protocol--2-3
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Loopback10
description $FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
zone-member security in-zone
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template10
description $FW_INSIDE$
ip unnumbered Loopback10
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface GigabitEthernet0
description INTERNET$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface wlan-ap0
ip address 200.200.200.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
no ip address
!
interface Vlan1
description LAN$FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool webvpn-pool 10.2.2.2 10.2.2.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static udp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static tcp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static udp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static tcp 10.1.1.2 3389 interface GigabitEthernet0 60005
ip nat inside source static udp 10.1.1.2 3389 interface GigabitEthernet0 60005
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 60004
!
logging host 10.1.1.2
!
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.1.1.3
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.1.1.4
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.1.2
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip any host WAN IP ADDRESS

Hi Yordan,

From the configuration, I could see that you have configured action 'pass' for the concerned traffic from out to in zone; however, for in to out zone, I could only see 'inspect' action. This would not work, as the return traffic would not find any session due to pass action. So perform inspect from Out to In for RDP or add Pass action from In to Out zone.

Also try with 'private ip address and port' in the access-list which is matching the traffic in zone-pair, as untranslation would occur before zone based match.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
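
The fix the accepted answer describes (inspect instead of pass on the out-zone to in-zone pair, and an ACL written against the inside address and real port), combined with the port change the first reply suggests, written out as an added example. This is not configuration from the thread or from CCP. It assumes the names RDP_INSIDE and RDP_INSIDE_TRAFFIC (chosen so they do not collide with the RDP_ACCESS objects in the original post), keeps the existing static PAT of WAN port 60006 to 10.1.1.3:3389 unchanged, and covers only TCP 3389, which is the transport RDP requires.

```cisco
! Added example, not the original poster's configuration.
! Goal: reach 10.1.1.3:3389 from out-zone through WAN port 60006.
!
! Step 1: match the flow as ZBF sees it. Static NAT untranslation runs
! before the zone-pair lookup, so the ACL names the inside address and
! the real RDP port, not the WAN address and port 60006.
! Exposing RDP to every source is risky: if the client's address is
! fixed, replace "any" with "host <trusted-src>" (assumed placeholder).
ip access-list extended RDP_INSIDE
 remark RDP to the workstation behind the static PAT
 permit tcp any host 10.1.1.3 eq 3389
!
! Step 2: match-all class; both the ACL and the TCP protocol must match.
class-map type inspect match-all RDP_INSIDE_TRAFFIC
 match access-group name RDP_INSIDE
 match protocol tcp
!
! Step 3: 'inspect' rather than 'pass'. inspect creates a stateful session
! for the out-zone -> in-zone SYN, so the server's replies toward out-zone
! are admitted against that session. 'pass' is stateless and one-way; the
! replies would need a second 'pass' on ccp-zp-in-out, which opens far more.
! class-default is evaluated last regardless of where it appears.
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect RDP_INSIDE_TRAFFIC
  inspect
 class class-default
  drop log
!
! The zone pair from the original post already applies this policy-map;
! repeated here unchanged for completeness.
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
! Existing static PAT (unchanged): WAN:60006 -> 10.1.1.3:3389
ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006
```

To check it, connect from outside and run `show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1 sessions`: a session for the client address to 10.1.1.3:3389 should be listed under class RDP_INSIDE_TRAFFIC, and `show ip nat translations | include 3389` shows the untranslation that happened before the zone-pair match. If the earlier RDP_ACCESS_TRAFFIC class with its `pass` action is still present in the policy-map, remove it so it does not match the traffic first.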
