07-31-2017 05:14 PM - edited 03-12-2019 02:45 AM
Hello all,
I'm having some trouble with configuring an Cisco 881 router with CCP. I'm still learning my way through the way Cisco handles firewall. I'm trying to block all but a few ports going to a particular network device in the network, and I can't seem to get it figured out. From my understanding and looking at the zone firewall, it should be blocking anything that's not explicitly allowed. I'm trying to block all but selected traffic from going to 10.23.33.51. Here's my config:
Building configuration...
Current configuration : 18660 bytes
!
! Last configuration change at 22:12:16 UTC Mon Jul 31 2017 by bcrs
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bj-881
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
enable secret 4 wrtEs9kM3qEKQvvA.n.sBs7tl7YHNAlKMQmVoq9Lq/Y
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2599306641
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2599306641
revocation-check none
rsakeypair TP-self-signed-2599306641
!
!
crypto pki certificate chain TP-self-signed-2599306641
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353939 33303636 3431301E 170D3134 30353236 32333134
32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35393933
30363634 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B870 9F434F35 744CC820 62247940 B6A169DF E7F37BD9 225DF38D 91536711
1D4C8259 6FCCEDCB 1A4D04F0 016423A1 959E756F D7C777D6 8ADC8B52 67ABE6C0
535E28F8 383C5BC8 FE5DC501 ABD23599 4B779ACC 0711B1E6 DFC6D70E F02524A5
E6FC8557 81F12DFF AAE500B8 EE7379D9 FAF273B7 1E1AC802 A718F1E0 03C0C3CD
8D630203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 147BBCB4 1A1A51A7 5E3B1D31 2808CC7F 414D6670 2E301D06
03551D0E 04160414 7BBCB41A 1A51A75E 3B1D3128 08CC7F41 4D66702E 300D0609
2A864886 F70D0101 05050003 81810031 D35E5D92 5498E16C F70F22C0 A210C953
5DF4FCBE 02297BCB 1DB6C577 414F28A2 DD153D12 6529392B 6DA8D202 67315197
C357D1BF 06FF7102 153E257F 15C86113 A0B16DB6 C19222D0 568698FE 02336B34
9C5787B9 3ACDA6A6 9EFBA4E1 C9150E86 06A78950 D44D2FD5 C61BE793 CC53EC7D
1BD4707D 4307FE51 0B4344FC 60999A
quit
!
!
!
!
ip port-map user-protocol--2 port udp 3389
ip port-map user-protocol--1 port tcp 3389
!
ip dhcp excluded-address 172.19.63.1 172.19.63.169
ip dhcp excluded-address 172.19.63.240 172.19.63.254
ip dhcp excluded-address 172.19.63.170
!
ip dhcp pool DHCP
import all
network 172.19.63.0 255.255.255.0
domain-name temp.local
dns-server 172.19.63.1
default-router 172.19.63.1
!
!
!
ip domain name temp2.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX181281J9
!
!
username temp privilege 15 password 0 temp
username temp password 0 temp!
!
!
!
!
!
!
class-map type inspect match-any RTSPOut
match protocol rtsp
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-4
match access-group name GIMM-Unmatched_Traffic
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match access-group name TranAccess01
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any GIMM-BlockRDP3
match protocol user-protocol--1
match protocol user-protocol--2
class-map type inspect match-all sdm-nat--1
match access-group 102
class-map type inspect match-any GIMM-BlockRDP2
match protocol user-protocol--1
match protocol user-protocol--2
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any GIMM-BlockRDP
match protocol user-protocol--1
match protocol user-protocol--2
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map match-any CCP-Voice-1
match dscp ef
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map match-any CCP-Management-1
match dscp cs2
class-map type inspect match-any WebAndVPN
match protocol http
match protocol https
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol pptp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
match protocol sip-tls
class-map type inspect match-any GIMM-BlockRDP-DNS
match protocol dns
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-5
match class-map GIMM-BlockRDP2
match access-group name GIMM-BlockRDP2
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-6
match class-map GIMM-BlockRDP3
match access-group name GIMM-BlockRDP3
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-3
match class-map GIMM-DNS
match access-group name GIMM-DNS
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
match class-map WebAndVPN
match access-group name GIMM-Standard-Allow
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map GIMM-BlockRDP
match access-group name GIMM-BlockRDP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-inspect-1
match class-map RTSPOut
match access-group name RTSP_Out
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
!
policy-map sdm-qos-test-123
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat--1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-6
drop log
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-3
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-5
drop log
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-4
drop log
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 20
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
policy-map CCP-QoS-Policy-2
class class-default
shape average 10000000
service-policy CCP-QoS-Policy-1
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNCLIENTGROUP
key temp
domain temp.local
pool REMOTECLIENTS
acl 150
save-password
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 100
set transform-set ESP-AES-SHA
!
!
crypto map outside_map client authentication list userlist
crypto map outside_map isakmp authorization list groupauthor
crypto map outside_map client configuration address respond
crypto map outside_map 65000 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
description LEG
no ip address
!
interface FastEthernet1
switchport trunk native vlan 10
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description GIMM
switchport access vlan 200
switchport trunk native vlan 200
no ip address
!
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip address 195.174.200.18 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
crypto map outside_map
service-policy output CCP-QoS-Policy-2
!
interface Vlan1
description LEG_Gateway$FW_INSIDE$
ip address 172.19.63.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan200
description GIMM_Gateway
ip address 10.23.33.1 255.255.255.0
ip access-group BLOCK out
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
no autostate
!
ip local pool REMOTECLIENTS 192.168.100.1 192.168.100.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source static tcp 172.19.63.40 1050 195.174.200.18 1050 route-map SDM_RMAP_11 extendable
ip nat inside source static udp 172.19.63.40 1050 195.174.200.18 1050 route-map SDM_RMAP_9 extendable
ip nat inside source static tcp 172.19.63.40 8000 195.174.200.18 8000 route-map SDM_RMAP_15 extendable
ip nat inside source static tcp 172.19.63.40 80 195.174.200.18 8085 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 172.19.63.40 8443 195.174.200.18 8443 route-map SDM_RMAP_13 extendable
ip nat inside source static 172.19.63.51 195.174.200.19 route-map SDM_RMAP_4
ip nat inside source static tcp 172.19.63.52 3389 195.174.200.20 3389 route-map SDM_RMAP_2 extendable
ip nat inside source static udp 172.19.63.52 3389 195.174.200.20 3389 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 172.19.63.81 3389 195.174.200.21 3389 route-map SDM_RMAP_12 extendable
ip nat inside source static 10.23.33.51 195.174.200.21 route-map SDM_RMAP_7
ip route 0.0.0.0 0.0.0.0 195.174.200.17
ip route 10.23.33.0 255.255.255.0 Vlan1
ip route 172.19.63.0 255.255.255.0 Vlan200
!
ip access-list extended tranAccess01
remark CCP_ACL Category=128
permit ip any host 172.19.63.81
ip access-list extended RTSP_Out
remark CCP_ACL Category=128
permit ip host 172.19.63.40 any
ip access-list extended BLOCK
remark CCP_ACL Category=17
permit ip host 172.19.63.10 10.23.33.0 0.0.0.255
permit ip host 172.19.63.11 10.23.33.0 0.0.0.255
remark Printer
permit ip host 172.19.63.140 10.23.33.0 0.0.0.255
deny ip 172.19.63.0 0.0.0.255 any
permit ip any any
ip access-list extended GIMM-BlockRDP
remark CCP_ACL Category=128
permit ip any host 10.23.33.51
ip access-list extended GIMM-BlockRDP2
remark CCP_ACL Category=128
permit ip any host 10.23.33.51
ip access-list extended GIMM-BlockRDP3
remark CCP_ACL Category=128
permit ip any host 195.174.200.21
ip access-list extended GIMM-DNS
remark CCP_ACL Category=128
permit ip any host 10.23.33.51
ip access-list extended GIMM-Standard-Allow
remark CCP_ACL Category=128
permit ip any host 10.23.33.51
ip access-list extended GIMM-Unmatched_Traffic
remark CCP_ACL Category=128
permit ip any host 10.23.33.51
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 195.174.200.16 0.0.0.7 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 172.19.63.51
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 172.19.63.52
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip host 172.19.63.52 192.168.100.0 0.0.0.255
access-list 104 permit tcp host 172.19.63.52 eq 3389 any
access-list 105 remark CCP_ACL Category=2
access-list 105 permit tcp host 172.19.63.40 eq www any
access-list 105 deny ip host 172.19.63.40 192.168.100.0 0.0.0.255
access-list 105 permit tcp host 172.19.63.40 eq 8085 any
access-list 106 remark CCP_ACL Category=2
access-list 106 deny ip host 172.19.63.51 192.168.100.0 0.0.0.255
access-list 106 permit ip host 172.19.63.51 any
access-list 107 remark CCP_ACL Category=2
access-list 107 deny ip host 172.19.63.52 192.168.100.0 0.0.0.255
access-list 107 permit udp host 172.19.63.52 eq 3389 any
access-list 108 remark CCP_ACL Category=2
access-list 108 deny ip host 10.23.33.51 192.168.100.0 0.0.0.255
access-list 108 permit ip host 10.23.33.51 any
access-list 109 remark CCP_ACL Category=2
access-list 109 deny ip host 10.23.33.51 192.168.100.0 0.0.0.255
access-list 109 permit ip host 10.23.33.51 any
access-list 110 remark CCP_ACL Category=2
access-list 110 deny ip host 172.19.63.81 192.168.100.0 0.0.0.255
access-list 110 permit ip host 172.19.63.81 any
access-list 111 remark CCP_ACL Category=2
access-list 111 deny ip host 172.19.63.40 192.168.100.0 0.0.0.255
access-list 111 permit udp host 172.19.63.40 eq 1050 any
access-list 112 remark CCP_ACL Category=2
access-list 112 deny ip host 172.19.63.40 192.168.100.0 0.0.0.255
access-list 112 permit tcp host 172.19.63.40 eq 1050 any
access-list 113 remark CCP_ACL Category=2
access-list 113 deny ip host 172.19.63.40 192.168.100.0 0.0.0.255
access-list 113 permit tcp host 172.19.63.40 eq 8443 any
access-list 114 remark CCP_ACL Category=2
access-list 114 deny ip host 172.19.63.40 192.168.100.0 0.0.0.255
access-list 114 permit tcp host 172.19.63.40 eq 8000 any
access-list 115 remark CCP_ACL Category=2
access-list 115 deny ip host 172.19.63.81 192.168.100.0 0.0.0.255
access-list 115 permit ip host 172.19.63.81 any
access-list 116 remark CCP_ACL Category=2
access-list 116 deny ip host 172.19.63.81 192.168.100.0 0.0.0.255
access-list 116 permit tcp host 172.19.63.81 eq 3389 any
access-list 150 permit ip 172.19.63.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 remark CCP_ACL Category=18
access-list 199 deny ip 172.19.63.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 10.23.33.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 permit gre any any
access-list 199 permit ip any any
access-list 199 deny ip host 10.23.33.51 any
access-list 199 deny udp host 172.19.63.52 eq 3389 any
access-list 199 deny tcp host 172.19.63.52 eq 3389 any
access-list 199 deny ip host 172.19.63.51 any
access-list 199 deny tcp host 172.19.63.40 eq 8085 any
access-list 199 deny tcp host 172.19.63.40 eq www any
access-list 199 deny ip host 172.19.63.81 any
access-list 199 deny udp host 172.19.63.40 eq 1050 any
access-list 199 deny tcp host 172.19.63.40 eq 1050 any
access-list 199 deny tcp host 172.19.63.40 eq 8443 any
access-list 199 deny tcp host 172.19.63.40 eq 8000 any
access-list 199 deny tcp host 172.19.63.81 eq 3389 any
!
route-map SDM_RMAP_15 permit 1
match ip address 114
!
route-map SDM_RMAP_11 permit 1
match ip address 112
!
route-map SDM_RMAP_10 permit 1
match ip address 115
!
route-map SDM_RMAP_13 permit 1
match ip address 113
!
route-map SDM_RMAP_12 permit 1
match ip address 116
!
route-map SDM_RMAP_4 permit 1
match ip address 106
!
route-map SDM_RMAP_5 permit 1
match ip address 107
!
route-map SDM_RMAP_6 permit 1
match ip address 108
!
route-map SDM_RMAP_7 permit 1
match ip address 109
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
route-map SDM_RMAP_8 permit 1
match ip address 110
!
route-map SDM_RMAP_9 permit 1
match ip address 111
!
snmp-server community public RO
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password ceGs$r8c
login authentication local
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
!
end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide