08-23-2013 03:38 PM - edited 03-11-2019 07:30 PM
Hey folks, I desperately need some assistance with my ISR 800 series router zone-based firewall.
The router is currently set up and routing traffic to the internet successfully.
I would like to set up a custom inbound port (TCP 3389) accessible from the internet.
The port's destination will be an internal PC at, say, 192.168.1.50.
How can I accomplish this using CCP or the console?
I have already defined the port-to-application mapping using CCP. However, the firewall is recording the following syslog message:
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
Any assistance is greatly appreciated.
If the full config is required to assist, please let me know.
08-24-2013 08:17 AM
Hi,
So you want to port forward TCP 3389 to 192.168.10.50?
If so, then first you must have a static PAT statement:
ip nat inside source static tcp 192.168.10.50 3389 interface Fastethernet4 3389
Then you'll have to inspect this traffic when entering your firewall:
class-map type inspect user-remote-app-tcp
match protocol user-remote-app-tcp
no policy-map type inspect ccp-pol-outToIn
policy-map type inspect ccp-pol-outToIn
class type inspect user-remote-app-tcp
inspect
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
Regards
Alain
Don't forget to rate helpful posts.
08-23-2013 08:53 PM
When using CCP, generally you would follow the procedure starting on page 485 here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf
If that didn't work for you, please share your class-maps policy-maps and zone-pairs sections so we can have a look at what is failing.
We look for:
1. The traffic is classified in a class-map
2. The policy-map passes the classified traffic
3. The zone-pair applies that policy-map
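The three checks listed above, together with the drop message in the original question, can be automated. The following Python script is an added example written for this thread, not something posted by any participant: it parses the `%FW-6-DROP_PKT` message to find the zone-pair and class that dropped the flow, parses the class-map / policy-map / zone-pair sections of a running config, and walks the chain class-map -> policy-map action -> zone-pair. The embedded config is a constructed fragment that mirrors the relevant parts of the thread's config with the accepted answer's `user-remote-app-tcp` class added, in normal IOS indentation (the parser relies on that indentation, and only understands the `type inspect` objects; QoS class-maps and policy-maps are skipped).

```python
"""Trace a Cisco IOS zone-based-firewall drop back through the running config.

Added example for this thread (not the poster's or Cisco's code).  Assumes
a config in normal IOS indentation and only parses the zone-based firewall
objects: class-map/policy-map "type inspect" and zone-pair sections.
"""
import re

# Constructed sample: the relevant fragments of the thread's config, with the
# accepted answer's class-map and inspect action already applied.
SAMPLE_CONFIG = """\
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
!
class-map type inspect match-all user-remote-app-tcp
 match protocol user-remote-app-tcp
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match class-map remote-app
 match access-group name remote-app
class-map match-any AutoQoS-Voice-Fa4
 match protocol rtp audio
!
policy-map type inspect ccp-pol-outToIn
 class type inspect user-remote-app-tcp
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-1
  pass log
 class class-default
  drop log
policy-map AutoQoS-Policy-Fa4
 class AutoQoS-Voice-Fa4
  priority percent 1
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
"""

# The drop message quoted in the original question.
SAMPLE_DROP = ("%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 "
               "192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone "
               "class class-default due to DROP action found in policy-map "
               "with ip ident 0")

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)")


def parse_drop(line):
    """Extract flow, zone-pair and class from a %FW-6-DROP_PKT line (None if no match)."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None


def parse_config(text):
    """Collect inspect class-maps, inspect policy-maps (class -> action) and zone-pairs."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    ctx = None        # ("class-map" | "policy-map" | "zone-pair", name) or None
    cur_class = None  # class currently open inside an inspect policy-map
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        kw = t[0]
        if not raw.startswith(" "):            # top-level command: open or close a section
            cur_class = None
            if kw in ("class-map", "policy-map") and t[1:3] == ["type", "inspect"]:
                ctx = (kw, t[-1])               # name is always the last token
                cfg["class_maps" if kw == "class-map" else "policy_maps"][t[-1]] = (
                    [] if kw == "class-map" else {})
            elif kw == "zone-pair":             # zone-pair security NAME source S destination D
                ctx = ("zone-pair", t[2])
                cfg["zone_pairs"][t[2]] = {"source": t[4], "destination": t[6], "policy": None}
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "class-map" and kw == "match":
            cfg["class_maps"][name].append(" ".join(t[1:]))
        elif kind == "policy-map" and kw == "class":
            cur_class = t[-1]                   # "class type inspect X" or "class class-default"
            cfg["policy_maps"][name][cur_class] = None
        elif kind == "policy-map" and kw in ("inspect", "pass", "drop") and cur_class:
            cfg["policy_maps"][name][cur_class] = " ".join(t)   # e.g. "pass log"
        elif kind == "zone-pair" and kw == "service-policy":
            cfg["zone_pairs"][name]["policy"] = t[-1]
    return cfg


def explain_drop(line, cfg):
    """Map a drop message to the zone-pair's policy-map and the action on the named class."""
    d = parse_drop(line)
    if d is None:
        return None
    zp = cfg["zone_pairs"].get(d["zone_pair"])
    policy = zp["policy"] if zp else None
    classes = cfg["policy_maps"].get(policy, {})
    return {"flow": f'{d["proto"]} {d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]}',
            "zone_pair": d["zone_pair"], "policy": policy, "class": d["cls"],
            "action": classes.get(d["cls"]), "classes": classes}


def trace_class(cfg, class_name):
    """The three checks: class-map exists, a policy-map acts on it, a zone-pair applies it.
    Returns (zone-pair, policy-map, action) per path; empty means class-default will apply."""
    if class_name not in cfg["class_maps"]:
        return []
    return [(zp_name, zp["policy"], cfg["policy_maps"].get(zp["policy"], {})[class_name])
            for zp_name, zp in cfg["zone_pairs"].items()
            if cfg["policy_maps"].get(zp["policy"], {}).get(class_name)]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    info = explain_drop(SAMPLE_DROP, cfg)
    print(f'{info["flow"]} dropped on {info["zone_pair"]} -> policy {info["policy"]}')
    for cls, action in info["classes"].items():
        print(f"  class {cls}: {action}")
    print("paths for user-remote-app-tcp:", trace_class(cfg, "user-remote-app-tcp"))
```

Run against a real `show running-config` capture, an empty result from `trace_class` for the class you expect to carry the forwarded port tells you which of the three steps is missing before you touch the policy; note the message in the question is a UDP session, so a class that only matches the TCP port-map would still let that flow fall through to class-default.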
08-23-2013 09:19 PM
Thanks for your response.
Pardon my ignorance! How can I export this info from the CCP interface to share? In lieu of that procedure, I have provided the full config below.
Building configuration...
Current configuration : 22564 bytes
!
! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 881W-SSHS-R1
!
boot-start-marker
boot system flash:c880data-universalk9-mz.153-1.T.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8192 warnings
enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
enable password 7 09485B1F180B03175A
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time UTC recurring
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server 881-sshs-r1ca
database archive pem password 7 121D1001130518017B
issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
lifetime certificate 1095
lifetime ca-certificate 1825
!
crypto pki trustpoint sshs-trustpoint
enrollment selfsigned
serial-number
subject-name CN=sshs-certificate
revocation-check crl
rsakeypair sshs-rsa-keys
!
crypto pki trustpoint 881-sshs-r1ca
revocation-check crl
rsakeypair 881-sshs-r1ca
!
!
crypto pki certificate chain sshs-trustpoint
certificate self-signed 01
308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012
06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216
0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D
32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63
65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459
30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06
092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E
BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3
6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06
03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041
8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A
EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100
BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F
50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087
quit
crypto pki certificate chain 881-sshs-r1ca
certificate ca 01
30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306
03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368
73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E
73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131
5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530
13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73
73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469
6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB
2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7
B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605
80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC
8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85
10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548
B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A
0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149
2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF
CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8
quit
no ip source-route
!
!
!
!
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
!
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.30.1 192.168.30.200
!
ip dhcp pool SSHS-LAN
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
domain-name sshs.local
lease 2
!
ip dhcp pool VLAN20
import all
network 192.168.20.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.20.1
domain-name sshs.local
lease 2
!
ip dhcp pool VLAN30
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.30.1
domain-name sshs.local
lease 2
!
!
!
no ip bootp server
ip domain name sshs.local
ip host 881W-SSHS-R1 192.168.10.1
ip name-server 208.122.23.22
ip name-server 208.122.23.23
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
license boot module c880-data level advipservices
!
!
username sshs privilege 15 password 7 050F131920425A0C48
username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map match-any AutoQoS-Voice-Fa4
match protocol rtp audio
class-map type inspect match-all CCP_SSLVPN
match access-group 199
class-map match-any AutoQoS-Scavenger-Fa4
match protocol bittorrent
match protocol edonkey
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any remote-app
match protocol Other
class-map type inspect match-all SDM_RIP_PT
match protocol router
class-map type inspect match-any bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any bootpc_bootps
match protocol bootpc
match protocol bootps
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map bootps
match access-group name boops-DHCP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map bootpc_bootps
match access-group name DHCP-Request
class-map type inspect match-any SDM_CA_SERVER
match class-map SDM_HTTPS
match class-map SDM_HTTP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map uremote-app
match access-group name remote-app
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
class type inspect msnmsgr ccp-app-msn-otherservices
log
class type inspect ymsgr ccp-app-yahoo-otherservices
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map AutoQoS-Policy-Fa4
class AutoQoS-Voice-Fa4
priority percent 1
set dscp ef
class AutoQoS-Scavenger-Fa4
bandwidth remaining percent 1
set dscp cs1
class class-default
fair-queue
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_CA_SERVER
inspect
class type inspect ccp-cls-ccp-permit-1
pass log
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_RIP_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-1
pass log
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description LAN
switchport mode trunk
no ip address
!
interface FastEthernet1
description Not in Use
no ip address
!
interface FastEthernet2
description Trunk to 861W-SSHS-R1
switchport mode trunk
no ip address
auto discovery qos
!
interface FastEthernet3
description VoIP
switchport access vlan 30
no ip address
service-policy output AutoQoS-Policy-UnTrust
!
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxx.xxxx.org
ip address dhcp client-id FastEthernet4
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
auto qos
service-policy output AutoQoS-Policy-Fa4
!
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security sslvpn-zone
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
description SSHS Default LAN$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security in-zone
!
interface Vlan30
description $FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description PPPoA Dialer for Int ATM0$FW_INSIDE$
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname SSHS-CHAP
ppp chap password 7 045F1E100E2F584B
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
router rip
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
!
ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
!
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended DHCP-Request
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
ip access-list extended SDM_HTTP
remark CCP_ACL Category=1
permit tcp any any eq www log
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22 log
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended remote-app
remark CCP_ACL Category=128
permit ip any host 192.168.10.50
ip access-list extended boops-DHCP
remark CCP_ACL Category=128
permit ip any any
!
logging host 192.168.10.50
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.50
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
!
!
!
control-plane
!
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
!
banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
^C
banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
!
line con 0
password 7 06021A374D401D1C54
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 06021A374D401D1C54
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 130102040A02102F7A
length 0
transport input telnet ssh
transport output telnet ssh
!
scheduler interval 500
ntp master
ntp update-calendar
ntp server nist1-ny.ustiming.org prefer
!
!
webvpn gateway sshs-WebVPN-Gateway
ip interface FastEthernet4 port 443
ssl encryption rc4-md5
ssl trustpoint sshs-trustpoint
inservice
!
webvpn context sshs-WebVPN
secondary-color white
title-color #669999
text-color black
!
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
aaa authentication list sslvpn
gateway sshs-WebVPN-Gateway
max-users 4
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group sshs-webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpnpool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy sshs-webvpnpolicy
!
end
08-24-2013 03:28 PM
Cadet's recommendation looks on the mark. I recommend following it.
BTW, you cannot easily share from CCP directly - the configuration you posted does the job.
Regards,
- Marvin
08-25-2013 08:58 PM
Appreciate the help Marvin. I will try the recommendation provided earlier and report back.
Thanks
08-25-2013 08:57 PM
Thanks, Cadet, for your assistance; I will test the change and report back.