CISCO 887VAW Port Forward on ZBFW need help

Yair
Level 1

Hello,

I got (free of charge) my hands on a Cisco 887VAW with the advipservices license installed permanently.

Now I set up the router for home use, but I have a problem: how do I port forward?

I need to port forward port 50500 to LAN host 10.0.1.100.

I'm new to Cisco ZBFW, so for now I set up the default firewall with CCP to secure my LAN.

Another problem is that I cannot set up SSL VPN; it says that the license is not installed.

Also for IPS, same thing, but on the router there is the advipservices license installed permanently.

 

cisco#sh license
Index 1 Feature: advipservices
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: Evaluation
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 2 Feature: advsecurity
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 3 Feature: ios-ips-update
Period Used: 0 minute 0 second
License Type: Evaluation
Start Date: N/A, End Date: Dec 31 2025
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 4 Feature: SSL_VPN
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: Evaluation
License State: Not in Use, EULA not accepted
License Count: 100/0/0 (Active/In-use/Violation)
License Priority: None
 

sh running-config

 

cisco#sh run
Building configuration...

Current configuration : 5973 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.0.1.2 10.0.1.110
ip dhcp excluded-address 10.0.1.1
!
ip dhcp pool HOME-LAN
import all
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 10.0.1.1
lease 1 0 0
!
ip cef
ip domain name home.local
ip name-server 8.8.8.8
no ipv6 cef
!
!
license udi pid CISCO887VW-GNE-K9 sn XXXXXXXXXXXXXX
license accept end user agreement
!
!
username admin privilege 15 secret 5 somepassword
!
!
controller VDSL 0
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface Ethernet0
description WAN
no ip address
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
switchport access vlan 20
!
interface FastEthernet1
switchport access vlan 20
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 20
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.1.0.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan20
description $FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username user@isp password password
ppp ipcp address accept
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns view dns
ip dns view-list dns
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
ntp server ntp.pool.org
end

cisco#

 

Thanks.

 

12 Replies

Hi,

You don't say what port you want to forward; try this for port forwarding (just replace 22 with whatever port you are attempting to port forward):-

 

ip nat inside source static tcp 10.0.1.100 22 interface Dialer0 50500

 

You'll need to amend the ZBFW to permit from outside to inside zone.

 

What commands are you attempting to use for SSL-VPN? webvpn gateway|context etc?

 

HTH

 

 

 

ip nat inside source static tcp 10.0.1.100 50500 interface Dialer0 50500

 

I tried it and it's not working.

How do I ''You'll need to amend the ZBFW to permit from outside to inside zone''?

What command?

I'm new to ZBFW, so I set it up with CCP.

For SSL VPN I'm trying to configure it via CCP, unless you can help with some good script?

 

You don't have a zone pair from outside to inside, so you will need to create one. Here is a rough example:-

 

ip access-list extended OUTSIDE->IN_50500
 permit tcp any any eq 50500

 

class-map type inspect match-any OUTSIDE->IN
 match access-group name OUTSIDE->IN_50500

 

policy-map type inspect OUTSIDE->IN
 class type inspect OUTSIDE->IN
  inspect
 class class-default
  drop log

 

zone-pair security OUTSIDE->IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE->IN

 

Only include the log option under the class-default class for testing.

 

HTH

Thanks man, now it's working, and when I scan on grc.com all my ports show green.

So now I know how to port forward on ZBFW.

By the way, any good script to set up SSL VPN?

And how do I activate the license if I have advsecurity on my 887?

Good to hear it's working

 

Here is an example of IOS SSL-VPN. SSL-VPN is not supported on all devices, what version of firmware do you have?

 

Run clear ip nat translations and then try and remove the port forwarding using no ip nat inside source static tcp 10.0.1.100 22 interface Dialer0 50500

 

HTH

Here is sh version:

 

System image file is "flash:c880data-universalk9-mz.150-1.M4.bin"

 

1 DSL controller
1 Ethernet interface
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 ISDN Basic Rate interface
1 terminal line
1 Virtual Private Network (VPN) Module
1 cisco Embedded AP (s)
256K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO887VW-GNE-K9 

 

License Information for 'c880-data'
License Level: advsecurity Type: Permanent
Next reboot license Level: advsecurity


Configuration register is 0x2102

 

By the way, when I forward a port I use this:

ip access-list extended OUTSIDE->IN_50500
 permit tcp any any eq 50500

 

class-map type inspect match-any OUTSIDE->IN
 match access-group name OUTSIDE->IN_50500

 

policy-map type inspect OUTSIDE->IN
 class type inspect OUTSIDE->IN
  inspect
 class class-default
  drop log

 

zone-pair security OUTSIDE->IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE->IN

 

Do I need all of this per port forward, or can I use only ip nat?

Let's say

ip nat inside source static tcp 10.0.1.100 50500 interface Dialer0 50500

ip nat inside source static tcp 10.0.1.100 50501 interface Dialer0 50501

ip nat inside source static tcp 10.0.1.100 50502 interface Dialer0 50502

And if I want to remove a port forward, just by typing

no ip nat inside source static tcp 10.0.1.100 50500 interface Dialer0 50500

wr mem?

The NAT command is doing the port forwarding, the ZBFW configuration (ACL, Class Map and Policy Map) is permitting the traffic inbound. If you want to remove the port forwarding you can delete the nat entry, then you also might want to delete the ZBFW configuration.

What happens when you configure the SSL-VPN, does it allow you to enter the commands?

What happens when you configure the SSL-VPN, does it allow you to enter the commands?

 

I haven't tried it yet.

I don't know if advsecurity supports SSL VPN.

In CCP it asks for a license.

But after a Google search I understand that advsecurity supports SSL VPN, so why do I need a license?

It does support SSL-VPN, but you do need to purchase an additional feature license for SSL-VPN - reference here. You could probably look to implement a FlexVPN Remote Access VPN without this additional license.

 

HTH

By the way, if I want to delete the port forward for TCP 50500, which command do I use?

I tried it and got an error that it is in use.

Hey, what's up?

Need some help again.

The port forward for a single port works great, but how do I port forward a port range?

 

ip nat inside source static tcp 10.0.1.100 50500 interface Dialer0 50500

 

ip access-list extended OUTSIDE->IN_50500
 permit tcp any any eq 50500

 

class-map type inspect match-any OUTSIDE->IN
 match access-group name OUTSIDE->IN_50500

 

policy-map type inspect OUTSIDE->IN
 class type inspect OUTSIDE->IN
  inspect
 class class-default
  drop log

 

zone-pair security OUTSIDE->IN source out-zone destination in-zone
 service-policy type inspect OUTSIDE->IN

 

Let's say I want to port forward UDP 1119-1120 to 10.0.1.100

and TCP 30000-30009 to 10.0.1.100?

 

Hi, it doesn't appear you can do a range for the static NAT entries, so you'd have to create multiple static NATs. E.g.:-

 

ip nat inside source static udp 10.0.1.100 1119 interface Dialer0 1119
ip nat inside source static udp 10.0.1.100 1120 interface Dialer0 1120

ip nat inside source static tcp 10.0.1.100 30000 interface Dialer0 30000

....repeat for 30001-30009

 

You can specify a range in the ACL. E.g:-

 

ip access-list extended OUTSIDE->IN_50500
 permit udp any any range 1119 1120
 permit tcp any any range 30000 30009

 

Obviously make sure that ACL is still referenced in the correct class-map.

 

HTH
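The thread settles on two facts: IOS static PAT needs one ip nat line per port, while the ZBFW ACL can carry a range, and a static entry cannot be removed while translations for it are active (the "in use" error above). The following Python script is an added example, not code from this thread or from Cisco. It expands port ranges into the per-port ip nat lines, emits the ZBFW ACL/class-map/policy-map/zone-pair once for all forwards, refuses two forwards that claim the same outside port, and produces the removal sequence with clear ip nat translation * first. The interface and zone names (Dialer0, out-zone, in-zone) are taken from the posted config; the object name OUTSIDE-TO-IN-FWD and the choice to match the ACL destination on the inside host rather than any are my assumptions (in the out-zone to in-zone pair the firewall evaluates the already-translated destination; because the port is unchanged by the 1:1 mapping, matching on the port alone, as the accepted answer does, also works).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Forward:
    """Protocol, inside host, inclusive port range; outside port == inside port
    (the 1:1 mapping used throughout the thread)."""
    proto: str
    inside_host: str
    first: int
    last: int

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"proto must be tcp or udp, got {self.proto!r}")
        if not 1 <= self.first <= self.last <= 65535:
            raise ValueError(f"bad port range {self.first}-{self.last}")


def check_outside_port_conflicts(fwds: Iterable[Forward]) -> None:
    """One outside proto/port can be forwarded to only one inside host;
    catch a collision here instead of after pasting into the router."""
    seen: Dict[Tuple[str, int], str] = {}
    for f in fwds:
        for p in range(f.first, f.last + 1):
            owner = seen.setdefault((f.proto, p), f.inside_host)
            if owner != f.inside_host:
                raise ValueError(f"{f.proto}/{p} already forwarded to {owner}")


def nat_statics(fwds: List[Forward], outside_if: str = "Dialer0") -> List[str]:
    """IOS static PAT takes one port per line, so every range is expanded."""
    check_outside_port_conflicts(fwds)
    return [f"ip nat inside source static {f.proto} {f.inside_host} {p} "
            f"interface {outside_if} {p}"
            for f in fwds for p in range(f.first, f.last + 1)]


def acl_entries(fwds: List[Forward]) -> List[str]:
    """The ACL accepts ranges. Destination is the inside host rather than 'any'
    (assumption: the out-zone -> in-zone pair sees the already-translated
    destination; the port itself is unchanged by the 1:1 mapping)."""
    lines = []
    for f in fwds:
        ports = f"eq {f.first}" if f.first == f.last else f"range {f.first} {f.last}"
        lines.append(f" permit {f.proto} any host {f.inside_host} {ports}")
    return lines


def zbfw_config(fwds: List[Forward], name: str = "OUTSIDE-TO-IN-FWD",
                src_zone: str = "out-zone", dst_zone: str = "in-zone",
                log_default: bool = False) -> List[str]:
    """One ACL/class-map/policy-map/zone-pair covers all forwards; only the ACL
    grows. 'drop log' on class-default is for testing only, as the thread says:
    on an Internet-facing zone pair it logs every background scan."""
    return ([f"ip access-list extended {name}"] + acl_entries(fwds) + [
        f"class-map type inspect match-any {name}",
        f" match access-group name {name}",
        f"policy-map type inspect {name}",
        f" class type inspect {name}",
        "  inspect",
        " class class-default",
        "  drop log" if log_default else "  drop",
        f"zone-pair security {name} source {src_zone} destination {dst_zone}",
        f" service-policy type inspect {name}",
    ])


def removal_commands(fwds: List[Forward], name: str = "OUTSIDE-TO-IN-FWD",
                     src_zone: str = "out-zone", dst_zone: str = "in-zone",
                     outside_if: str = "Dialer0") -> List[str]:
    """'no ip nat inside source static ...' is refused while translations for
    the entry are active (the 'in use' error in the thread), so clear them
    first. ZBFW objects go in dependency order: zone-pair, policy, class, ACL."""
    return (["clear ip nat translation *"]
            + ["no " + line for line in nat_statics(fwds, outside_if)]
            + [f"no zone-pair security {name} source {src_zone} destination {dst_zone}",
               f"no policy-map type inspect {name}",
               f"no class-map type inspect match-any {name}",
               f"no ip access-list extended {name}"])


if __name__ == "__main__":
    requested = [  # the ranges asked about in the thread
        Forward("udp", "10.0.1.100", 1119, 1120),
        Forward("tcp", "10.0.1.100", 30000, 30009),
        Forward("tcp", "10.0.1.100", 50500, 50500),
    ]
    print("\n".join(nat_statics(requested) + zbfw_config(requested)))
    print("!\n! to remove:")
    print("\n".join(removal_commands(requested)))
```

Paste the generated lines in configuration mode, then wr mem; for the removal list, run clear ip nat translation * from exec mode before the no commands, or the static entries will still report themselves in use.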
