Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1349
Views
5
Helpful
1
Replies

IOS Zone Based Firewall : match ports which have no protocol

Go to solution
Marcel Tempelman
Level 3
Level 3

‎01-12-2021 07:39 AM - edited ‎01-12-2021 07:40 AM

Hi all,

 

I'm trying to setup a IOS(-XE) based ZFB-firewall to filter and block traffic between 2 LAN-segments. I have a list of ports which I want to allow but I find it hard to find an example to match a port in a class map if the port does not match a known protocol. Every example is like this:

 

class-map type inspect match-any DMZ-SERVER-ALLOWED-PROTOCOLS
 match protocol http
 match protocol https
exit
class-map type inspect match-all DMZ-SERVER-ALLOWED-TRAFFIC
 match access-group name DMZ-SERVER-FROM-OUTSIDE
 match class-map DMZ-SERVER-ALLOWED-PROTOCOLS

 

But what to use if you need for example port range tcp/7011-7050 ? Is using an ACL like this the proper way ?

 

ip access-list extended ACL-Allowed-Ports

 permit tcp any any range 7011 7050

!

class-map type inspect match-any DMZ-SERVER-ALLOWED-PROTOCOLS
 match protocol http
 match protocol https

 match access-group name ACL-Allowed-Ports

!

 

If this works, can I extend this ACL with other ports or do I need a seperate ACL per port/port range ?

What about Object-Groups ? Are they usable ?

 

I have so many questions and there is so little documentation outside the simple http/https/ssh and VPN-examples.

 

With kind regards,

 

Marcel Tempelman

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎01-12-2021 12:16 PM

Well, as you have already mentioned, and actually answered your own question, yes, the way to do this is through ACL and match that ACL in the class-map.  You can have as many ACL entries in the ACL you create as you require.

You can ofcourse use an object group to group IPs and subnets that require the same type of access, there is no reason why you should not do this.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

1 Reply 1

Go to solution
Marius Gunnerud
VIP
VIP

‎01-12-2021 12:16 PM

Well, as you have already mentioned, and actually answered your own question, yes, the way to do this is through ACL and match that ACL in the class-map.  You can have as many ACL entries in the ACL you create as you require.

You can ofcourse use an object group to group IPs and subnets that require the same type of access, there is no reason why you should not do this.

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card