ISR 4331 ZBF port-forwarding with different port.

lmanavalan
Level 1

Hi

I am planning to configure a static NAT to allow SSH to an internal device as below.

ip nat inside source static tcp <private_IP> 22 <public_IP> 22222 extendable

I created a ZBF in both directions:


class-map type inspect match-any Internal-To-Perimeter
 match protocol http
 match protocol https
 match protocol tcp
 match protocol ssh
 match access-group name SSH
class-map type inspect match-any Perimeter-To-Internal
 match access-group name SSH
!
policy-map type inspect Perimeter-To-Internal-Policy
 class type inspect Perimeter-To-Internal
  pass log
 class class-default
policy-map type inspect Internal-To-Perimeter-Policy
 class type inspect Internal-To-Perimeter
  inspect
 class class-default
  drop log
!
!
zone security Perimeter
 description Internet Edge
zone security DMZ
 description DMZ for Expressway Edge
zone security Internal
 description Internal traffic
zone-pair security Internal-To-Perimeter source Internal destination Perimeter
 service-policy type inspect Internal-To-Perimeter-Policy
zone-pair security Perimeter-To-Internal source Perimeter destination Internal
 service-policy type inspect Perimeter-To-Internal-Policy
!

But I am not able to SSH to the private IP. When I remove the zone security member from the interface where the host is connected, I am able to SSH.

Thanks

Logesh


3 Replies

Your ZBF-config doesn't make any sense:

  1. From Perimeter to internal you only pass traffic, but don't inspect it so you can't get any packets back
  2. You have the same ACL in both directions which is likely to be wrong.

As you don't show the rest, I assume that you also allow the wrong traffic in your ACL. With NAT you have to allow the real IP with real port in the allowing ACL. But your client has to access it on the translated IP and translated port.

Hi

Just to test, I have added the access-list in both directions, and the access list allows all IPs and ports 22, 22222:


ip access-list extended SSH
 permit tcp any any eq 22
 permit tcp any any eq 22222
!


class-map type inspect match-any Perimeter-To-Internal
 match access-group name SSH
!
policy-map type inspect Perimeter-To-Internal-Policy
 class type inspect Perimeter-To-Internal
  pass log
 class class-default
  drop log
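A corrected inbound policy, as an added example that is not from the thread or from Cisco, applying the two points raised in the first reply: inspect instead of pass (so the SYN-ACK from the inside host is allowed back through the Internal-To-Perimeter zone-pair), and an ACL that matches the real inside address and real port 22, since the static NAT rewrites the destination before the zone-pair policy classifies the packet. The ACL name SSH-IN and the address placeholders are assumptions.

```cisco
! Static PAT as in the original post: public port 22222 -> inside port 22
ip nat inside source static tcp <private_IP> 22 <public_IP> 22222 extendable
!
! For outside-to-inside traffic NAT runs before the firewall, so the class
! must match the translated (real) destination: the inside host on port 22.
! Permitting "any any eq 22222" never matches here because the port has
! already been rewritten to 22 when the policy is evaluated.
ip access-list extended SSH-IN
 permit tcp any host <private_IP> eq 22
!
! match-all: both the address/port ACL and the SSH protocol check must hit
class-map type inspect match-all Perimeter-To-Internal
 match access-group name SSH-IN
 match protocol ssh
!
! "inspect" creates a stateful session so the return packets are permitted
! on the Internal-To-Perimeter zone-pair; "pass" alone creates no session,
! which is why the original SSH attempt never completed.
policy-map type inspect Perimeter-To-Internal-Policy
 class type inspect Perimeter-To-Internal
  inspect
 class class-default
  drop log
!
zone-pair security Perimeter-To-Internal source Perimeter destination Internal
 service-policy type inspect Perimeter-To-Internal-Policy
```

With an SSH session open from the outside, `show policy-map type inspect zone-pair Perimeter-To-Internal sessions` should list it, and `show ip nat translations` should show the 22222 to 22 mapping in use.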
