cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1622
Views
0
Helpful
3
Replies

ISR 4331 ZBF port-forwarding with different port.

lmanavalan
Level 1
Level 1

Hi

 

i am plannning to configure a static NAT to all allow ssh to a internal device as below.

 

 

ip nat inside source static tcp <privat_IP> 22 <public_IP> 22222 extendable

 

i created a zbf in both direct

 

class-map type inspect match-any Internal-To-Perimeter
 match protocol http
 match protocol https
 match protocol tcp
 match protocol ssh
 match access-group name SSH
class-map type inspect match-any Perimeter-To-Internal
 match access-group name SSH
!
policy-map type inspect Perimeter-To-Internal-Policy
 class type inspect Perimeter-To-Internal
  pass log
 class class-default
policy-map type inspect Internal-To-Perimeter-Policy
 class type inspect Internal-To-Perimeter
  inspect
 class class-default
  drop log
!
!
zone security Perimeter
 description Internet Edge
zone security DMZ
 description DMZ for Expressway Edge
zone security Internal
 description Internal traffic
zone-pair security Internal-To-Perimeter source Internal destination Perimeter
 service-policy type inspect Internal-To-Perimeter-Policy
zone-pair security Perimeter-To-Internal source Perimeter destination Internal
 service-policy type inspect Perimeter-To-Internal-Policy
!

 

 

But i am not able to SSH to the private IP but when i remove the zone security member from the interface where the host is connected then i am able to ssh

 

 

Thanks

Logesh

 

3 Replies 3

Your ZBF-config doesn't make any sense:

  1. From Perimeter to internal you only pass traffic, but don't inspect it so you can't get any packets back
  2. You have the same ACL in both directions which is likely to be wrong.

As you don't show the rest, I assume that you also allow the wrong traffic in your ACL. With NAT you have to allow the real IP with real port in the allowing ACL. But your client has to access it on the translated IP and translated port.

Hi 

 

just to test I have added the access-list in both direct and the access list allows all IP and Ports 22, 22222

 

ip access-list extended SSH
 permit tcp any any eq 22
 permit tcp any any eq 22222
!

 

 

class-map type inspect match-any Perimeter-To-Internal
 match access-group name SSH
!
policy-map type inspect Perimeter-To-Internal-Policy
 class type inspect Perimeter-To-Internal
  pass log
 class class-default
  drop log

dear can we have some sort of online application or an organization which allow trustees to who can push money in and volunteers who go live on camera on the ground to give relief to people since covid 19 brought lot of challenges to poor and daily wage loabourers...and app design shoulbe like all localised so that everybody in that local are know everybody...by this we can build a global network between these groups to come together with their local authentication for giving their help financillly and backing the volunteers who are helping the poors...

Review Cisco Networking for a $25 gift card