11-04-2013 11:57 AM - edited 03-11-2019 08:00 PM
Hi all,
I have a problem with getting port forward to work. Does this config look right?
Basically I want to forward all traffic from ports UDP 88 to internal 192.168.10.210, TCP & UDP 3074 also to internal 192.168.10.210
Also port TCP & UDP 32400 to internal 192.168.10.6
Also, another question: if a web service somewhere runs a port scan to check that a port is forwarding correctly on the router, will the scan fail, because the traffic first has to originate from my internal network and punch a hole in the firewall, or can a port scan for a particular port (32400) be allowed straight through to my internal server even though the traffic does not originate from the internal network?
----------------------------------------------------------------------------------
class-map type inspect match-any TCP-UDP
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect FIREWALL_EXCEPTIONS_POLICY
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
!
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit tcp any eq 32400 any
permit udp any host 192.168.10.6 eq 32400
permit udp any eq 32400 any
11-04-2013 07:59 PM
Please post interface configuration, meaning get me a show run
12-22-2013 08:58 AM
Sorry for the delay, but here is a running config. Thanks.
Current configuration : 6877 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool HOME
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
!
!
ip cef
ip domain name home.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
vtp mode client
!
!
!
archive
log config
hidekeys
!
!
no ip ftp passive
!
class-map type inspect match-any TCP-UDP
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect FIREWALL_EXCEPTIONS_POLICY
!
!
!
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description LINK TO SWITCH
switchport mode trunk
!
interface FastEthernet1
switchport mode trunk
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description MANAGEMENT
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
!
interface Vlan10
description HOME_PRIVATE
ip address 192.168.10.254 255.255.255.0
ip helper-address 192.168.10.251
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
!
interface Vlan20
description HOME_WORK
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Vlan30
description HOME_PUBLIC
ip address 192.168.30.254 255.255.255.0
ip helper-address 192.168.10.251
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
!
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit tcp any eq 32400 any
permit udp any host 192.168.10.6 eq 32400
permit udp any eq 32400 any
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
!
!
!
snmp-server community
snmp-server community
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end
12-23-2013 11:00 AM
Hello Marcus,
So some mistakes here,
After briefly checking the configuration I determined traffic will flow from the Out-zone to the Private zone.
Policy from Private to Out
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
inspect
class class-default
drop
Policy from Out to Private
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
class class-default
drop
With that configuration this will never work, as you are inspecting traffic one way and on the other just letting it go through with no stateful checks at all.
To resolve it:
ip access-list extended Julio_Rocks
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit udp any host 192.168.10.6 eq 32400
class-map type inspect Julio_Rocks
match access-group name Julio_Rocks
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
no class type inspect FIREWALL_EXCEPTIONS_CLASS
class type inspect Julio_Rocks
inspect
Looking for a Network engineer, contact me directly at julio17carvajal@hotmail.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
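As an added example (not part of any post in this thread, and not code from the Cisco CCP or the answerer's site), here is a small Python script that reads the class-map, policy-map, zone-pair, static NAT and ACL lines from the running config posted above and reports the points this answer raises: which inbound class uses `pass` instead of `inspect`, which ACL entries (`permit tcp any eq 32400 any` and its UDP twin, which the corrected ACL drops) match only on source port and therefore admit traffic to any inside host, and whether every static NAT forward has a host/port permit in the inbound ACL. The config text is embedded verbatim as a constructed sample; the function names and the `out-zone` default are the script's own assumptions, not anything from the thread.

```python
"""Audit the zone-based firewall lines posted in this thread for port-forward problems.

Added example, not from any post in the thread: it parses class-map / policy-map /
zone-pair / static NAT / ACL lines and reports inbound classes that 'pass' instead of
'inspect', ACL entries that match only on source port, and NAT forwards with no permit.
"""
from collections import defaultdict

# Constructed sample: the relevant lines of the running config posted above, copied verbatim.
POSTED_CONFIG = """
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
inspect
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect FIREWALL_EXCEPTIONS_POLICY
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit tcp any eq 32400 any
permit udp any host 192.168.10.6 eq 32400
permit udp any eq 32400 any
"""

def parse_ace(tok):
    """Parse one ACE: permit|deny <proto> <src> [eq P] <dst> [eq P] (only 'any'/'host' forms)."""
    ace, i = {"action": tok[0], "proto": tok[1]}, 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = "any", i + 1
        else:  # 'host <addr>'
            ace[side], i = tok[i + 1], i + 2
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    return ace

def parse_config(text):
    """Collect the ZBF pieces needed to reason about inbound port forwards (indentation optional)."""
    cfg = {"policies": defaultdict(dict), "zone_pairs": {}, "static_nat": [],
           "acls": defaultdict(list), "class_acl": {}}
    mode = name = cls = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "class-map":
            mode, name = "cmap", tok[-1]
        elif tok[0] == "policy-map":
            mode, name, cls = "pmap", tok[-1], None
        elif tok[0] == "zone-pair":  # zone-pair security NAME source S destination D
            mode, name = "zp", tok[2]
            cfg["zone_pairs"][name] = {"src": tok[4], "dst": tok[6], "policy": None}
        elif tok[:2] == ["ip", "access-list"]:
            mode, name = "acl", tok[-1]
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg["static_nat"].append({"proto": tok[5], "ip": tok[6], "port": int(tok[7])})
        elif mode == "cmap" and tok[:3] == ["match", "access-group", "name"]:
            cfg["class_acl"][name] = tok[-1]
        elif mode == "pmap" and tok[0] == "class":
            cls = tok[-1]
        elif mode == "pmap" and cls and tok[0] in ("inspect", "pass", "drop"):
            cfg["policies"][name][cls] = tok[0]
        elif mode == "zp" and tok[0] == "service-policy":
            cfg["zone_pairs"][name]["policy"] = tok[-1]
        elif mode == "acl" and tok[0] in ("permit", "deny"):
            cfg["acls"][name].append(parse_ace(tok))
    return cfg

def find_pass_actions(cfg):
    """(zone-pair, policy, class) where traffic is let through with no stateful inspection."""
    return [(zp, z["policy"], cls) for zp, z in cfg["zone_pairs"].items()
            for cls, action in cfg["policies"].get(z["policy"], {}).items() if action == "pass"]

def find_source_port_aces(cfg):
    """Permits keyed only on source port with destination 'any': they reach every inside host."""
    return [(acl, a) for acl, aces in cfg["acls"].items() for a in aces
            if a["action"] == "permit" and a["src_port"] is not None and a["dst"] == "any"]

def find_unmatched_forwards(cfg, outside="out-zone"):
    """Static NAT forwards with no host/port permit in an ACL reached from the outside zone."""
    allowed = {(a["proto"], a["dst"], a["dst_port"])
               for z in cfg["zone_pairs"].values() if z["src"] == outside
               for cls, act in cfg["policies"].get(z["policy"], {}).items() if act != "drop"
               for a in cfg["acls"].get(cfg["class_acl"].get(cls), []) if a["action"] == "permit"}
    return [n for n in cfg["static_nat"] if (n["proto"], n["ip"], n["port"]) not in allowed]
```

Run `parse_config(POSTED_CONFIG)` and the three `find_*` functions on the result: the first reports the `pass` action on `ccp-zp-out-private-in`, the second the two source-port-only entries, and the third is empty for the posted config but lists any forward whose ACL permit is missing (a forward without one is silently dropped by the `class-default drop`). Changing the `pass` to `inspect`, as the fix above does, clears the first finding.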
02-11-2014 03:53 AM
Hi Julio,
Nice one on fixing the problem.
Still can't see why traffic has to be treated the same way out and in; I thought that if the inspect is set to allow the traffic in, then permitting without inspect on the way out just seems to make sense, and if the traffic is allowed both ways things would work.
Why does it have to be the same?
On another note, have you had any experience with VPNs and ZBW? I have a config where there is a tunnel created and traffic sent out from the router seems fine (full bandwidth, 70% CPU), yet on traffic coming in the router hits about 80% usage and the speed is nowhere near what it's capable of.
Bit stumped on this. Does the VPN actually go to the router itself, thus using the out-zone to self policy?
Thanks,
Marcus.
02-11-2014 04:09 AM
Hello,
So you are inspecting traffic from Out-To-In.
Yeah, I have experience with VPN.
Check my website for more info regarding ZBFW:
http://www.laguiadelnetworking.com/zone-based-firewall-and-the-self-zone-integration/
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com