10-24-2011 06:18 AM - edited 03-11-2019 02:41 PM
I've deployed Zone Based Firewall with several zones at a customer site. I'm trying to get some services (ssh and RDP) to be accessible on inside hosts NATed to the outside interface IP address. With ACL and inspect it's easy, but I can't get it working with ZBFW.
Traces (audit trails) are showing some communication, but nothing ever gets through :-(
Oct 24 14:38:53.693: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rd:25020) sent 0 bytes -- responder (10.37.61.10:3389) sent 0 bytes
As I've read in Cisco Press Book Cisco Firewalls on page 391:
"Translation of the source address happens before inspection."
I'm allowing source from outside to inside based on inside specifications (inside IP and inside destination port).
Cisco 881 with IOS Version 15.2(1)T.
Can anyone please help me find where the problem with inspection is and why I can't connect through ZBFW?
Scenario:
ZBFW Building Blocks
Zones:
interface Vlan5 (IP 10.0.0.252/24) - zone LAN
interface Fa4.100 (IP 1.1.1.1/29) - zone OUTSIDE
Zone-Pairs:
Zone-pair name OUTSIDE_LAN
Source-Zone OUTSIDE Destination-Zone LAN
service-policy Internet-to-LAN
Policy:
Policy Map type inspect Internet-to-LAN
Class SERVERY_RDP
Inspect INSP
Class SERVERY_SSH
Inspect INSP
Class class-default
Drop log
Classes:
Class Map type inspect match-all SERVERY_SSH
Match protocol ssh
Match access-group name SERVERY_SSH
Class Map type inspect match-all SERVERY_RDP
Match protocol user-etd-rdp
Match access-group name SERVERY_RDP
ACLs:
Extended IP access list SERVERY_RDP
10 permit ip any host 10.0.0.10 (14 matches)
20 permit ip any host 10.0.0.24 (4 matches)
Extended IP access list SERVERY_SSH
10 permit ip any host 10.0.0.48 (3 matches)
20 permit ip any host 10.0.0.47
NAT:
- configured correctly, I believe; works flawlessly without ZBFW
Relevant parts of config are attached below:
interface FastEthernet4.100
 description Internet (data)
 encapsulation dot1Q 100
 ip address 1.1.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 no cdp enable
!
interface Vlan5
 description DATA
 ip address 10.0.0.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
zone security OUTSIDE
zone security LAN
!
zone-pair security OUTSIDE_LAN source OUTSIDE destination LAN
 service-policy type inspect Internet-to-LAN
!
policy-map type inspect Internet-to-LAN
 class type inspect SERVERY_RDP
  inspect INSP
 class type inspect SERVERY_SSH
  inspect INSP
 class class-default
  drop log
!
class-map type inspect match-all SERVERY_RDP
 match protocol user-etd-rdp
 match access-group name SERVERY_RDP
class-map type inspect match-all SERVERY_SSH
 match protocol ssh
 match access-group name SERVERY_SSH
!
ip access-list extended SERVERY_RDP
 permit ip any host 10.0.0.10
 permit ip any host 10.0.0.24
ip access-list extended SERVERY_SSH
 permit ip any host 10.0.0.48
 permit ip any host 10.0.0.47
!
ip port-map user-etd-rdp port tcp from 3389 to 3390
!
parameter-map type inspect INSP
 audit-trail on
!
ip nat inside source static tcp 10.0.0.10 3389 interface FastEthernet4.100 3389
ip nat inside source static tcp 10.0.0.24 3390 interface FastEthernet4.100 3390
ip nat inside source static tcp 10.0.0.48 22 interface FastEthernet4.100 4122
ip nat inside source route-map rmnat interface FastEthernet4.100 overload
!
route-map rmnat permit 10
 match ip address nat
!
ip access-list extended nat
 remark ** NoNAT RFC 1918 **
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 10.0.0.0 0.255.255.255
 remark ** NAT DATA LAN **
 permit ip 10.0.0.0 0.0.0.255 any
When I'm trying to get through from the outside network with RDP to 1.1.1.1:3389 I get the following log:
Oct 24 15:12:26.572: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start user-etd-rdp session: initiator (2.2.2.2:45452) -- responder (10.0.0.10:3389)
Oct 24 15:12:57.217: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rdp session: initiator (2.2.2.2:45452) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
And "show ip nat translation":
tcp 1.1.1.1:3389 10.0.0.10:3389 2.2.2.2:45452 2.2.2.2:45452
tcp 1.1.1.1:3389 10.0.0.10:3389 --- ---
Nothing goes through so far, any ideas why?
Thanks a lot, regards,
jiri
10-24-2011 06:29 AM
Hi,
class-map type inspect match-all SERVERY_RDP
match protocol user-etd-rdp
match access-group name SERVERY_RDP
ip port-map user-rdp port tcp from 3389 to 3390
Seems there is a typo in the inspect class SERVERY_RDP: change match protocol user-etd-rdp to match protocol user-rdp
Regards.
Alain.
10-25-2011 02:12 AM
No, not a typo, I made a mistake when writing a config down here.
Corrected..
But the concept is right, isn't it?
I have to match protocol AND IP range (if I want to narrow the firewall hole by it) using internal addresses.. The bad thing is SSH is not working either, so it's not only a "custom ports" RDP protocol issue.
Regards,
Jiri
10-25-2011 03:14 AM
Hi,
yes, the concept is right, but you could also just use an ACL alone for well-known protocols.
Gonna peek at config for ssh and let you know.
Can you add this global config command: ip inspect log drop-pkt.
And also try the ssh and sh ip nat translation | i 22
Alain.
10-25-2011 03:33 AM
You mean not to use "match-all" on protocol and a general IP ACL, but use an extended ACL instead? I've tried, but with no luck :-(
I changed the ACL to look like this:
ip access-list extended SERVERY_RDP
 permit tcp any host 10.0.0.10 eq 3389
and CM to look like this:
class-map type inspect match-all SERVERY_RDP
 match access-group name SERVERY_RDP
Output logs:
Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)
#sh policy-firewall session zone-pair OUTSIDE_LAN
Zone-pair: OUTSIDE_LAN
Service-policy inspect : Internet-to-LAN
Class-map : SERVERY_RDP(match-all)
Half-open Sessions = 1
Session 8663A6E0 (2.2.2.2:47393)=>(10.0.0.10:3389) tcp SIS_OPENING/TCP_SYNSENT
Created 00:00:25, Last heard 00:00:25
Bytes sent (initiator:responder) [0:0]
Class-map : class-default(match-any)
Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
#sh access-list SERVERY_RDP
Extended IP access list SERVERY_RDP
10 permit tcp any host 10.37.61.10 eq 3389 (7 matches)
I don't understand why the session is only half-open and the 3-way handshake won't proceed. ZBFW should open a hole dynamically in the reverse direction.
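As an added example (not code from either poster), a small Python parser for the %FW-6-SESS_AUDIT_TRAIL Stop lines quoted in this thread: it flags sessions where neither side sent any bytes, the half-open pattern seen in the RDP attempts above, and cross-checks that the responder address in the audit trail is one of the static NAT entries from the posted config, which is what you expect when translation happens before inspection. The sample log lines and NAT lines are constructed from the values the thread already shows.

```python
import re

# Constructed sample lines modelled on the audit-trail messages quoted in this
# thread: the RDP session that stalls at 0 bytes each way, plus one SSH session
# that completed normally so the filter has something to ignore.
SAMPLE_LOG = """\
Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)
Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
Oct 25 12:30:01.100: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Start ssh session: initiator (2.2.2.2:50000) -- responder (10.0.0.48:22)
Oct 25 12:31:45.900: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Stop ssh session: initiator (2.2.2.2:50000) sent 1842 bytes -- responder (10.0.0.48:22) sent 3120 bytes
"""

# The static port-forwards as posted in the router config above.
STATIC_NAT = """\
ip nat inside source static tcp 10.0.0.10 3389 interface FastEthernet4.100 3389
ip nat inside source static tcp 10.0.0.24 3390 interface FastEthernet4.100 3390
ip nat inside source static tcp 10.0.0.48 22 interface FastEthernet4.100 4122
"""

STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: \(target:class\)-\((?P<pair>[^:]+):(?P<cls>[^)]+)\):"
    r"Stop (?P<proto>\S+) session: initiator \((?P<init>[^)]+)\) sent (?P<ibytes>\d+) bytes"
    r" -- responder \((?P<resp>[^)]+)\) sent (?P<rbytes>\d+) bytes"
)
NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)")

def parse_stops(log):
    """Return one dict per SESS_AUDIT_TRAIL Stop line (Start lines are skipped)."""
    out = []
    for m in STOP_RE.finditer(log):
        d = m.groupdict()
        d["ibytes"], d["rbytes"] = int(d["ibytes"]), int(d["rbytes"])
        out.append(d)
    return out

def parse_static_nat(cfg):
    """Map inside 'ip:port' -> outside port for each static TCP NAT entry."""
    return {f"{ip}:{iport}": int(oport) for ip, iport, oport in NAT_RE.findall(cfg)}

def find_stalled(log, cfg):
    """Sessions that were inspected but never carried any payload in either
    direction. The responder is the inside (post-NAT) address, so the last
    field records whether it matches a known static forward."""
    statics = parse_static_nat(cfg)
    return [
        (s["cls"], s["init"], s["resp"], s["resp"] in statics)
        for s in parse_stops(log)
        if s["ibytes"] == 0 and s["rbytes"] == 0
    ]
```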
10-25-2011 03:41 AM
Hi,
Post the entire config, do what I asked above for ssh, and post the results as well as the log output, if any.
Alain.