Port forwarding through ZBFW

Jiri Solc
Level 5

I've deployed Zone Based Firewall with several zones at a customer site. I'm trying to get some services (SSH and RDP) on inside hosts to be accessible, NATed to the outside interface IP address. With ACL and inspect it's easy, but I can't get it working with ZBFW.

Traces (audit trails) are showing some communication, but it never gets through :-(

Oct 24 14:38:53.693: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rd:25020) sent 0 bytes -- responder (10.37.61.10:3389) sent 0 bytes

As I've read in the Cisco Press book Cisco Firewalls on page 391:

"Translation of the source address happens before inspection."

I'm allowing the source from outside to inside based on inside specifications (inside IP and inside destination port).

Cisco 881 with IOS Version 15.2(1)T.

Can anyone please help me find where the problem with inspection is, and why I can't connect through ZBFW?

Scenario:

ZBFW Building Blocks

Zones:
  interface Vlan5 (IP 10.0.0.252/24) - zone LAN
  interface Fa4.100 (IP 1.1.1.1/29) - zone OUTSIDE

Zone-Pairs:
  Zone-pair name OUTSIDE_LAN
    Source-Zone OUTSIDE  Destination-Zone LAN
    service-policy Internet-to-LAN

Policy:
  Policy Map type inspect Internet-to-LAN
    Class SERVERY_RDP
      Inspect INSP
    Class SERVERY_SSH
      Inspect INSP
    Class class-default
      Drop log

Classes:
  Class Map type inspect match-all SERVERY_SSH
    Match protocol ssh
    Match access-group name SERVERY_SSH
  Class Map type inspect match-all SERVERY_RDP
    Match protocol user-etd-rdp
    Match access-group name SERVERY_RDP

ACLs:
  Extended IP access list SERVERY_RDP
    10 permit ip any host 10.0.0.10 (14 matches)
    20 permit ip any host 10.0.0.24 (4 matches)
  Extended IP access list SERVERY_SSH
    10 permit ip any host 10.0.0.48 (3 matches)
    20 permit ip any host 10.0.0.47

NAT:
  - correct, I believe; it works flawlessly without ZBFW

The relevant parts of the config are below:

interface FastEthernet4.100
 description Internet (data)
 encapsulation dot1Q 100
 ip address 1.1.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 no cdp enable
!
interface Vlan5
 description DATA
 ip address 10.0.0.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
zone security OUTSIDE
zone security LAN
!
zone-pair security OUTSIDE_LAN source OUTSIDE destination LAN
 service-policy type inspect Internet-to-LAN
!
policy-map type inspect Internet-to-LAN
 class type inspect SERVERY_RDP
  inspect INSP
 class type inspect SERVERY_SSH
  inspect INSP
 class class-default
  drop log
!
class-map type inspect match-all SERVERY_RDP
 match protocol user-etd-rdp
 match access-group name SERVERY_RDP
class-map type inspect match-all SERVERY_SSH
 match protocol ssh
 match access-group name SERVERY_SSH
!
ip access-list extended SERVERY_RDP
 permit ip any host 10.0.0.10
 permit ip any host 10.0.0.24
ip access-list extended SERVERY_SSH
 permit ip any host 10.0.0.48
 permit ip any host 10.0.0.47
!
ip port-map user-etd-rdp port tcp from 3389 to 3390
!
parameter-map type inspect INSP
 audit-trail on
!
ip nat inside source static tcp 10.0.0.10 3389 interface FastEthernet4.100 3389
ip nat inside source static tcp 10.0.0.24 3390 interface FastEthernet4.100 3390
ip nat inside source static tcp 10.0.0.48 22 interface FastEthernet4.100 4122
ip nat inside source route-map rmnat interface FastEthernet4.100 overload
!
route-map rmnat permit 10
 match ip address nat
!
ip access-list extended nat
 remark ** NoNAT RFC 1918 **
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 10.0.0.0 0.255.255.255
 remark ** NAT DATA LAN **
 permit ip 10.0.0.0 0.0.0.255 any

When I'm trying to get through from the outside network with RDP to 1.1.1.1:3389, I get the following log:

Oct 24 15:12:26.572: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start user-etd-rdp session: initiator (2.2.2.2:45452) -- responder (10.0.0.10:3389)
Oct 24 15:12:57.217: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop user-etd-rdp session: initiator (2.2.2.2:45452) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes

And "show ip nat translation":

tcp 1.1.1.1:3389        10.0.0.10:3389      2.2.2.2:45452     2.2.2.2:45452
tcp 1.1.1.1:3389        10.0.0.10:3389      ---                   ---

Nothing goes through so far, any ideas why?

Thanks a lot, regards,

jiri
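As an added example (not code from the original post or any of the replies), a small Python script that parses %FW-6-SESS_AUDIT_TRAIL records of the kind quoted above, pairs each Start with its Stop, and flags sessions the firewall admitted that never carried a byte in either direction, which is exactly the symptom in this thread. The sample log lines are constructed after the thread's format; the function and variable names are my own.

```python
import re

# Constructed sample lines, modelled on the %FW-6-SESS_AUDIT_TRAIL messages quoted in the thread.
SAMPLE_LOG = """\
Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)
Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes
Oct 25 12:30:01.100: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Start ssh session: initiator (2.2.2.2:50001) -- responder (10.0.0.48:22)
Oct 25 12:31:40.412: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_SSH):Stop ssh session: initiator (2.2.2.2:50001) sent 3122 bytes -- responder (10.0.0.48:22) sent 5890 bytes
"""

# Common prefix of both record types: (target:class)-(<zone-pair>:<class-map>):
_HDR = r"\(target:class\)-\((?P<pair>[^:)]+):(?P<cls>[^)]+)\):"
START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: " + _HDR
    + r"Start (?P<proto>\S+) session: initiator \((?P<init>[^)]+)\) -- responder \((?P<resp>[^)]+)\)")
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: " + _HDR
    + r"Stop (?P<proto>\S+) session: initiator \((?P<init>[^)]+)\) sent (?P<ib>\d+) bytes"
    + r" -- responder \((?P<resp>[^)]+)\) sent (?P<rb>\d+) bytes")

def parse_sessions(log_text):
    """Pair Start/Stop audit-trail records by (initiator, responder) and return one dict per session."""
    sessions = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            sessions[(m["init"], m["resp"])] = {
                "zone_pair": m["pair"], "class": m["cls"], "proto": m["proto"],
                "initiator": m["init"], "responder": m["resp"], "closed": False}
            continue
        m = STOP_RE.search(line)
        if m:
            # A Stop without a Start (e.g. the log rolled over) still yields a usable record.
            s = sessions.setdefault((m["init"], m["resp"]), {
                "zone_pair": m["pair"], "class": m["cls"], "proto": m["proto"],
                "initiator": m["init"], "responder": m["resp"]})
            s.update(closed=True, init_bytes=int(m["ib"]), resp_bytes=int(m["rb"]))
    return list(sessions.values())

def zero_byte_sessions(sessions):
    """Sessions the firewall admitted that carried no payload in either direction: the SYN
    matched the class-map, but the handshake never completed (the symptom in this thread)."""
    return [s for s in sessions if s.get("closed") and s["init_bytes"] == 0 and s["resp_bytes"] == 0]

if __name__ == "__main__":
    for s in zero_byte_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"{s['zone_pair']}/{s['class']}: {s['initiator']} -> {s['responder']} "
              f"({s['proto']}) opened but carried no data")
```

Feed it the output of the router's logging buffer (with audit-trail on, as in the parameter-map above) to separate classes that admit sessions which then stall from classes whose sessions actually exchange data.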

5 Replies

cadet alain
VIP Alumni

Hi,

class-map type inspect match-all SERVERY_RDP
 match protocol user-etd-rdp
 match access-group name SERVERY_RDP

ip port-map user-rdp port tcp from 3389 to 3390

It seems there is a typo in the inspect class SERVERY_RDP; change

 match protocol user-etd-rdp

to

 match protocol user-rdp

Regards.

Alain.

Don't forget to rate helpful posts.

No, not a typo; I made a mistake when writing the config down here.

Corrected.

But the concept is right, isn't it?

I have to match protocol AND IP range (if I want to narrow the firewall hole by it) using internal addresses. The bad thing is that SSH is not working either, so it's not only a "custom ports" RDP protocol issue.

Regards,

Jiri

Hi,

Yes, the concept is right, but you could also just use an ACL alone for well-known protocols.

I'm going to peek at the config for SSH and let you know.

Can you add this global config command: ip inspect log drop-pkt

And also try SSH and: sh ip nat translation | i 22

Alain.

Don't forget to rate helpful posts.

You mean not to use "match-all" with protocol and a general IP ACL, but an extended ACL instead? I've tried, but with no luck :-(

I changed the ACL to look like this:

ip access-list extended SERVERY_RDP
 permit tcp any host 10.0.0.10 eq 3389

and the class-map to look like this:

class-map type inspect match-all SERVERY_RDP
 match access-group name SERVERY_RDP

Output logs:

Oct 25 12:24:59.264: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Start tcp session: initiator (2.2.2.2:47393) -- responder (10.0.0.10:3389)

#sh policy-firewall session zone-pair OUTSIDE_LAN
Zone-pair: OUTSIDE_LAN
  Service-policy inspect : Internet-to-LAN
    Class-map : SERVERY_RDP(match-all)
      Half-open Sessions = 1
        Session 8663A6E0 (2.2.2.2:47393)=>(10.0.0.10:3389) tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:25, Last heard 00:00:25
          Bytes sent (initiator:responder) [0:0]
    Class-map : class-default(match-any)

Oct 25 12:25:29.677: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_LAN:SERVERY_RDP):Stop tcp session: initiator (2.2.2.2:47393) sent 0 bytes -- responder (10.0.0.10:3389) sent 0 bytes

#sh access-list SERVERY_RDP
Extended IP access list SERVERY_RDP
    10 permit tcp any host 10.37.61.10 eq 3389 (7 matches)

I don't understand why the session is only half-open and the 3-way handshake won't proceed. ZBFW should open a hole dynamically in the reverse direction.

Hi,

Post the entire config, do what I asked above for SSH, and post the results as well as the log output, if any.

Alain.

Don't forget to rate helpful posts.