402 Views, 0 Helpful, 1 Reply

RDP through ZBF

Yordan1
Level 1

Hi

I have the following problem. I want to access my PC from outside through the ZBF.

I made my ZBF with CCP, and by default RDP is not allowed. That's why I made some changes in the configuration. Below is the log when I try to connect with RDP. Can someone tell me where the mistake is?

Thx

target:class)-(sdm-zp-NATOutsideToInside-1:class-default) Passing tcp pkt XXXXXXXXXXXXX:1138 => 10.1.1.3:3389 with ip ident 9212

Configuration:

!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-3
 match access-group 105
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
 match access-group 104
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 103
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-3
 match access-group 105
 match protocol user-protocol--2
class-map type inspect match-all CCP_SSLVPN
 match access-group 102
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-any RDP_ACCESS
 match access-group name RDP_ACCESS
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 106
class-map type inspect match-all RDP_ACCESS_TRAFFIC
 match class-map RDP_ACCESS
 match access-group 107
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 102
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--2-2
  inspect
 class type inspect sdm-nat-user-protocol--1-3
  inspect
 class type inspect sdm-nat-user-protocol--2-3
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect RDP_ACCESS_TRAFFIC
  pass
 class class-default
  pass log
policy-map type inspect ccp-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class type inspect sdm-access
  inspect
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
 service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Loopback10
 description $FW_INSIDE$
 ip address 10.2.2.1 255.255.255.0
 zone-member security in-zone
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template10
 description $FW_INSIDE$
 ip unnumbered Loopback10
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0
 description INTERNET$FW_OUTSIDE$
 ip address dhcp client-id GigabitEthernet0
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 ip address 200.200.200.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 no ip address
!
interface Vlan1
 description LAN$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
ip local pool webvpn-pool 10.2.2.2 10.2.2.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static udp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static tcp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static udp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static tcp 10.1.1.2 3389 interface GigabitEthernet0 60005
ip nat inside source static udp 10.1.1.2 3389 interface GigabitEthernet0 60005
!
ip access-list extended RDP_ACCESS
 permit tcp any any eq 60006
 permit udp any any eq 60006
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 60004
!
logging host 10.1.1.2
!
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.1.1.3
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.1.1.4
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.1.2
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip any host XXXXXXXXX (MY WAN IP)
access-list 107 permit ip any host XXXXXXXXX (MY WAN IP)

1 Reply

This here seems to be the problem:

access-list 107 permit ip any host XXXXXXXXX (MY WAN IP)

class-map type inspect match-any RDP_ACCESS
   match access-group name RDP_ACCESS
class-map type inspect match-all RDP_ACCESS_TRAFFIC
   match class-map RDP_ACCESS
   match access-group 107

In the first class-map you are referencing a named ACL called RDP_ACCESS. In the second class-map you are referencing the first class-map and another ACL, but this time with a match-all function. Essentially you are matching two ACLs and stating that for the traffic to match it must have both the IP referenced in the RDP_ACCESS and 107 ACL. Since a packet cannot have two IP addresses, this will never match.

Two ways to solve this are to change the second class-map to a match-any or just remove the RDP_ACCESS match.

--

Please remember to select a correct answer and rate helpful posts
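To see how the two class-map modes combine their clauses, here is a small Python model, added to this thread and not Cisco's own code, that evaluates the posted RDP_ACCESS ACL, access-list 107 and the RDP_ACCESS_TRAFFIC class-map against the packet from the log line. It models only what the thread shows: extended ACL entries with "any"/"host" and "eq", first-match with an implicit deny, and match-all versus match-any. The addresses 192.0.2.1 (standing in for the redacted WAN IP) and 198.51.100.7 (standing in for the redacted RDP client) are placeholders, and the sdm-nat-user-protocol classes are left out because their port-maps are not in the thread. The packet is evaluated twice: as the log reports it (destination 10.1.1.3:3389, i.e. after the static NAT entry) and as the client addressed it (WAN IP, port 60006).

```python
"""Model of how a Cisco IOS zone-based firewall class-map combines its match
clauses, run against the packet from the thread's log line.

Added example, not Cisco code.  Models a small subset of IOS: extended ACL
entries 'permit <proto> <src> <dst> [eq <port>]' with first-match and an
implicit deny, and class-maps of type inspect in match-all (every clause must
match) or match-any (one clause suffices) mode.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WAN_IP = "192.0.2.1"        # placeholder for 'XXXXXXXXX (MY WAN IP)'
CLIENT_IP = "198.51.100.7"  # placeholder for the redacted client address


@dataclass(frozen=True)
class Packet:
    proto: str   # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One ACE; 'any' is modelled as None, 'eq' as a port number."""
    proto: str                    # 'ip' matches every transport protocol
    src_host: Optional[str] = None
    dst_host: Optional[str] = None
    dport: Optional[int] = None
    permit: bool = True

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_host is not None and self.src_host != pkt.src:
            return False
        if self.dst_host is not None and self.dst_host != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


def class_map(mode: str, clauses: List[Callable[[Packet], bool]], pkt: Packet) -> bool:
    """match-all: every clause must be true; match-any: at least one must be."""
    results = [clause(pkt) for clause in clauses]
    return all(results) if mode == "match-all" else any(results)


# ACLs as posted in the thread (remarks omitted).
ACL_RDP_ACCESS = [
    AclEntry("tcp", dport=60006),   # permit tcp any any eq 60006
    AclEntry("udp", dport=60006),   # permit udp any any eq 60006
]
ACL_107 = [AclEntry("ip", dst_host=WAN_IP)]   # permit ip any host <WAN IP>


def rdp_access(pkt: Packet) -> bool:
    """class-map type inspect match-any RDP_ACCESS: match access-group name RDP_ACCESS"""
    return class_map("match-any", [lambda p: acl_permits(ACL_RDP_ACCESS, p)], pkt)


def rdp_access_traffic(pkt: Packet, mode: str = "match-all") -> bool:
    """class-map type inspect <mode> RDP_ACCESS_TRAFFIC:
    match class-map RDP_ACCESS, match access-group 107"""
    return class_map(mode, [rdp_access, lambda p: acl_permits(ACL_107, p)], pkt)


def classify(pkt: Packet) -> Tuple[str, str]:
    """The RDP-relevant part of policy-map sdm-pol-NATOutsideToInside-1: the first
    class whose class-map matches wins, anything else lands in class-default
    ('pass log').  The sdm-nat-user-protocol classes depend on port-maps that
    are not in the thread and are left out of this model."""
    if rdp_access_traffic(pkt):
        return ("RDP_ACCESS_TRAFFIC", "pass")
    return ("class-default", "pass log")


# The packet exactly as the log line reports it: the firewall already sees the
# translated (post-NAT) destination 10.1.1.3:3389.  Constructed sample.
POST_NAT = Packet("tcp", CLIENT_IP, 1138, "10.1.1.3", 3389)
# The same connection as the client addressed it, before the static NAT entry
# 'ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006'.
PRE_NAT = Packet("tcp", CLIENT_IP, 1138, WAN_IP, 60006)

if __name__ == "__main__":
    for label, pkt in (("as logged (post-NAT)", POST_NAT), ("pre-NAT", PRE_NAT)):
        print(f"{label:22s} RDP_ACCESS={rdp_access(pkt)} "
              f"match-all={rdp_access_traffic(pkt)} "
              f"match-any={rdp_access_traffic(pkt, 'match-any')} "
              f"-> {classify(pkt)}")
```

Run it directly to print both evaluations. The packet in the form the log reports it, with the translated destination 10.1.1.3:3389, matches neither RDP_ACCESS (which looks for port 60006) nor access-list 107 (which looks for the WAN address), so match-all and match-any both fall through to class-default, whose "pass log" action is what produced the log line. Because pass creates no inspect session, the return traffic from 10.1.1.3 then has to be admitted on its own through ccp-inspect on the in-zone to out-zone pair. The pre-NAT form matches both ACLs, so a class-map written against the WAN address and port 60006 only classifies the connection if the firewall evaluates the packet in that form; the log line shows which form it saw.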
