03-02-2016 12:05 AM - edited 03-12-2019 12:25 AM
Hi
I have the following problem. I want to access my PC from outside through the ZBF.
I made my ZBF with CCP and by default RDP is not allowed. That's why I made some changes in the configuration. Below is the log when I try to connect with RDP. Can someone tell me where my mistake is?
Thx
target:class)-(sdm-zp-NATOutsideToInside-1:class-default) Passing tcp pkt XXXXXXXXXXXXX:1138 => 10.1.1.3:3389 with ip ident 9212
Configuration:
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 104
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 104
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 105
match protocol user-protocol--2
class-map type inspect match-all CCP_SSLVPN
match access-group 102
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any RDP_ACCESS
match access-group name RDP_ACCESS
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 106
class-map type inspect match-all RDP_ACCESS_TRAFFIC
match class-map RDP_ACCESS
match access-group 107
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--1-3
inspect
class type inspect sdm-nat-user-protocol--2-3
inspect
class type inspect CCP_PPTP
pass
class type inspect RDP_ACCESS_TRAFFIC
pass
class class-default
pass log
policy-map type inspect ccp-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-in-zone-in-zone source in-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Loopback10
description $FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
zone-member security in-zone
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template10
description $FW_INSIDE$
ip unnumbered Loopback10
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface GigabitEthernet0
description INTERNET$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface wlan-ap0
ip address 200.200.200.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
no ip address
!
interface Vlan1
description LAN$FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip local pool webvpn-pool 10.2.2.2 10.2.2.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static udp 10.1.1.3 3389 interface GigabitEthernet0 60006
ip nat inside source static tcp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static udp 10.1.1.4 3389 interface GigabitEthernet0 60007
ip nat inside source static tcp 10.1.1.2 3389 interface GigabitEthernet0 60005
ip nat inside source static udp 10.1.1.2 3389 interface GigabitEthernet0 60005
!
ip access-list extended RDP_ACCESS
permit tcp any any eq 60006
permit udp any any eq 60006
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 60004
!
logging host 10.1.1.2
!
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.1.1.3
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.1.1.4
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.1.2
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip any host XXXXXXXXX (MY WAN IP)
access-list 107 permit ip any host XXXXXXXXX (MY WAN IP)
03-02-2016 09:25 PM
This here seems to be the problem:
access-list 107 permit ip any host XXXXXXXXX (MY WAN IP)
class-map type inspect match-any RDP_ACCESS
match access-group name RDP_ACCESS
class-map type inspect match-all RDP_ACCESS_TRAFFIC
match class-map RDP_ACCESS
match access-group 107
In the first class-map you are referencing a named ACL called RDP_ACCESS. In the second class-map you are referencing the first class-map and another ACL, but this time with a match-all function. Essentially you are matching two ACLs and stating that for the traffic to match it must have both the IP referenced in the RDP_ACCESS and 107 ACL. Since a packet can not have two IP addresses, this will never match.
Two ways to solve this are to change the second class-map to a match-any or just remove the RDP_ACCESS match.
--
Please remember to select a correct answer and rate helpful posts
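The class-map combination discussed in this answer can be checked offline. The Python model below is an added example, not code from the thread or from Cisco: it transcribes the poster's ACLs RDP_ACCESS, 107 and 103, treats a match-any class-map as OR and a match-all class-map as AND over its match statements, and walks a policy-map top to bottom the way a ZBF service policy does, falling through to class-default. The packet it evaluates is the 5-tuple from the poster's log line, which shows the firewall already seeing the translated destination 10.1.1.3:3389; the redacted source address and the redacted WAN IP are replaced by constructed placeholders (203.0.113.7 and 198.51.100.10). For comparison it also evaluates the same connection as addressed to the public port 60006.

```python
"""Model of Cisco ZBF class-map match-any / match-all evaluation.

Added example, not from the thread. ACL entries are transcribed from the
poster's configuration; addresses marked below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WAN_IP = "198.51.100.10"   # constructed placeholder for the redacted "(MY WAN IP)"
SRC_IP = "203.0.113.7"     # constructed placeholder for the redacted source in the log


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'permit' access-list entry: protocol, destination host or 'any', optional dst port."""
    proto: str                  # "ip", "tcp" or "udp"
    dst: str                    # "any" or a single host address
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """An ACL permits a packet if any permit entry matches (implicit deny otherwise)."""
    return any(ace.matches(p) for ace in acl)


# Transcribed from the poster's configuration
ACLS = {
    "RDP_ACCESS": [Ace("tcp", "any", 60006), Ace("udp", "any", 60006)],
    "107": [Ace("ip", WAN_IP)],          # permit ip any host <WAN IP>
    "103": [Ace("ip", "10.1.1.3")],      # permit ip any host 10.1.1.3
}

Criterion = Callable[[Packet], bool]


def class_map(mode: str, *criteria: Criterion) -> Criterion:
    """match-any ORs its match statements; match-all ANDs them."""
    combine = any if mode == "match-any" else all
    return lambda p: combine(c(p) for c in criteria)


def acl_criterion(name: str) -> Criterion:
    return lambda p: acl_permits(ACLS[name], p)


# The poster's two class-maps, as configured
RDP_ACCESS = class_map("match-any", acl_criterion("RDP_ACCESS"))
RDP_ACCESS_TRAFFIC = class_map("match-all", RDP_ACCESS, acl_criterion("107"))
# Same class-map rewritten as match-any, the first alternative the answer suggests
RDP_ACCESS_TRAFFIC_ANY = class_map("match-any", RDP_ACCESS, acl_criterion("107"))


def first_matching_class(policy: List[Tuple[str, Criterion]], p: Packet) -> str:
    """Policy-map semantics: first class whose criteria match wins, else class-default."""
    for name, criterion in policy:
        if criterion(p):
            return name
    return "class-default"


POLICY = [("RDP_ACCESS_TRAFFIC", RDP_ACCESS_TRAFFIC)]

# 5-tuple from the poster's log line (source address constructed)
LOGGED = Packet("tcp", SRC_IP, 1138, "10.1.1.3", 3389)
# Same connection as addressed to the public port, constructed for comparison
PUBLIC = Packet("tcp", SRC_IP, 1138, WAN_IP, 60006)

if __name__ == "__main__":
    print("logged packet hits:", first_matching_class(POLICY, LOGGED))
    print("ACL 103 permits logged packet:", acl_permits(ACLS["103"], LOGGED))
    print("public-port view hits match-all:", RDP_ACCESS_TRAFFIC(PUBLIC))
```

Run stand-alone, the model reproduces the log: the logged 5-tuple matches neither RDP_ACCESS (port 3389, not 60006) nor ACL 107 (destination 10.1.1.3, not the WAN address), so the match-all class fails and the packet lands in class-default, which the poster's policy-map passes and logs. The same 5-tuple does match ACL 103, the CCP-generated ACL keyed on the inside host. Swapping the class-map to match-any changes the result only when at least one of the two ACLs matches the packet the firewall actually sees.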