10-26-2012 08:09 AM - edited 03-11-2019 05:14 PM
I've got a single router (IOS 15.0), 1 inside interface (vlan1) and one outside int, gig0. Using Zone-based firewall.
Router has NAT, using a static entry as follows:
ip nat inside source static tcp 192.168.5.150 3389 <my external ip> 35411 extendable
With the ZFW off, this port translation works and I am able to RDP to the internal system from an external source.
With ZFW enabled, it fails. Logging shows that the packets are being dropped by the outside-inside policy map, by the class-default class. I am new to ZFW but my interpretation is that this simply means that the packet did not meet any of the other class map criteria for that policy map, thus it defaulted to the drop action of the class-default class that terminates any policy map.
The question is why it didn't meet the criteria. Here are the policy and class maps that govern the outside-inside zone pair:
Class Map type inspect match-any outside-inside
Match access-group 166
Match class-map inbound-protocols
For reference, class map "inbound-protocols" is below:
Class Map type inspect match-any inbound-protocols
Match protocol smtp
Match protocol http
Match protocol https
And the contents of access list 166 is:
10 permit tcp any any eq 35411
The policy map applied to the zone pair is:
Router#sh policy-map type inspect
Policy Map type inspect outside-inside
Class outside-inside
Inspect
Class class-default
Drop
On the outside-inside class map, I had also tried match-all instead of match-any, same result in the logging (sh run | i FW).
Also, the external host CAN reach the internal web server (80, 443) using similar static NAT entries and through the firewall, except since those are using standard ports, no PAT is taking place. This RDP entry is the only one mapping port 35411 to 3389.
Not sure if there is some other type of logging I should look at, or what. I am new to many aspects of this stuff including logging so please feel free to dummy-talk with me as it's very possible I may be missing something simple.
Thank you!
10-26-2012 11:06 AM
Hello Valley,
NAT goes first, then ZBFW.
Do the following:
IP access-list extended 166
permit tcp any host 192.168.5.150 eq 3389
Remember to rate all of the helpful posts,
Julio
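The point of Julio's answer is order of operations: the static PAT entry untranslates the destination before the zone-pair policy is evaluated, so the outside-inside class map sees a packet addressed to 192.168.5.150 port 3389, never to port 35411, and ACL 166 as written can only fall through to class-default. The following is an added example, not configuration posted by anyone in this thread, that puts the whole outside-to-inside ZBFW configuration together with the ACL corrected as Julio suggests. Interface, zone and class-map names and the 192.168.5.150 host are taken from the thread; MYPUBLIC is a placeholder for the poster's external address, and the zone-pair name is assumed.

```cisco
! Added example (not from the thread). Static PAT: outside port 35411
! maps to inside 192.168.5.150:3389. MYPUBLIC is a placeholder for the
! poster's external address.
ip nat inside source static tcp 192.168.5.150 3389 MYPUBLIC 35411 extendable
!
! NAT is applied before the zone-based firewall on traffic entering
! from the outside, so the policy evaluates the untranslated packet.
! The ACL therefore matches the inside address and real port (3389),
! not the public port (35411), which no longer appears in the packet.
ip access-list extended 166
 permit tcp any host 192.168.5.150 eq 3389
!
! Application-level inspection for the standard ports (from the thread).
class-map type inspect match-any inbound-protocols
 match protocol smtp
 match protocol http
 match protocol https
!
! Outer class map: match-any, so either the ACL or a known protocol
! is enough to select the inspect action.
class-map type inspect match-any outside-inside
 match access-group 166
 match class-map inbound-protocols
!
! Anything not matched above lands in class-default and is dropped;
! "log" keeps the drop visible in the router logging that the poster
! used to diagnose the problem.
policy-map type inspect outside-inside
 class type inspect outside-inside
  inspect
 class class-default
  drop log
!
zone security inside
zone security outside
!
! Zone-pair name is assumed; the policy direction is outside -> inside.
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-inside
!
interface Vlan1
 zone-member security inside
interface GigabitEthernet0
 zone-member security outside
```

After applying this, the counters in `show policy-map type inspect zone-pair` should show sessions being created under the outside-inside class rather than drops under class-default for the RDP flow. The ACL is deliberately narrow (one host, one port): widening it to `any any eq 3389` would also inspect RDP to any inside host that later gets a NAT entry, which is more than this rule needs to permit.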
10-26-2012 12:30 PM
Wow I didn't know that (NAT before ZFW). That is very good to know.
Well, it turns out I solved my problem a different way, although I will test yours too so I can get the hands-on experience.
I ended up making my own protocol by using ip port-map user-RDP tcp port 3389 and making a new class map for it.
I did it based on another thread of yours, but had no idea of the effect because at the time I thought ZFW was first before NAT, so I did not understand how creating a protocol inspection for 3389 would affect the firewall.
Anyway, it worked, so to keep the config clean I'll add it to my other class map list of allowed protocols rather than have a separate ACL or a separate class map. I am still pre-CCNA so am learning new things, so will be trying out your ACL solution too.
By the way I still need you to call me, but for Self zone and VPN talk.
Thanks for your help!
10-26-2012 12:35 PM
Hello,
Sure, I will
Glad I could help.
Regards,