We are just setting up a 2821 with ZBFW for our servers.
For simplicity we have only defined in-zone and out-zone.
All works fine for traffic such as HTTP, FTP, Email, etc. We NAT these to different servers and all is great.
Now we have to forward some ports that are not defined by Cisco, for example Microsoft Remote Desktop.
Using CCP, we have done the following:
Port to Application Mappings
user-rdp3389 tcp 3389
Firewall Policy (out-zone to in-zone)
any -> 10.0.10.96 service user-rdp3389 Inspect
ip nat inside source static 10.0.10.96 nnn.nnn.nnn.nnn
ip port-map user-rdp3389 port tcp 3389
class-map type inspect match-any datacenter_services
match protocol user-rdp3389
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-19
match class-map datacenter_services
match access-group name datacenter
ip access-list extended datacenter
remark CCP_ACL Category=128
permit ip any host 10.0.10.96
The config for HTTP traffic to another server looks almost exactly the same, but of course matches HTTP traffic, and works fine.
The config for RDP port 3389, however, does not work at all.
We are new to the ZBFW, so we desperately need help with this.
Thanks in advance.
You don't need to configure PAM (Port Address Mapping) as you are not mapping the default port to a different port.
For RDP you are using the default port 3389, so all you need to configure on the router is:
1) Static NAT (or static PAT if you are just NATing the port)
2) ZBFW configured to match that traffic.
Please kindly share the router configuration, and also what IP Address you would like to NAT the RDP server to, and we can help.
Except that there is no default map for RDP.
Platform Cisco 2821 12.4(22)T5
"show ip port-map" has no entry for port 3389, which is why I am trying to define user-rdp = 3389.
As an experiment, I remapped pcanywheredata, which is normally on port 5631, to 3389 and made a rule using pcanywheredata, and it worked. But strangely, only for one server, and I need several forwards.
I also have a need to forward ports 12010, 12011, and 9854 through to servers. Again, there is no default for these ports, so a user-defined port-map would be required.
Any time I make a user-defined port-map, I cannot seem to forward the port through the firewall.
As advised earlier, the port map function is to map a non-default port to a specific application, e.g. the HTTP default port is port 80, and if you are running HTTP on a different port and would like to inspect it as if it were HTTP traffic, then you would configure a port map to map the non-default port to HTTP.
What you are trying to achieve is just NATing RDP traffic so you can have access from the Internet (outside). What you would need to configure is not port map, but NAT and ZBFW inspection.
If you share a copy of "show run", we can help you to configure specifics for RDP (and please also advise what IP Address you would like to NAT the RDP to).
Don't forget RDP works with UDP/TCP, and you should use static PAT and not static NAT as you did.
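For reference, here is a complete out-zone to in-zone configuration that ties together the pieces discussed in this thread (user-defined port-map, class-map, policy-map, zone-pair and static PAT) for the RDP server at 10.0.10.96 and the extra ports 12010, 12011 and 9854. This is an added example written for this page, not configuration taken from any of the posters above; the public address 203.0.113.10, the interface names, the second server 10.0.10.97 and all object names are assumptions. The posted snippet in the question stops at the class-maps, so note that nothing is inspected until a policy-map type inspect is attached to a zone-pair. The example also shows the alternative that avoids PAM entirely: a match-all class that matches only an extended ACL with the TCP ports, which ZBFW inspects as generic TCP when the action is inspect.

```cisco
! --- user-defined port-maps (names must begin with "user-") ---
ip port-map user-rdp port tcp 3389
ip port-map user-app12010 port tcp 12010
ip port-map user-app12011 port tcp 12011
ip port-map user-app9854 port tcp 9854
!
! --- which inside hosts may be reached from the outside (assumed addresses) ---
ip access-list extended DC-RDP-HOST
 remark assumed: RDP server, post-NAT inside address
 permit ip any host 10.0.10.96
!
ip access-list extended DC-APP-PORTS
 remark assumed: second server, ports matched directly without a port-map
 permit tcp any host 10.0.10.97 eq 12010
 permit tcp any host 10.0.10.97 eq 12011
 permit tcp any host 10.0.10.97 eq 9854
!
! --- protocol match via the user-defined port-map ---
class-map type inspect match-any DC-SERVICES
 match protocol user-rdp
 match protocol http
!
class-map type inspect match-all OUT-IN-RDP
 match class-map DC-SERVICES
 match access-group name DC-RDP-HOST
!
! --- alternative: ACL-only class, inspected as generic TCP ---
class-map type inspect match-all OUT-IN-APPS
 match access-group name DC-APP-PORTS
!
policy-map type inspect OUT-TO-IN
 class type inspect OUT-IN-RDP
  inspect
 class type inspect OUT-IN-APPS
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
!
interface GigabitEthernet0/0
 description assumed: Internet-facing interface
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 zone-member security out-zone
!
interface GigabitEthernet0/1
 description assumed: server LAN
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN
!
! --- static PAT: one public address, several inside servers, per-port ---
ip nat inside source static tcp 10.0.10.96 3389 203.0.113.10 3389
ip nat inside source static tcp 10.0.10.97 12010 203.0.113.10 12010
ip nat inside source static tcp 10.0.10.97 12011 203.0.113.10 12011
ip nat inside source static tcp 10.0.10.97 9854 203.0.113.10 9854
```

Two checks help when a forward does not work: "show ip port-map user-rdp" confirms the port-map exists with the expected port and protocol, and "show policy-map type inspect zone-pair sessions" shows whether a session is being created for the connection at all. The ACLs match the inside (post-translation) addresses because, for traffic entering from the outside, NAT is applied before the zone-pair policy is evaluated.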