ZBFW for user defined ports


We are just setting up a 2821 with ZBFW for our servers.

For simplicity we have only defined in-zone and out-zone.

All works fine for traffic such as HTTP, FTP, Email, etc. We NAT these to different servers and all is great.

Now we have to forward some ports that are not defined by Cisco, for example Microsoft Remote Desktop.

Using CCP, we have done the following:

Port to Application Mappings

    user-rdp3389 tcp 3389

Firewall Policy (out-zone to in-zone)

   any ->  service user-rdp3389  Inspect

This creates:

ip nat inside source static nnn.nnn.nnn.nnn
ip port-map user-rdp3389 port tcp 3389
class-map type inspect match-any datacenter_services
 match protocol user-rdp3389
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-19
 match class-map datacenter_services
 match access-group name datacenter
ip access-list extended datacenter
 remark CCP_ACL Category=128
 permit ip any host

The config for HTTP traffic to another server looks almost exactly the same, but of course matches HTTP traffic, and works fine.

The config for RDP port 3389 however, does not work at all.

We are new to the ZBFW, so desperately need help with this.

Thanks in Advance;



Jennifer Halim
Cisco Employee

You don't need to configure PAM (Port Address Mapping) as you are not mapping the default port to a different port.

For RDP you are using the default port 3389, so all you need to configure on the router is:

1) Static NAT (or static PAT if you are just NATing port)

2) ZBFW configured to match that traffic.

Please kindly share the router configuration, and also what IP Address you would like to NAT the RDP server to, and we can help.

Except that there is no default map for RDP

Platform Cisco 2821 12.4(22)T5

show ip port-map has no entry for port 3389, hence why I am trying to define a user-rdp = 3389

As an experiment, I remapped pcanywheredata that is normally on port 5631 to 3389 and made a rule using pcanywheredata, and it worked. But strangely, only for one server and I need several forwards.

I also have a need to forward ports 12010, 12011, and 9854 through to servers. Again there is no default for these ports, so a user-defined map would be required.

Any time I make a user defined port-map, I cannot seem to forward the port through the firewall.

As advised earlier, the port map function is to map a non-default port to a specific application, e.g. HTTP's default port is 80, and if you are running HTTP on a different port and would like to inspect it as if it were HTTP traffic, then you would configure a port map to map the non-default port to HTTP.

What you are trying to achieve is just NATing RDP traffic so you can have access from the Internet (outside). What you would need to configure is not port map, but NAT and ZBFW inspection.

If you share a copy of "show run", we can help you to configure specifics for RDP (and please also advise what IP Address you would like to NAT the RDP to).


Don't forget RDP works with UDP/TCP, and you should use static PAT and not static NAT as you did.



Don't forget to rate helpful posts.
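As an added illustration of the approach the two replies above describe (static PAT plus ZBFW inspection, no user-defined port-map), here is an example IOS configuration written for this page; it is not taken from the thread, from CCP output, or from the original poster's router. The addresses 192.168.10.20 and 203.0.113.10, the interface names, and the zone, ACL, class-map and policy-map names are all assumed. Because NAT outside-to-inside translation happens before inspection on the inbound path, the ACL references the inside (post-NAT) address of the server, and generic TCP inspection is enough for ports that have no entry in show ip port-map:

```cisco
! Assumed topology (constructed for this example):
!   inside RDP server 192.168.10.20 behind GigabitEthernet0/0 (in-zone)
!   outside address 203.0.113.10 on GigabitEthernet0/1 (out-zone)

zone security in-zone
zone security out-zone

! Static PAT: expose only TCP/3389 of the server rather than the whole host.
ip nat inside source static tcp 192.168.10.20 3389 interface GigabitEthernet0/1 3389

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 zone-member security out-zone

! Inbound NAT is applied before inspection, so match the inside address.
ip access-list extended ACL-RDP-TO-SERVER
 permit tcp any host 192.168.10.20 eq 3389

! Plain TCP inspection carries RDP; no "ip port-map user-..." entry needed.
class-map type inspect match-all CM-RDP-IN
 match access-group name ACL-RDP-TO-SERVER
 match protocol tcp

! Everything else from outside to inside is dropped and logged.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-RDP-IN
  inspect
 class class-default
  drop log

zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-TO-IN
```

Additional published ports (for example the 12010, 12011 and 9854 mentioned above) can be added as further permit lines in the ACL together with their own static PAT entries. To confirm that sessions are being built, use show ip nat translations and show policy-map type inspect zone-pair sessions while a connection is open.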