10-02-2018 05:20 AM
Hello,
I am trying to forward port 443 to an internal server (192.168.0.127) without success.
I've looked into all the documentation and guides that I was able to find and still nothing...
Network will be:
Cisco ISR 2951 with a VDSL WIC card connected to the ISP with IP 91.X.X.X
Gi 0/0 connects to an unmanaged switch where 192.168.0.127 is connected.
Gi 0/1 connects to an AP.
Gi 0/2 is not connected.
This is the configuration that I've added:
ip nat inside source static tcp 192.168.0.127 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.127 443 91.X.X.X 443 extendable
ip access-list extended DENIED_WAN_ACCESS
deny tcp any host 192.168.0.1 eq telnet
deny tcp any any eq telnet
permit ip any any
permit tcp any host 91.X.X.X eq 443
permit ip any host 192.168.0.127
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
permit tcp host 192.168.0.127 eq 443 host 91.X.X.X eq 443
permit tcp host 91.X.X.X eq 443 host 192.168.0.127 eq 443
permit tcp any eq 443 host 192.168.0.127 eq 443
I was able to access the router admin console (CCEXP) on port 443. I moved it to a different port.
I see this in the logs:
*Oct 2 11:49:48.420: %FW-6-DROP_PKT: Dropping tcp session 195.X.X.X:24257 192.168.0.127:443 on zone-pair WAN-LAN class class-default due to DROP action found in policy-map with ip ident 25344
At this point, I think I may be better off deleting everything related and starting from scratch, because I have added so many things (I can list all the class-maps if needed) that I'm completely lost.
Can you please give me a hand?
Thanks.
10-02-2018 05:31 AM
Check this document:
Make sure you verify using:
show ip nat translation
10-02-2018 07:50 AM
Hello
Those logs relate to your ZBFW configuration; however, it is hard to troubleshoot what you have actually configured. Is it possible for you to post the full configuration of your router?
10-02-2018 09:17 AM
I managed to get it to work. I just removed everything NAT, policy and ACL related and re-did everything. The problem now is that Telnet and SSH are also open to the internet!!!
Here is my full configuration:
hades#sh run
Building configuration...

Current configuration : 10230 bytes
!
!
Last configuration change at 14:17:21 GMT Tue Oct 2 2018 by ballantin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hades
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ZBmxxxxrRVYtNVcA.
enable password 7 121xxxx51E
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 0 0
!
!
crypto pki trustpoint TP-self-signed-20229xxx84
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-20229xxx84
 revocation-check none
 rsakeypair TP-self-signed-20229xxx84
!
!
crypto pki certificate chain TP-self-signed-2022943784
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303232 39343337 3834301E 170D3138 30393330 30313539
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  3E7EFE83 9E238CDC 95A3C3CA C4448BEB 8FBAEC11 A8427EEE 745F036B B10FEBAE
  B9097788 71372BCC 4B071C8D DD12723F B44BC517 9A6DAC53 6A44450D 2ADFCCDE
  6A6BABA0 E0B9D8F7 F21B6F8B FB541A
  quit
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.0 192.168.0.3
!
ip dhcp pool Pool1
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1 2xx.xxx.xxx.23 2xx.xxx.xxx.23
!
!
!
ip domain name ballantin.com
ip name-server 2xx.xxx.xxx.23
ip name-server 2xx.xxx.xxx.23
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
multilink bundle-name authenticated
!
!
cts logging verbose
license udi pid CISCO2951/K9 sn FCZxxxxxQS
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network allowhttps_dst_net
 any
!
object-group network allowhttps_src_net
 any
!
object-group service allowhttps_svc
 ip
!
object-group network block-external_dst_net
 any
!
object-group network block-external_src_net
 any
!
object-group service block-external_svc
 ip
!
object-group network lan-out_dst_net
 any
!
object-group network lan-out_src_net
 any
!
object-group service lan-out_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 192.168.0.0 255.255.255.0
!
object-group network vpn_remote_subnets
 any
!
username ballantin privilege 15 secret 5 $1$AyY7$Rxxxxxxn07NhQHex.
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 operating mode vdsl2
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-all lan-out
 match access-group name lan-out_acl
class-map type inspect match-any allowhttps_app
 match protocol https
class-map type inspect match-any block-external_app
 match protocol telnet
 match protocol secure-telnet
 match protocol dns
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all allowhttps
 match access-group name allowhttps_acl
 match class-map allowhttps_app
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
class-map type inspect match-all block-external
 description Block External Access to admin resources
 match access-group name block-external_acl
 match class-map block-external_app
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect lan-out
  inspect
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
policy-map type inspect WAN-LAN-POLICY
 class type inspect allowhttps
  inspect
 class type inspect block-external
  drop log
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
crypto isakmp policy 1
!
!
!
!
!
bridge irb
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1412
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface GigabitEthernet0/1
 no ip address
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1412
 load-interval 30
 duplex auto
 speed auto
 bridge-group 1
!
interface GigabitEthernet0/2
 no ip address
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
 duplex auto
 speed auto
 bridge-group 1
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 cdp enable
!
interface Ethernet0/0/0
 no ip address
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
!
interface Ethernet0/0/0.1
 description PrimaryWANDesc_IDNet
 encapsulation dot1Q 101
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description PrimaryWANDesc_IDNet_Ethernet0/0/0.1
 mtu 1492
 ip address 9X.XXX.XXX.XXX 255.255.255.252
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer-group 1
 ppp mtu adaptive
 ppp authentication chap callin
 ppp chap hostname 01908263840@idnet
 ppp chap password 7 091C1A514E0611410A
 ppp ipcp dns request
 no cdp enable
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip access-group DENIED_WAN_ACCESS in
 ip access-group DENIED_WAN_ACCESS out
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
!
router rip
 version 2
 network 192.168.0.0
!
ip forward-protocol nd
!
no ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http secure-port 1080
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.0.127 443 interface Dialer1 443
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended DENIED_WAN_ACCESS
 deny   tcp any host 192.168.0.1 eq telnet
 permit ip any any
 deny   tcp any eq telnet any eq telnet
 deny   tcp any any eq telnet
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended allowhttps_acl
 permit object-group allowhttps_svc object-group allowhttps_src_net object-group allowhttps_dst_net
ip access-list extended block-external_acl
 permit object-group block-external_svc object-group block-external_src_net object-group block-external_dst_net
ip access-list extended lan-out_acl
 permit object-group lan-out_svc object-group lan-out_src_net object-group lan-out_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
!
!
!
snmp-server community public RO
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 06565xxxxxxx541C39
 login authentication local_access
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
10-03-2018 12:49 AM
So I fixed the issue myself thanks to some other post ( https://community.cisco.com/t5/switching/how-to-close-port/td-p/2339250 ).
I just had to use sequence numbers in my access-list. So now it is:
ip access-list extended DENIED_WAN_ACCESS
60 deny tcp any any eq telnet
61 deny tcp any any eq 22
70 permit ip any any
I don't know why, but when I do the "sh run" command the sequence numbers do not show, but the entries are in order.
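Both versions of DENIED_WAN_ACCESS in this thread (the one in the first post and the one in the posted running config, versus the final one with sequence numbers 60/61/70) differ only in entry order, and IOS evaluates an extended ACL top-down, first match wins, with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of extended-ACL syntax the posters used (any / host / address-wildcard, optional "eq" ports), run over the two DENIED_WAN_ACCESS lists, plus a check for entries that can never match because an earlier entry already covers them. The WAN source address 203.0.113.5 is a constructed TEST-NET-3 value, and the function and scenario names are this example's own.

```python
"""First-match evaluation of Cisco IOS extended ACLs (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# IOS "eq <keyword>" names used here; IOS has no "ssh" keyword, hence "eq 22".
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp" (udp would work the same way)
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    text: str              # original line, for reporting


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (IOS wildcard) in place of a prefix length
    return IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the body of 'ip access-list extended NAME'; entries entered
    without a sequence number get highest+10, as IOS assigns them."""
    aces: List[Ace] = []
    next_seq = 10
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] == "ip":          # skip the access-list header line
            continue
        seq = int(t.pop(0)) if t[0].isdigit() else next_seq
        next_seq = max(next_seq, seq + 10)
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        sport = None
        if i < len(t) and t[i] == "eq":
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = _port(t[i + 1])
        aces.append(Ace(seq, action, proto, src, sport, dst, dport, raw.strip()))
    return sorted(aces, key=lambda a: a.seq)


def _matches(a: Ace, proto: str, src: str, dst: str,
             sport: Optional[int], dport: Optional[int]) -> bool:
    return ((a.proto == "ip" or a.proto == proto)
            and IPv4Address(src) in a.src and IPv4Address(dst) in a.dst
            and a.sport in (None, sport) and a.dport in (None, dport))


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry; implicit deny otherwise."""
    for a in sorted(aces, key=lambda a: a.seq):
        if _matches(a, proto, src, dst, sport, dport):
            return a.action
    return "deny"


def _covers(early: Ace, late: Ace) -> bool:
    """True if every packet matching 'late' would already match 'early'."""
    return ((early.proto == "ip" or early.proto == late.proto)
            and late.src.subnet_of(early.src) and late.dst.subnet_of(early.dst)
            and early.sport in (None, late.sport)
            and early.dport in (None, late.dport))


def shadowed(aces: List[Ace]) -> List[Ace]:
    """Entries that can never be reached because an earlier entry covers them."""
    ordered = sorted(aces, key=lambda a: a.seq)
    return [late for i, late in enumerate(ordered)
            if any(_covers(early, late) for early in ordered[:i])]


# DENIED_WAN_ACCESS as it appears in the posted running config.
ORIGINAL_ACL = """
ip access-list extended DENIED_WAN_ACCESS
 deny tcp any host 192.168.0.1 eq telnet
 permit ip any any
 deny tcp any eq telnet any eq telnet
 deny tcp any any eq telnet
"""

# DENIED_WAN_ACCESS as rewritten in the final post, with sequence numbers.
FIXED_ACL = """
ip access-list extended DENIED_WAN_ACCESS
 60 deny tcp any any eq telnet
 61 deny tcp any any eq 22
 70 permit ip any any
"""

WAN_HOST = "203.0.113.5"   # constructed Internet-side address (TEST-NET-3)
ROUTER, SERVER = "192.168.0.1", "192.168.0.127"
SCENARIOS = {                # (proto, src, dst, sport, dport), sports made up
    "telnet to router": ("tcp", WAN_HOST, ROUTER, 51000, 23),
    "ssh to router":    ("tcp", WAN_HOST, ROUTER, 51001, 22),
    "telnet to server": ("tcp", WAN_HOST, SERVER, 51002, 23),
    "https to server":  ("tcp", WAN_HOST, SERVER, 51003, 443),
}


def verdicts(acl_text: str) -> Dict[str, str]:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, verdicts(acl))
        print("  unreachable:", [a.text for a in shadowed(parse_acl(acl))])
```

With the original list, "permit ip any any" sits at sequence 20, so the two Telnet denies after it are unreachable and SSH to the router is permitted; with the 60/61/70 ordering both Telnet and port 22 are denied before the permit is reached. Two practitioner notes that follow from the posted config: `show ip access-lists DENIED_WAN_ACCESS` displays the sequence numbers and per-entry hit counts that `show running-config` omits, which is the quickest way to confirm the order on the box; and because the config applies DENIED_WAN_ACCESS in and out on every interface (Gi0/0-0/2, BVI1 and Dialer1 alike), the fixed list also drops Telnet and SSH from LAN hosts to the router and to the Internet, so if only WAN-side exposure is the concern, applying the list inbound on Dialer1 alone is the narrower placement.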