10-02-2018 05:20 AM
Hello,
I am trying to forward port 443 to an internal server (192.168.0.127) without success.
I've looked into all the documentation and guides that I was able to find, and still nothing.
Network will be:
Cisco ISR 2951 with a VDSL WIC card connected to the ISP with IP 91.X.X.X
Gi 0/0 connects to an unmanaged switch where 192.168.0.127 is connected.
Gi 0/1 connects to an AP.
Gi 0/2 is not connected.
This is the configuration that I've added:
ip nat inside source static tcp 192.168.0.127 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.127 443 91.X.X.X 443 extendable
ip access-list extended DENIED_WAN_ACCESS
deny tcp any host 192.168.0.1 eq telnet
deny tcp any any eq telnet
permit ip any any
permit tcp any host 91.X.X.X eq 443
permit ip any host 192.168.0.127
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
permit tcp host 192.168.0.127 eq 443 host 91.X.X.X eq 443
permit tcp host 91.X.X.X eq 443 host 192.168.0.127 eq 443
permit tcp any eq 443 host 192.168.0.127 eq 443
I was able to access the router admin console (CCEXP) on port 443. I moved it to a different port.
I see this in the logs:
*Oct 2 11:49:48.420: %FW-6-DROP_PKT: Dropping tcp session 195.X.X.X:24257 192.168.0.127:443 on zone-pair WAN-LAN class class-default due to DROP action found in policy-map with ip ident 25344
At this point, I think I may be better deleting everything related and starting from scratch, because I have added so many things (I can list all the class-maps if needed) that I'm completely lost.
Can you please give me a hand?
Thanks.
10-02-2018 05:31 AM
check this document:
make sure you verify using:
show ip nat translation
10-02-2018 07:50 AM
Hello
Those logs relate to your ZBFW configuration; however, it is hard to troubleshoot what you have actually configured. Is it possible for you to post the full configuration of your router?
10-02-2018 09:17 AM
I managed to get it to work. I just removed everything NAT, policy and ACL related and re-did everything. The problem now is that Telnet and SSH are also open to the internet!
Here is my full configuration:
hades#sh run
Building configuration...
Current configuration : 10230 bytes
!
! Last configuration change at 14:17:21 GMT Tue Oct 2 2018 by ballantin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hades
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ZBmxxxxrRVYtNVcA.
enable password 7 121xxxx51E
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 0 0
!
!
crypto pki trustpoint TP-self-signed-20229xxx84
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-20229xxx84
revocation-check none
rsakeypair TP-self-signed-20229xxx84
!
!
crypto pki certificate chain TP-self-signed-2022943784
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32303232 39343337 3834301E 170D3138 30393330 30313539
33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
3E7EFE83 9E238CDC 95A3C3CA C4448BEB 8FBAEC11 A8427EEE 745F036B B10FEBAE
B9097788 71372BCC 4B071C8D DD12723F B44BC517 9A6DAC53 6A44450D 2ADFCCDE
6A6BABA0 E0B9D8F7 F21B6F8B FB541A
quit
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.0 192.168.0.3
!
ip dhcp pool Pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1 2xx.xxx.xxx.23 2xx.xxx.xxx.23
!
!
!
ip domain name ballantin.com
ip name-server 2xx.xxx.xxx.23
ip name-server 2xx.xxx.xxx.23
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
!
!
cts logging verbose
license udi pid CISCO2951/K9 sn FCZxxxxxQS
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network allowhttps_dst_net
any
!
object-group network allowhttps_src_net
any
!
object-group service allowhttps_svc
ip
!
object-group network block-external_dst_net
any
!
object-group network block-external_src_net
any
!
object-group service block-external_svc
ip
!
object-group network lan-out_dst_net
any
!
object-group network lan-out_src_net
any
!
object-group service lan-out_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.0.0 255.255.255.0
!
object-group network vpn_remote_subnets
any
!
username ballantin privilege 15 secret 5 $1$AyY7$Rxxxxxxn07NhQHex.
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode vdsl2
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-all lan-out
match access-group name lan-out_acl
class-map type inspect match-any allowhttps_app
match protocol https
class-map type inspect match-any block-external_app
match protocol telnet
match protocol secure-telnet
match protocol dns
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all allowhttps
match access-group name allowhttps_acl
match class-map allowhttps_app
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
class-map type inspect match-all block-external
description Block External Access to admin resources
match access-group name block-external_acl
match class-map block-external_app
!
policy-map type inspect LAN-WAN-POLICY
class type inspect lan-out
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect WAN-LAN-POLICY
class type inspect allowhttps
inspect
class type inspect block-external
drop log
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
crypto isakmp policy 1
!
!
!
!
!
bridge irb
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
duplex auto
speed auto
no mop enabled
bridge-group 1
!
interface GigabitEthernet0/1
no ip address
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/2
no ip address
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
duplex auto
speed auto
bridge-group 1
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
cdp enable
!
interface Ethernet0/0/0
no ip address
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
!
interface Ethernet0/0/0.1
description PrimaryWANDesc_IDNet
encapsulation dot1Q 101
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description PrimaryWANDesc_IDNet_Ethernet0/0/0.1
mtu 1492
ip address 9X.XXX.XXX.XXX 255.255.255.252
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname 01908263840@idnet
ppp chap password 7 091C1A514E0611410A
ppp ipcp dns request
no cdp enable
!
interface BVI1
ip address 192.168.0.1 255.255.255.0
ip access-group DENIED_WAN_ACCESS in
ip access-group DENIED_WAN_ACCESS out
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
!
router rip
version 2
network 192.168.0.0
!
ip forward-protocol nd
!
no ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http secure-port 1080
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.0.127 443 interface Dialer1 443
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended DENIED_WAN_ACCESS
deny tcp any host 192.168.0.1 eq telnet
permit ip any any
deny tcp any eq telnet any eq telnet
deny tcp any any eq telnet
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended allowhttps_acl
permit object-group allowhttps_svc object-group allowhttps_src_net object-group allowhttps_dst_net
ip access-list extended block-external_acl
permit object-group block-external_svc object-group block-external_src_net object-group block-external_dst_net
ip access-list extended lan-out_acl
permit object-group lan-out_svc object-group lan-out_src_net object-group lan-out_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
!
!
snmp-server community public RO
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 06565xxxxxxx541C39
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
10-03-2018 12:49 AM
So I fixed the issue myself thanks to another post (https://community.cisco.com/t5/switching/how-to-close-port/td-p/2339250).
I just had to use the sequence numbers in my access-list. So now it is:
ip access-list extended DENIED_WAN_ACCESS
60 deny tcp any any eq telnet
61 deny tcp any any eq 22
70 permit ip any any
I don't know why, but when I do the "sh run" command the sequence numbers do not show, but the entries are in order.
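As an added illustration (not part of this thread and not a Cisco tool), the script below lints a constructed excerpt modelled on the running-config posted above for the points the thread turns on: the `permit ip any any` that sat ahead of the telnet denies in DENIED_WAN_ACCESS (ACLs are first-match, so the entries after it were unreachable, which is what putting them at sequence 60/61 ahead of the permit at 70 fixed), `transport input telnet ssh` on the vty lines, the `public` SNMP community, the type-7 `enable password` kept alongside the `enable secret`, and the vty `access-class 23` that names an ACL which does not appear in the posted config. It also reports that DENIED_WAN_ACCESS is applied inbound on the NAT-inside interfaces, so its telnet/SSH denies apply to LAN-originated sessions too, not just to the WAN side. The parser only understands the config idioms used in the sample; names such as `lint`, `blocks` and `MGMT_DENY` are my own.

```python
"""Lint an IOS running-config excerpt for the exposure issues discussed in this thread.
Hypothetical helper (not a Cisco tool); it understands only the config idioms used below."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the config posted above (secrets already masked).
SAMPLE_CONFIG = """\
enable secret 5 $1$ZBmxxxxrRVYtNVcA.
enable password 7 121xxxx51E
!
interface GigabitEthernet0/0
 ip access-group DENIED_WAN_ACCESS in
 ip nat inside
!
interface Dialer1
 ip access-group DENIED_WAN_ACCESS in
 ip nat outside
!
ip access-list extended DENIED_WAN_ACCESS
 deny tcp any host 192.168.0.1 eq telnet
 permit ip any any
 deny tcp any eq telnet any eq telnet
 deny tcp any any eq telnet
!
snmp-server community public RO
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""

MGMT_DENY = re.compile(r"deny tcp any any eq (telnet|22|ssh)$")


def blocks(config: str, header: str) -> Dict[str, List[str]]:
    """Collect the indented lines under every line starting with `header`,
    keyed by the remainder of that header line (interface name, ACL name, ...)."""
    out: Dict[str, List[str]] = {}
    key = None
    for line in config.splitlines():
        if line.startswith(header):
            key = line[len(header):].strip()
            out.setdefault(key, [])
        elif not line.startswith(" "):
            key = None  # '!' or any other top-level line ends the block
        elif key is not None and line.strip():
            out[key].append(line.strip())
    return out


def shadowed_entries(entries: List[str]) -> List[str]:
    """ACLs are evaluated top-down, first match wins: everything after a
    catch-all 'permit ip any any' / 'deny ip any any' can never match."""
    unreachable, catch_all = [], False
    for entry in entries:
        body = re.sub(r"^\d+\s+", "", entry)  # drop a sequence number if one is shown
        if catch_all:
            unreachable.append(body)
        elif re.fullmatch(r"(permit|deny) ip any any", body):
            catch_all = True
    return unreachable


def lint(config: str) -> List[str]:
    findings: List[str] = []
    acls = blocks(config, "ip access-list extended ")
    acls.update(blocks(config, "ip access-list standard "))
    for m in re.finditer(r"^access-list (\d+) (.+)$", config, re.M):  # numbered ACLs
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    for name, entries in acls.items():
        for entry in shadowed_entries(entries):
            findings.append(f"acl {name}: '{entry}' is unreachable (after a catch-all)")
    for name, lines in blocks(config, "interface ").items():
        if "ip nat inside" not in lines:
            continue
        for line in lines:
            m = re.match(r"ip access-group (\S+) in", line)
            if m and any(MGMT_DENY.search(e) for e in acls.get(m.group(1), [])):
                findings.append(f"acl {m.group(1)} inbound on inside interface {name}: "
                                "its telnet/ssh denies also drop LAN-originated sessions")
    if re.search(r"^enable password 7 ", config, re.M):
        findings.append("enable password is type-7 (reversible); keep only 'enable secret'")
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in {"public", "private"}:
            findings.append(f"snmp community '{m.group(1)}' is a well-known default")
    for vty, lines in blocks(config, "line vty ").items():
        for line in lines:
            m = re.match(r"access-class (\S+) in", line)
            if m and m.group(1) not in acls:
                findings.append(f"line vty {vty}: access-class {m.group(1)} names an ACL not in this config")
            if line.startswith("transport input") and "telnet" in line.split():
                findings.append(f"line vty {vty}: telnet accepted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the saved output of `show running-config` in place of the sample. The resequenced DENIED_WAN_ACCESS from the last post (denies at 60 and 61, `permit ip any any` at 70) produces no unreachable-entry finding, but the inside-interface finding remains as long as the ACL stays applied on the LAN-facing interfaces.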