0 Replies Latest reply: Sep 15, 2010 7:15 AM by farroar

    ZBFW and port redirection/forwarding

    farroar

      I am having trouble with Zone Based Firewalls. I don't think the issue is that they are difficult to understand; it is just that they are so big. I have been using SDM to create a basic ZBFW and then deconstructing that to understand it better. I am encountering two problems:

      1. If I use the wizard and create a ZBFW at anything higher than the low setting, no computer can browse the internet. It shuts down completely. If I use the low setting, it works just fine. I have no idea why this would be happening.

      2. I need to understand how to do port forwarding after the implementation of a ZBFW. I have noticed that if I do all my port forwarding before I implement the FW with SDM then the ports work fine. But when I try to emulate what SDM did (or I thought it did) to create the openings, I can't get it to work.

      I am using RDP as a test application to run through the firewall from the outside to the inside. Below is the code I altered from the SDM-defined basic firewall and attempted to add the RDP application to be forwarded to the PC at 192.168.10.2. Items in bold are what I added. What is preventing this from working?

      Thanks!


      ip port-map user-RDP port tcp 3389
      ip port-map user-RDP port udp 3389

      !
      multilink bundle-name authenticated
      !

      !
      !
      !
      archive
       log config
        hidekeys
      !
      !
      !
      class-map type inspect match-any SDM_HTTPS
       match access-group name SDM_HTTPS
      class-map type inspect match-any SDM_SSH
       match access-group name SDM_SSH
      class-map type inspect match-any SDM_SHELL
       match access-group name SDM_SHELL
      class-map type inspect match-any sdm-cls-access
       match class-map SDM_HTTPS
       match class-map SDM_SSH
       match class-map SDM_SHELL
      class-map type inspect match-any sdm-cls-insp-traffic
       match protocol cuseeme
       match protocol dns
       match protocol ftp
       match protocol h323
       match protocol https
       match protocol icmp
       match protocol imap
       match protocol pop3
       match protocol netshow
       match protocol shell
       match protocol realmedia
       match protocol rtsp
       match protocol smtp extended
       match protocol sql-net
       match protocol streamworks
       match protocol tftp
       match protocol vdolive
       match protocol tcp
       match protocol udp
      class-map type inspect match-all sdm-insp-traffic
       match class-map sdm-cls-insp-traffic
      class-map type inspect match-any SDM-Voice-permit
       match protocol h323
       match protocol skinny
       match protocol sip
      class-map type inspect match-any sdm-cls-icmp-access
       match protocol icmp
       match protocol tcp
       match protocol udp
      class-map type inspect match-all RDP
       match access-group name RDP
       match protocol user-RDP

      class-map type inspect match-all sdm-access
       match class-map sdm-cls-access
       match access-group 101
      class-map type inspect match-all sdm-icmp-access
       match class-map sdm-cls-icmp-access
      class-map type inspect match-all sdm-invalid-src
       match access-group 100
      class-map type inspect match-all sdm-protocol-http
       match protocol http
      !
      !
      policy-map type inspect sdm-permit-icmpreply
       class type inspect sdm-icmp-access
        inspect
       class class-default
        pass
      policy-map type inspect sdm-inspect
       class type inspect sdm-invalid-src
        drop log
       class type inspect sdm-insp-traffic
        inspect
       class type inspect sdm-protocol-http
        inspect
       class type inspect SDM-Voice-permit
        inspect
       class class-default
        pass
      policy-map type inspect sdm-permit
       class type inspect sdm-access
        inspect
       class class-default
      policy-map type inspect RDP
       class type inspect RDP
        inspect
       class class-default
        pass

      !
      zone security out-zone
      zone security in-zone
      zone-pair security sdm-zp-self-out source self destination out-zone
       service-policy type inspect sdm-permit-icmpreply
      zone-pair security sdm-zp-out-self source out-zone destination self
       service-policy type inspect sdm-permit
      zone-pair security sdm-zp-in-out source in-zone destination out-zone
       service-policy type inspect sdm-inspect
      !
      !
      !
      interface FastEthernet0
      !
      interface FastEthernet1
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface FastEthernet4
       description $FW_OUTSIDE$
       ip address dhcp
       ip nat outside
       ip virtual-reassembly
       zone-member security out-zone
       duplex auto
       speed auto
      !
      interface Vlan1
       description $FW_INSIDE$
       ip address 192.168.10.1 255.255.255.0
       ip nat inside
       ip virtual-reassembly
       zone-member security in-zone
      !
      ip forward-protocol nd
      !
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip nat inside source list NAT interface FastEthernet4 overload
      ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet4 3389
      ip nat inside source static udp 192.168.10.2 3389 interface FastEthernet4 3389

      !
      ip access-list standard NAT
       permit 192.168.10.0 0.0.0.255
      ip access-list standard RDP
       permit 192.168.10.2

      !
      ip access-list extended SDM_HTTPS
       remark SDM_ACL Category=1
       permit tcp any any eq 443
      ip access-list extended SDM_SHELL
       remark SDM_ACL Category=1
       permit tcp any any eq cmd
      ip access-list extended SDM_SSH
       remark SDM_ACL Category=1
       permit tcp any any eq 22
      !
      access-list 100 remark SDM_ACL Category=128
      access-list 100 permit ip host 255.255.255.255 any
      access-list 100 permit ip 127.0.0.0 0.255.255.255 any
      access-list 101 remark SDM_ACL Category=128
      access-list 101 permit ip any any
      !
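The configuration in the post above defines a policy-map named RDP but, as pasted, never binds it to a zone-pair, and there is no zone-pair at all for the out-zone to in-zone direction. The script that follows is an added audit example, not part of the original post and not SDM output: it parses a trimmed, constructed copy of the posted ZBFW statements and reports the structural gaps an auditor checks for in a zone-based firewall, namely inspect policies that are defined but applied to no zone-pair, zone directions with no zone-pair, and class-maps keyed on a standard ACL (which tests only the source address). The function names parse_zbfw and audit_zbfw and the SAMPLE_CONFIG text are my own.

```python
"""Structural audit of a Cisco IOS zone-based firewall (ZBFW) configuration.

Added example: parses the inspect-related statements and reports gaps that
leave a policy without effect. Function names and the sample text are mine.
"""
import re
from itertools import permutations

# Constructed sample: a trimmed copy of the ZBFW statements quoted in the post
# (zones, zone-pairs, policy-maps, the RDP class-map and ACLs), not a full config.
SAMPLE_CONFIG = """
ip port-map user-RDP port tcp 3389
class-map type inspect match-all RDP
 match access-group name RDP
 match protocol user-RDP
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
policy-map type inspect sdm-permit-icmpreply
 class class-default
  pass
policy-map type inspect sdm-inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect sdm-access
  inspect
 class class-default
policy-map type inspect RDP
 class type inspect RDP
  inspect
 class class-default
  pass
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
ip access-list standard RDP
 permit 192.168.10.2
ip access-list extended SDM_HTTPS
 permit tcp any any eq 443
"""


def parse_zbfw(text):
    """Collect zones, zone-pairs, policy-map names, class-map ACL references
    and ACL types. Matching is keyword based rather than indentation based,
    so it also copes with config pasted into a forum with its leading spaces lost."""
    cfg = {"zones": [], "zone_pairs": [], "policy_maps": [],
           "class_maps": {}, "acls": {}}
    current = None  # zone-pair or class-map that following sub-commands belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"zone security (\S+)$", line):
            cfg["zones"].append(m.group(1))
            current = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            current = {"name": m.group(1), "source": m.group(2),
                       "destination": m.group(3), "policy": None}
            cfg["zone_pairs"].append(current)
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            if current is not None and "policy" in current:
                current["policy"] = m.group(1)
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cfg["policy_maps"].append(m.group(1))
            current = None
        elif m := re.match(r"class-map type inspect (match-\w+) (\S+)", line):
            current = {"mode": m.group(1), "acls": []}
            cfg["class_maps"][m.group(2)] = current
        elif m := re.match(r"match access-group (?:name )?(\S+)", line):
            if current is not None and "acls" in current:
                current["acls"].append(m.group(1))
        elif m := re.match(r"ip access-list (standard|extended) (\S+)", line):
            cfg["acls"][m.group(2)] = m.group(1)
            current = None
    return cfg


def audit_zbfw(cfg):
    """Return findings about inspect policy that cannot take effect as written."""
    findings = []
    # A policy-map only acts on traffic once a zone-pair carries it.
    applied = {zp["policy"] for zp in cfg["zone_pairs"]}
    for name in cfg["policy_maps"]:
        if name not in applied:
            findings.append(f"policy-map {name} is not applied to any zone-pair, "
                            f"so it never affects traffic")
    # Between two security zones, a direction with no zone-pair drops new sessions.
    directions = {(zp["source"], zp["destination"]) for zp in cfg["zone_pairs"]}
    for src, dst in permutations(cfg["zones"], 2):
        if (src, dst) not in directions:
            findings.append(f"no zone-pair from {src} to {dst}: new connections in "
                            f"that direction are dropped (only return traffic of "
                            f"sessions inspected the other way is allowed)")
    # A standard ACL matches the source address only; it cannot select a destination host.
    for name, cm in cfg["class_maps"].items():
        for acl in cm["acls"]:
            if cfg["acls"].get(acl) == "standard":
                findings.append(f"class-map {name} matches standard ACL {acl}, which "
                                f"tests only the source address")
    return findings


if __name__ == "__main__":
    for finding in audit_zbfw(parse_zbfw(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the sample, the audit reports three findings: policy-map RDP is bound to no zone-pair, there is no zone-pair from out-zone to in-zone, and class-map RDP is keyed on a standard ACL. In IOS terms the first two are closed by a zone-pair with source out-zone and destination in-zone that carries `service-policy type inspect RDP`; for the third, inbound traffic on IOS is NAT-translated before the inspect policy evaluates it, so the class-map should reference an extended ACL that names 192.168.10.2 as the destination on port 3389 rather than a standard ACL that lists it as a source.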