Cisco Learning Home > CCNA Security Study Group > Discussions

ZBFW and port redirection/forwarding

Sep 15, 2010 7:15 AM

farroar

I am having trouble with Zone Based Firewalls. I don't think the issue is that they are difficult to understand, it is just that they are so big. I have been using SDM to create a basic ZBFW and then deconstructing that to understand it better. I am encountering two problems:

1. If I use the wizard and create a ZBFW at a setting higher than the low setting, no computer can browse the internet. It shuts down completely. If I use the low setting, it works just fine. I have no idea why this would be happening.

2. I need to understand how to do port forwarding after the implementation of a ZBFW. I have noticed that if I do all my port forwarding before I implement the FW with SDM then the ports work fine. But when I try to emulate what SDM did (or I thought it did) to create the openings, I can't get it to work.

I am using RDP as a test application to run through the firewall from the outside to the inside. Below is the code I altered from the SDM-defined basic firewall, attempting to add the RDP application to be forwarded to the PC at 192.168.10.2. Items in bold are what I added. What is preventing this from working?

Thanks!

ip port-map user-RDP port tcp 3389
ip port-map user-RDP port udp 3389

!
multilink bundle-name authenticated
!

!
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all RDP
match access-group name RDP
match protocol user-RDP

class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect sdm-access
  inspect
class class-default
policy-map type inspect RDP
class type inspect RDP
  inspect
class class-default
  pass

!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.10.2 3389 interface FastEthernet4 3389

!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
ip access-list standard RDP
permit 192.168.10.2

!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
!
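
An added example (not from the original post or SDM output) of the pieces the configuration above lacks for inbound RDP through ZBFW: a zone-pair in the out-zone to in-zone direction with a policy bound to it, and an extended ACL that matches the inside destination host, since a standard ACL used with "match access-group" only tests the source address. It assumes the zones, outside interface and port-map from the post; the names RDP-IN and zp-out-in are assumptions.

```cisco
! Added example (not the poster's config): inbound RDP through ZBFW.
! Assumes out-zone, in-zone and FastEthernet4 as defined in the post.
!
! User-defined application on TCP 3389 (the name must start with "user-")
ip port-map user-RDP port tcp 3389
!
! Static port forward: outside interface :3389 -> 192.168.10.2:3389
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet4 3389
!
! Extended ACL keyed on the DESTINATION host. A standard ACL only tests the
! source address, so "permit 192.168.10.2" never matches a connection coming
! from the Internet to that host. NAT translates the destination before the
! out-zone -> in-zone policy is evaluated, so the inside address is used.
ip access-list extended RDP-IN
 remark inbound RDP to the forwarded host only
 permit tcp any host 192.168.10.2 eq 3389
!
! match-all: both the ACL and the port-map protocol must match
class-map type inspect match-all RDP-IN
 match access-group name RDP-IN
 match protocol user-RDP
!
! Inspect RDP; everything else from the Internet toward the LAN is dropped.
! Do not use "pass" on class-default here: on an out -> in pair it would
! forward all other unsolicited inbound traffic without state tracking.
policy-map type inspect RDP-IN
 class type inspect RDP-IN
  inspect
 class class-default
  drop log
!
! The missing piece: with no zone-pair in this direction, ZBFW drops every
! out-zone -> in-zone packet regardless of the static NAT entry.
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect RDP-IN
```

Check the binding with "show zone-pair security" and watch sessions and drops with "show policy-map type inspect zone-pair zp-out-in" while connecting from outside.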
