
New Member

CCP - Advanced Firewall Creating Custom Ports Inbound Traffic

Hey folks, I desperately need some assistance with my ISR 800 series router zone-based firewall.

The router is currently setup and routing traffic to the internet successfully.

I would like to setup a custom inbound port(TCP-3389) accessible from the internet.

Port destination termination will be an internal PC at say 192.168.1.50.

How can I accomplish this using CCP or the console?

I have already defined the port-to-application mapping using CCP; however, the firewall is recording the following syslog message:

%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action  found in policy-map with ip ident 0

Any assistance is greatly appreciated

If the full config is required to assist, please let me know.
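The %FW-6-DROP_PKT message above already names the zone-pair and the class that dropped the flow, which is the first thing to read when a zone-based firewall drops something: a drop attributed to class-default means no inspect class in that policy-map matched the flow at all, while a drop attributed to a named class means the flow was classified and that class is configured to drop. The following is an added example, not code from the original post or from Cisco, that parses such messages and counts drops per zone-pair, class, protocol and destination port. The sample buffer is constructed: the first entry is the message from the question with a made-up sequence-number and timestamp prefix, the other firewall lines are invented variations in the same format, and the %SYS-5-CONFIG_I line is there only to show unrelated syslog lines being skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the body of an IOS zone-based firewall drop message such as
#   %FW-6-DROP_PKT: Dropping udp session 1.2.3.4:13925 192.168.1.50:3389
#   on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to
#   DROP action found in policy-map with ip ident 0
# Whitespace is matched loosely because the router pads some fields.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT:\s+Dropping\s+(?P<proto>\w+)\s+session\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"on\s+zone-pair\s+(?P<zp>\S+)\s+class\s+(?P<cls>\S+)\s+"
    r"due\s+to\s+(?P<reason>\S+)\s+action\s+found\s+in\s+policy-map"
)


@dataclass(frozen=True)
class DropEvent:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str
    reason: str


def parse_drop(line: str) -> Optional[DropEvent]:
    """Parse one syslog line; returns None for lines that are not FW drops."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return DropEvent(
        proto=m["proto"].lower(),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        zone_pair=m["zp"], class_name=m["cls"], reason=m["reason"],
    )


def diagnose(ev: DropEvent) -> str:
    """Map the class named in a drop to the policy-chain step that failed.

    class-default means no inspect class in the policy-map matched the flow
    (classification failed); a named class means the flow was classified but
    that class is configured with a drop action.
    """
    if ev.class_name == "class-default":
        return ("unclassified: no class in the policy-map on zone-pair "
                f"{ev.zone_pair} matched {ev.proto}/{ev.dport}")
    return (f"classified into {ev.class_name} on zone-pair {ev.zone_pair}, "
            "but that class drops")


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str, int], int]:
    """Count drops per (zone-pair, class, protocol, destination port)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_drop(line)
        if ev is not None:
            counts[(ev.zone_pair, ev.class_name, ev.proto, ev.dport)] += 1
    return dict(counts)


# Constructed sample buffer: line 1 is the message from the question with a
# made-up prefix; the other firewall lines are invented variations.
SAMPLE_LOG = [
    "000101: Aug 23 18:05:26.101 EST: %FW-6-DROP_PKT: Dropping udp session "
    "24.76.164.168:13925 192.168.1.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone "
    "class class-default due to DROP action  found in policy-map with ip ident 0",
    "000102: Aug 23 18:05:27.204 EST: %FW-6-DROP_PKT: Dropping tcp session "
    "198.51.100.7:50212 192.168.10.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone "
    "class class-default due to DROP action  found in policy-map with ip ident 0",
    "000103: Aug 23 18:05:28.310 EST: %FW-6-DROP_PKT: Dropping tcp session "
    "198.51.100.7:50213 192.168.10.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone "
    "class class-default due to DROP action  found in policy-map with ip ident 0",
    "000104: Aug 23 18:05:29.415 EST: %FW-6-DROP_PKT: Dropping tcp session "
    "192.168.1.9:40001 203.0.113.5:80  on zone-pair ccp-zp-in-out "
    "class ccp-invalid-src due to DROP action  found in policy-map with ip ident 0",
    "000105: Aug 23 18:05:30.000 EST: %SYS-5-CONFIG_I: Configured from console by sshs",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key}")
    print(diagnose(parse_drop(SAMPLE_LOG[0])))
```

Feed it the output of `show logging` (the config above sends syslog to 192.168.10.50 as well, so the same lines arrive at that host); a cluster of class-default drops for one destination port on the out-zone to in-zone pair is exactly the signature of a missing or non-matching class-map, which is what the replies below go on to fix.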


Accepted Solutions
Purple

CCP - Advanced Firewall Creating Custom Ports Inbound Traffic

Hi,

So you want to port forward TCP 3389 to 192.168.10.50?

If so, then first you must have a static PAT statement:

ip nat inside source static tcp 192.168.10.50 3389 interface FastEthernet4 3389

Then you'll have to inspect this traffic when entering your firewall:

class-map type inspect user-remote-app-tcp
 match protocol user-remote-app-tcp
no policy-map type inspect ccp-pol-outToIn
policy-map type inspect ccp-pol-outToIn
 class type inspect user-remote-app-tcp
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-1
  pass log
 class class-default
  drop log

Regards

Alain

Don't forget to rate helpful posts.
6 REPLIES
Hall of Fame Super Silver

CCP - Advanced Firewall Creating Custom Ports Inbound Traffic

When using CCP, generally you would follow the procedure starting on page 485 here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf

If that didn't work for you, please share your class-maps, policy-maps and zone-pairs sections so we can have a look at what is failing.

We look for:

1. The traffic is classified in a class-map

2. The policy-map passes the classified traffic

3. The zone-pair applies that policy-map
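The three checks above, together with the change in the accepted answer, as an added Python example that is not code from this thread or from Cisco. It parses a constructed excerpt modelled on the configuration posted in the next reply (BEFORE) and the same excerpt with the accepted answer applied (AFTER), then walks zone-pair -> policy-map -> class-map -> action for a TCP/3389 flow and reports each check. Assumptions: the toy parser understands only the statement forms in the excerpts (user port-maps, inspect class-maps with match protocol / class-map / access-group, inspect policy-maps, zone-pairs and `permit ip any ...` ACL lines); IOS built-in protocol names and the port-map `list` scope are not modelled; and the flow's destination is the inside address because that is what the drop message in the question reports. On BEFORE the walk ends in class-default and flags a class-map named `uremote-app` that the posted config references but never defines; on AFTER the flow lands in the new class with action inspect. It also shows that a UDP flow to 3389 still falls to class-default after the fix, because the port-map is defined for tcp only.

```python
from typing import List, NamedTuple

# Constructed excerpt modelled on the posted config (not the full config): the
# out->in policy's 3389 class references "uremote-app", a class-map that is never
# defined, so the match-all class cannot match and TCP/3389 drops in class-default.
BEFORE = """\
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
ip access-list extended remote-app
 permit ip any host 192.168.10.50
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match class-map uremote-app
 match access-group name remote-app
policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-cls-ccp-pol-outToIn-1
  pass log
 class class-default
  drop log
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
"""
# Same excerpt with the accepted answer applied: a class-map that matches the
# user port-map, placed first in the out->in policy-map with action inspect.
AFTER = """\
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
class-map type inspect user-remote-app-tcp
 match protocol user-remote-app-tcp
policy-map type inspect ccp-pol-outToIn
 class type inspect user-remote-app-tcp
  inspect
 class class-default
  drop log
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
"""


class Flow(NamedTuple):
    proto: str  # "tcp" or "udp"
    dst: str    # inside (post-NAT) address, as shown in the FW-6-DROP_PKT message
    dport: int


class ZbfwConfig:
    """Toy ZBFW model: knows only user port-maps (no IOS built-in protocol names),
    ignores the port-map 'list' scope, reads ACL entries 'permit ip any any|host X'."""
    def __init__(self, text: str) -> None:
        self.port_maps, self.acls, self.zone_pairs = {}, {}, {}
        self.class_maps, self.policy_maps = {}, {}   # name -> (mode, criteria) / [[cls, action]]
        ctx = None
        for raw in text.splitlines():
            t = raw.split()
            if not t or t[0] == "!":
                continue
            if not raw.startswith(" "):              # top-level statement opens a block
                ctx = None
                if t[:2] == ["ip", "port-map"]:
                    self.port_maps[(t[4], int(t[5]))] = t[2]
                elif t[:3] == ["ip", "access-list", "extended"]:
                    ctx, self.acls[t[3]] = ("acl", t[3]), []
                elif t[:3] == ["class-map", "type", "inspect"]:   # match-all is the default
                    mode = t[3] if t[3].startswith("match-") else "match-all"
                    ctx, self.class_maps[t[-1]] = ("cm", t[-1]), (mode, [])
                elif t[:3] == ["policy-map", "type", "inspect"]:
                    ctx, self.policy_maps[t[3]] = ("pm", t[3]), []
                elif t[:2] == ["zone-pair", "security"]:
                    ctx = ("zp", (t[4], t[6]))       # (source zone, destination zone)
                continue
            kind, name = ctx or (None, None)
            if kind == "acl" and t[0] == "permit":
                self.acls[name].append("any" if t[3] == "any" else t[4])
            elif kind == "cm" and t[0] == "match":   # protocol X / class-map X / access-group name X
                self.class_maps[name][1].append((t[1], t[-1]))
            elif kind == "pm" and t[0] == "class":   # 'class type inspect X' / 'class class-default'
                self.policy_maps[name].append([t[-1], None])
            elif kind == "pm":                       # inspect / pass / drop [log]
                self.policy_maps[name][-1][1] = t[0]
            elif kind == "zp" and t[:3] == ["service-policy", "type", "inspect"]:
                self.zone_pairs[name] = t[3]

    def matches(self, cm: str, flow: Flow, warnings: List[str]) -> bool:
        """Step 1: does class-map `cm` classify the flow? A dangling reference never matches."""
        if cm not in self.class_maps:
            warnings.append(f"class-map '{cm}' is referenced but never defined")
            return False
        mode, criteria = self.class_maps[cm]
        hits = [self.port_maps.get((flow.proto, flow.dport)) == v if k == "protocol"
                else self.matches(v, flow, warnings) if k == "class-map"
                else any(d in ("any", flow.dst) for d in self.acls.get(v, []))  # access-group
                for k, v in criteria]
        return bool(hits) and (any(hits) if mode == "match-any" else all(hits))

    def trace(self, src_zone: str, dst_zone: str, flow: Flow) -> dict:
        """Steps 2-3: zone-pair -> policy-map -> first matching class -> action."""
        warnings: List[str] = []
        pm = self.zone_pairs.get((src_zone, dst_zone))   # None: no zone-pair, default drop
        cls, action = "class-default", "drop"
        for name, act in self.policy_maps.get(pm, []):
            if name == "class-default" or self.matches(name, flow, warnings):
                cls, action = name, act or "drop"
                break
        return {"zone_pair_applied": pm is not None, "classified": cls != "class-default",
                "permitted": action in ("inspect", "pass"), "class": cls,
                "action": action, "warnings": warnings}
```

Usage: `ZbfwConfig(BEFORE).trace("out-zone", "in-zone", Flow("tcp", "192.168.10.50", 3389))` returns `classified: False`, `action: "drop"` and a warning about `uremote-app`; the same call on `AFTER` returns `class: "user-remote-app-tcp"`, `action: "inspect"`. The order of classes in the policy-map matters, which is why the accepted answer puts the new class before the existing ones rather than appending it after class-default.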

New Member

Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi

Thanks for your response.

Pardon my ignorance! How can I export this info from the CCP interface to share? In lieu of that procedure, I have provided the full config below.

Building configuration...

Current configuration : 22564 bytes

!

! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs

! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs

! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs

version 15.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 881W-SSHS-R1

!

boot-start-marker

boot system flash:c880data-universalk9-mz.153-1.T.bin

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 8192 warnings

enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk

enable password 7 09485B1F180B03175A

!

aaa new-model

!

!

aaa authentication login sslvpn local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone EST -5 0

clock summer-time UTC recurring

service-module wlan-ap 0 bootimage autonomous

!

crypto pki server 881-sshs-r1ca

database archive pem password 7 121D1001130518017B

issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON

lifetime certificate 1095

lifetime ca-certificate 1825

!

crypto pki trustpoint sshs-trustpoint

enrollment selfsigned

serial-number

subject-name CN=sshs-certificate

revocation-check crl

rsakeypair sshs-rsa-keys

!

crypto pki trustpoint 881-sshs-r1ca

revocation-check crl

rsakeypair 881-sshs-r1ca

!

!

crypto pki certificate chain sshs-trustpoint

certificate self-signed 01

  308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012

  06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216

  0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D

  32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63

  65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459

  30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06

  092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E

  BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3

  6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06

  03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041

  8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A

  EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100

  BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F

  50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087

      quit

crypto pki certificate chain 881-sshs-r1ca

certificate ca 01

  30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306

  03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368

  73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E

  73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131

  5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530

  13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73

  73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469

  6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB

  2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7

  B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605

  80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B

  02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D

  0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC

  8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85

  10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548

  B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A

  0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149

  2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF

  CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8

      quit

no ip source-route

!

!

!

!

ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app

!

ip dhcp excluded-address 192.168.10.1 192.168.10.200

ip dhcp excluded-address 192.168.20.1 192.168.20.200

ip dhcp excluded-address 192.168.30.1 192.168.30.200

!

ip dhcp pool SSHS-LAN

import all

network 192.168.10.0 255.255.255.0

dns-server 192.168.10.1

default-router 192.168.10.1

domain-name sshs.local

lease 2

!

ip dhcp pool VLAN20

import all

network 192.168.20.0 255.255.255.0

dns-server 192.168.10.1

default-router 192.168.20.1

domain-name sshs.local

lease 2

!

ip dhcp pool VLAN30

import all

network 192.168.30.0 255.255.255.0

dns-server 192.168.10.1

default-router 192.168.30.1

domain-name sshs.local

lease 2

!

!

!

no ip bootp server

ip domain name sshs.local

ip host 881W-SSHS-R1 192.168.10.1

ip name-server 208.122.23.22

ip name-server 208.122.23.23

ip cef

no ipv6 cef

ipv6 multicast rpf use-bgp

!

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

!

multilink bundle-name authenticated

license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y

license boot module c880-data level advipservices

!

!

username sshs privilege 15 password 7 050F131920425A0C48

username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc

!

!

!

!

!

ip tcp synwait-time 10

no ip ftp passive

!

class-map type inspect imap match-any ccp-app-imap

match invalid-command

class-map match-any AutoQoS-Voice-Fa4

match protocol rtp audio

class-map type inspect match-all CCP_SSLVPN

match access-group 199

class-map match-any AutoQoS-Scavenger-Fa4

match protocol bittorrent

match protocol edonkey

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any remote-app

match protocol Other

class-map type inspect match-all SDM_RIP_PT

match protocol router

class-map type inspect match-any bootps

match protocol bootps

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-any SDM_HTTP

match access-group name SDM_HTTP

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match service any

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map match-any AutoQoS-VoIP-Remark

match ip dscp ef

match ip dscp cs3

match ip dscp af31

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect pop3 match-any ccp-app-pop3

match invalid-command

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any bootpc_bootps

match protocol bootpc

match protocol bootps

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match service text-chat

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect http match-any ccp-app-httpmethods

match request method bcopy

match request method bdelete

match request method bmove

match request method bpropfind

match request method bproppatch

match request method connect

match request method copy

match request method delete

match request method edit

match request method getattribute

match request method getattributenames

match request method getproperties

match request method index

match request method lock

match request method mkcol

match request method mkdir

match request method move

match request method notify

match request method options

match request method poll

match request method propfind

match request method proppatch

match request method put

match request method revadd

match request method revlabel

match request method revlog

match request method revnum

match request method save

match request method search

match request method setattribute

match request method startrev

match request method stoprev

match request method subscribe

match request method trace

match request method unedit

match request method unlock

match request method unsubscribe

class-map match-any AutoQoS-VoIP-Control-UnTrust

match access-group name AutoQoS-VoIP-Control

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match request port-misuse im

match request port-misuse p2p

match req-resp protocol-violation

class-map type inspect aol match-any ccp-app-aol

match service text-chat

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map match-any AutoQoS-VoIP-RTP-UnTrust

match protocol rtp audio

match access-group name AutoQoS-VoIP-RTCP

class-map type inspect http match-any ccp-http-allowparam

match request port-misuse tunneling

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 102

class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1

match class-map bootps

match access-group name boops-DHCP

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all ccp-cls-ccp-permit-1

match class-map bootpc_bootps

match access-group name DHCP-Request

class-map type inspect match-any SDM_CA_SERVER

match class-map SDM_HTTPS

match class-map SDM_HTTP

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match class-map uremote-app

match access-group name remote-app

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

!

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

class type inspect msnmsgr ccp-app-msn-otherservices

  log

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

policy-map type inspect ccp-pol-outToIn

class type inspect CCP_PPTP

  pass

class type inspect ccp-cls-ccp-pol-outToIn-1

  pass log

class class-default

  drop log

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map AutoQoS-Policy-Fa4

class AutoQoS-Voice-Fa4

  priority percent 1

  set dscp ef

class AutoQoS-Scavenger-Fa4

  bandwidth remaining percent 1

  set dscp cs1

class class-default

  fair-queue

policy-map AutoQoS-Policy-UnTrust

class AutoQoS-VoIP-RTP-UnTrust

  priority percent 70

  set dscp ef

class AutoQoS-VoIP-Control-UnTrust

  bandwidth percent 5

  set dscp af31

class AutoQoS-VoIP-Remark

  set dscp default

class class-default

  fair-queue

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

class type inspect http ccp-app-httpmethods

  log

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

  pass

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_CA_SERVER

  inspect

class type inspect ccp-cls-ccp-permit-1

  pass log

class type inspect SDM_WEBVPN_TRAFFIC

  inspect

class type inspect sdm-access

  inspect

class type inspect SDM_RIP_PT

  pass

class class-default

  drop

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-cls-ccp-permit-icmpreply-1

  pass log

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

!

zone security out-zone

zone security in-zone

zone security sslvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

csdb tcp synwait-time 30

csdb tcp idle-time 3600

csdb tcp finwait-time 5

csdb tcp reassembly max-memory 1024

csdb tcp reassembly max-queue-length 16

csdb udp idle-time 30

csdb icmp idle-time 10

csdb session max-session 65535

!

!

!

!

!

!

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

description LAN

switchport mode trunk

no ip address

!

interface FastEthernet1

description Not in Use

no ip address

!

interface FastEthernet2

description Trunk to 861W-SSHS-R1

switchport mode trunk

no ip address

auto discovery qos

!

interface FastEthernet3

description VoIP

switchport access vlan 30

no ip address

service-policy output AutoQoS-Policy-UnTrust

!

interface FastEthernet4

description WAN$ETH-WAN$$FW_OUTSIDE$

ip ddns update hostname xxx.xxxx.org

ip address dhcp client-id FastEthernet4

no ip redirects

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

auto qos

service-policy output AutoQoS-Policy-Fa4

!

interface Virtual-Template1

ip unnumbered Vlan1

no ip redirects

no ip proxy-arp

ip flow ingress

zone-member security sslvpn-zone

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface Vlan1

description SSHS Default LAN$FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan20

description $FW_INSIDE$

ip address 192.168.20.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip flow ingress

zone-member security in-zone

!

interface Vlan30

description $FW_INSIDE$

ip address 192.168.30.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Dialer0

description PPPoA Dialer for Int ATM0$FW_INSIDE$

ip address negotiated

ip access-group aclInternetInbound in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security in-zone

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname SSHS-CHAP

ppp chap password 7 045F1E100E2F584B

ppp ipcp dns request accept

ppp ipcp route default

ppp ipcp address accept

!

router rip

network 192.168.10.0

network 192.168.20.0

network 192.168.30.0

!

ip local pool sslvpn-pool 192.168.10.190 192.168.10.199

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source list 199 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp

!

ip access-list extended AutoQoS-VoIP-Control

permit tcp any any eq 1720

permit tcp any any range 11000 11999

permit udp any any eq 2427

permit tcp any any eq 2428

permit tcp any any range 2000 2002

permit udp any any eq 1719

permit udp any any eq 5060

ip access-list extended AutoQoS-VoIP-RTCP

permit udp any any range 16384 32767

ip access-list extended DHCP-Request

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any log

ip access-list extended SDM_HTTP

remark CCP_ACL Category=1

permit tcp any any eq www log

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443 log

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22 log

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443 log

ip access-list extended remote-app

remark CCP_ACL Category=128

permit ip any host 192.168.10.50

ip access-list extended boops-DHCP

remark CCP_ACL Category=128

permit ip any any

!

logging host 192.168.10.50

!

access-list 1 permit 0.0.0.0 255.255.255.0

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 192.168.10.50

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 199 permit ip any any

!

!

!

control-plane

!

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS

!

banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue

^C

banner motd ^C This router is designated as the primary router in the SSHS LAN ^C

!

line con 0

password 7 06021A374D401D1C54

logging synchronous

no modem enable

transport output telnet

line aux 0

password 7 06021A374D401D1C54

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

privilege level 15

password 7 130102040A02102F7A

length 0

transport input telnet ssh

transport output telnet ssh

!

scheduler interval 500

ntp master

ntp update-calendar

ntp server nist1-ny.ustiming.org prefer

!

!

webvpn gateway sshs-WebVPN-Gateway

ip interface FastEthernet4 port 443

ssl encryption rc4-md5

ssl trustpoint sshs-trustpoint

inservice

!

webvpn context sshs-WebVPN

secondary-color white

title-color #669999

text-color black

!

acl "ssl-acl"

   permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

aaa authentication list sslvpn

gateway sshs-WebVPN-Gateway

max-users 4

!

ssl authenticate verify all

!

url-list "rewrite"

inservice

!

policy group sshs-webvpnpolicy

   functions svc-enabled

   filter tunnel ssl-acl

   svc address-pool "webvpnpool" netmask 255.255.255.0

   svc rekey method new-tunnel

   svc split include 192.168.0.0 255.255.255.0

default-group-policy sshs-webvpnpolicy

!

end

Hall of Fame Super Silver

Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi

Cadet's recommendation looks on the mark. I recommend following it.

BTW, you cannot easily share from CCP directly; the configuration you posted does the job.

Regards,

- Marvin

New Member

Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi

Appreciate the help Marvin. I will try the recommendation provided earlier and report back.

Thanks

New Member

Re: CCP - Advanced Firewall Creating Custom Ports Inbound Traffi

Thanks, Cadet, for your assistance; I will test the change and report back.
