Port Forwarding In Zone Based Firewall

markieparkie (Level 1)

Hi all,

I have a problem getting port forwarding to work. Does this config look right?

Basically I want to forward UDP port 88 to the internal host 192.168.10.210, and TCP & UDP 3074 also to 192.168.10.210.

Also TCP & UDP port 32400 to the internal host 192.168.10.6.

Another question: when a web service somewhere port-scans the router to check that a port is forwarded correctly, will the scan fail because the traffic first has to originate from my internal network and punch a hole in the firewall, or can a scan of a particular port (32400) be allowed straight through to my internal server even though the traffic did not originate from the internal network?

----------------------------------------------------------------------------------

class-map type inspect match-any TCP-UDP
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access


policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
class type inspect FIREWALL_EXCEPTIONS_CLASS
  pass
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect TCP-UDP
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop


zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect FIREWALL_EXCEPTIONS_POLICY


ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
!
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.6 eq 32400
permit tcp any eq 32400 any
permit udp any host 192.168.10.6 eq 32400
permit udp any eq 32400 any


jumora (Level 7)

Please post the interface configuration, meaning get me a show run.

Value our effort and rate the assistance!

Sorry for the delay, but here is the running config. Thanks.

Current configuration : 6877 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
dot11 syslog
ip source-route
!
ip dhcp pool HOME
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
!
ip cef
ip domain name home.local
no ipv6 cef
!
multilink bundle-name authenticated
!
vtp mode client
!
archive
 log config
  hidekeys
!
no ip ftp passive
!
class-map type inspect match-any TCP-UDP
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
 match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
 class type inspect FIREWALL_EXCEPTIONS_CLASS
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect TCP-UDP
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
 service-policy type inspect FIREWALL_EXCEPTIONS_POLICY
!
interface ATM0
 no ip address
 no ip redirects
 no ip proxy-arp
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface ATM0.1 point-to-point
 description WAN via ADSL
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface FastEthernet0
 description LINK TO SWITCH
 switchport mode trunk
!
interface FastEthernet1
 switchport mode trunk
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description MANAGEMENT
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security private-in-zone
 ip tcp adjust-mss 1412
!
interface Vlan10
 description HOME_PRIVATE
 ip address 192.168.10.254 255.255.255.0
 ip helper-address 192.168.10.251
 ip nat inside
 ip virtual-reassembly
 zone-member security private-in-zone
 ip tcp adjust-mss 1412
!
interface Vlan20
 description HOME_WORK
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Vlan30
 description HOME_PUBLIC
 ip address 192.168.30.254 255.255.255.0
 ip helper-address 192.168.10.251
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description ADSL Dialup
 ip address negotiated
 no ip redirects
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 ppp ipcp dns request
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
ip nat inside source static udp 192.168.10.6 32400 interface Dialer0 32400
!
ip access-list extended FIREWALL_EXCEPTIONS_ACL
 permit udp any host 192.168.10.210 eq 88
 permit udp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.6 eq 32400
 permit tcp any eq 32400 any
 permit udp any host 192.168.10.6 eq 32400
 permit udp any eq 32400 any
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
snmp-server community
snmp-server community
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
end

Hello Marcus,

So some mistakes here.

After briefly checking the configuration I determined traffic will flow from the Out-zone to the Private zone.

Policy from Private to Out:

policy-map type inspect ccp-inspect
 class type inspect TCP-UDP
  inspect
 class class-default
  drop

Policy from Out to Private:

policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
 class type inspect FIREWALL_EXCEPTIONS_CLASS
  pass
 class class-default
  drop

With that configuration this will never work, as you are inspecting traffic one way and on the other way just letting it go through with no stateful checks at all.

To resolve it:

ip access-list extended Julio_Rocks
 permit udp any host 192.168.10.210 eq 88
 permit udp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.6 eq 32400
 permit udp any host 192.168.10.6 eq 32400
class-map type inspect Julio_Rocks
 match access-group name Julio_Rocks
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
 no class type inspect FIREWALL_EXCEPTIONS_CLASS
 class type inspect Julio_Rocks
  inspect

Looking for a Network engineer? Contact me directly at julio17carvajal@hotmail.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
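Julio's fix does two things that are easy to miss when reading the configs by eye: the inbound action changes from pass to inspect, and the two source-port entries in the original ACL (permit tcp any eq 32400 any and permit udp any eq 32400 any) are gone. Those two lines match on the source port only, so they would let any host on the Internet reach any inside host just by sending from port 32400. The linter below is an added example for this thread, not Cisco tooling and not code from the thread: it parses the posted config fragments, reports for each static NAT which action the inbound zone-pair policy applies, and flags source-port-only ACEs. The parser understands only the commands used in these configs, and the COMMON, ORIGINAL and FIXED strings are constructed from the posts (trimmed to the entries the check needs).

```python
"""Lint the port-forward (static NAT) rules of a Cisco IOS zone-based firewall.
Added example for this thread, not Cisco tooling: the parser understands only
the commands used in the posted configs."""
import re
from collections import defaultdict

# Constructed from the configs posted in the thread (only the lines the linter needs).
COMMON = """
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
 service-policy type inspect FIREWALL_EXCEPTIONS_POLICY
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.6 32400 interface Dialer0 32400
"""
ORIGINAL = COMMON + """
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
 match access-group name FIREWALL_EXCEPTIONS_ACL
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
 class type inspect FIREWALL_EXCEPTIONS_CLASS
  pass
ip access-list extended FIREWALL_EXCEPTIONS_ACL
 permit tcp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.6 eq 32400
 permit tcp any eq 32400 any
"""
# Julio's version: stateful inspect and no source-port entries.
FIXED = COMMON + """
ip access-list extended Julio_Rocks
 permit tcp any host 192.168.10.210 eq 3074
 permit tcp any host 192.168.10.6 eq 32400
class-map type inspect Julio_Rocks
 match access-group name Julio_Rocks
policy-map type inspect FIREWALL_EXCEPTIONS_POLICY
 class type inspect Julio_Rocks
  inspect
"""

ACE = re.compile(r"permit (tcp|udp) (any|host \S+)(?: eq (\d+))? (any|host \S+)(?: eq (\d+))?$")


def parse(cfg):
    """Collect ACLs, inspect class-maps, inspect policy-maps, zone-pairs and static NATs."""
    c = dict(acls=defaultdict(list), cmaps={}, pmaps={}, zpairs={}, nats=[])
    ctx = None   # (section kind, name) of the block whose sub-commands we are in
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line, re.I):
            ctx = ("acls", m[1])
        elif m := re.match(r"class-map\s+type inspect (?:match-\w+ )?(\S+)", line):
            ctx = ("cmaps", m[1]); c["cmaps"][m[1]] = []
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("pmaps", m[1]); c["pmaps"][m[1]] = []
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx = ("zpairs", m[1]); c["zpairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface", line):
            ctx = None; c["nats"].append((m[1], m[2], m[3]))
        elif ctx is None:
            continue
        elif ctx[0] == "acls" and (m := ACE.match(line)):
            c["acls"][ctx[1]].append(dict(proto=m[1], src=m[2], sport=m[3], dst=m[4], dport=m[5]))
        elif ctx[0] == "cmaps" and (m := re.match(r"match access-group name (\S+)", line)):
            c["cmaps"][ctx[1]].append(m[1])
        elif ctx[0] == "pmaps" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            c["pmaps"][ctx[1]].append([m[1], "drop"])   # action is set by the next line
        elif ctx[0] == "pmaps" and line in ("inspect", "pass", "drop"):
            c["pmaps"][ctx[1]][-1][1] = line
        elif ctx[0] == "zpairs" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            c["zpairs"][ctx[1]]["policy"] = m[1]
    return c


def action_for(c, policy, proto, ip, port):
    """First matching class decides, as in IOS; otherwise class-default (drop)."""
    default = "drop"
    for cls, act in c["pmaps"].get(policy, []):
        if cls == "class-default":
            default = act
            continue
        for acl in c["cmaps"].get(cls, []):
            for a in c["acls"].get(acl, []):
                if a["proto"] == proto and a["dst"] in ("any", f"host {ip}") and a["dport"] in (None, port):
                    return act
    return default


def audit(cfg, outside="out-zone"):
    """Return ({(proto, ip, port): action}, warnings) for the inbound zone-pairs."""
    c = parse(cfg)
    inbound = [z for z in c["zpairs"].values() if z["src"] == outside and z["dst"] != "self"]
    actions, warnings = {}, []
    for proto, ip, port in c["nats"]:
        for z in inbound:
            act = actions[(proto, ip, port)] = action_for(c, z["policy"], proto, ip, port)
            if act == "drop":
                warnings.append(f"{proto}/{port} -> {ip}: no class permits it, forward is unreachable")
            elif act == "pass":
                warnings.append(f"{proto}/{port} -> {ip}: 'pass' keeps no state, so the reply from {ip} is "
                                f"judged by the {z['dst']}->{outside} policy as a new flow (a SYN-ACK is dropped)")
    for acl, aces in c["acls"].items():   # e.g. 'permit tcp any eq 32400 any'
        for a in aces:
            if a["sport"] and a["dst"] == "any":
                warnings.append(f"{acl}: 'permit {a['proto']} any eq {a['sport']} any' matches on "
                                "source port only and exposes every inside host")
    return actions, warnings
```

Calling audit(ORIGINAL) returns "pass" for both forwards plus three warnings (two for the stateless pass, one for the source-port ACE); audit(FIXED) returns "inspect" for both and no warnings. The same action_for() lookup can be pointed at an address that is not forwarded to confirm it falls through to the implicit drop.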

Hi Julio,

Nice one on fixing the problem.

I still can't see why traffic has to be treated the same way out and in; I thought that if inspect is set to allow the traffic in, then permitting without inspect on the way out would just make sense: if the traffic is allowed both ways, things would work.

Why does it have to be the same?

On another note, have you had any experience with VPNs and ZBFW? I have a config where there is a tunnel created and traffic sent out from the router seems fine (full bandwidth, 70% CPU), yet on traffic coming in the router hits about 80% usage and the speed is nowhere near what it's capable of.

Bit stumped on this. Does the VPN actually terminate on the router itself, thus using the out-zone to self policy?

Thanks,

Marcus.

Hello,

So you are inspecting traffic from Out-To-In:

  • Traffic reaches the outside interface, it's inspected and allowed through (while being added to the stateful table of the FW so the reply of the client is allowed). SYN
  • Reply from the client comes and it's passed (no information is saved into the firewall table as we are just passing the traffic and not inspecting it). SYN-ACK
  • Traffic comes back for the server and reaches the firewall, but then this one says "OK, I see the SYN, I do not see the SYN-ACK, why should I allow this ACK?" and drops it. Clear enough?

Yeah, I have experience with VPNs.

Check my website for more info regarding ZBFW:

http://www.laguiadelnetworking.com/zone-based-firewall-and-the-self-zone-integration/

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
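To make the asymmetry Marcus asked about concrete, here is a small model of the inspect and pass actions. It is an added example for this thread, a deliberate simplification and not Cisco's implementation: inspect forwards a segment that matches an existing session in either direction, opens a session only for a TCP SYN (or for any UDP packet), and drops any other TCP segment that has no session; pass forwards without keeping any state; anything else is dropped. A three-way handshake from a constructed outside client (203.0.113.7, a documentation address) to 192.168.10.6:32400 is pushed through the thread's original zone-pair actions (out-zone to private-in-zone pass, private-in-zone to out-zone inspect) and through the corrected ones. Zone names and the server address come from the thread; the client address and port are assumptions.

```python
"""Model of how the ZBFW 'inspect' and 'pass' actions treat a TCP handshake.
Added example for this thread; a simplified model, not Cisco's implementation."""


class ZoneFirewall:
    """policies maps (source_zone, dest_zone) -> action, standing in for the
    class that a port-forwarded flow would hit in that zone-pair's policy."""

    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()   # 5-tuples learned by 'inspect'
        self.log = []

    def forward(self, src_zone, dst_zone, pkt):
        """pkt = (proto, src, sport, dst, dport, flags). True if forwarded."""
        proto, src, sport, dst, dport, flags = pkt
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        where = f"{flags:7} {src_zone}->{dst_zone}"
        # Return traffic of an inspected session is permitted before any policy lookup.
        if fwd in self.sessions or rev in self.sessions:
            self.log.append(f"{where}: matches session, permitted")
            return True
        action = self.policies.get((src_zone, dst_zone), "drop")
        if action == "pass":
            self.log.append(f"{where}: pass (no session created)")
            return True
        if action == "inspect":
            # Only a SYN may open a TCP session; any UDP packet may.
            if proto != "tcp" or flags == "SYN":
                self.sessions.add(fwd)
                self.log.append(f"{where}: inspect, session opened")
                return True
            self.log.append(f"{where}: inspect, {flags} with no session, dropped")
            return False
        self.log.append(f"{where}: drop")
        return False


def handshake(fw, outside, inside, client, server, port):
    """Push SYN, SYN-ACK, ACK through fw; stop at the first dropped segment,
    since the peer would never send the next one. Returns the outcomes."""
    cport = 51000   # assumed client ephemeral port
    segments = [
        (outside, inside, ("tcp", client, cport, server, port, "SYN")),
        (inside, outside, ("tcp", server, port, client, cport, "SYN-ACK")),
        (outside, inside, ("tcp", client, cport, server, port, "ACK")),
    ]
    outcomes = []
    for src_zone, dst_zone, seg in segments:
        ok = fw.forward(src_zone, dst_zone, seg)
        outcomes.append(ok)
        if not ok:
            break
    return outcomes


# Zone-pair actions from the thread: the original config passes inbound and
# inspects outbound; Julio's fix inspects both ways.
ORIGINAL = {("out-zone", "private-in-zone"): "pass",
            ("private-in-zone", "out-zone"): "inspect"}
FIXED = {("out-zone", "private-in-zone"): "inspect",
         ("private-in-zone", "out-zone"): "inspect"}


def run(policies, client="203.0.113.7", server="192.168.10.6", port=32400):
    """Return (outcomes, log) for a handshake from a constructed outside client."""
    fw = ZoneFirewall(policies)
    return handshake(fw, "out-zone", "private-in-zone", client, server, port), fw.log


if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL), ("fixed", FIXED)):
        outcomes, log = run(pol)
        print(f"{name}: {'connected' if len(outcomes) == 3 and all(outcomes) else 'failed'}")
        print("\n".join("  " + entry for entry in log))
```

With the original actions the SYN is passed without creating a session, so the server's SYN-ACK reaches the private-in-zone to out-zone inspect policy as an unknown flow and is dropped; the client never gets past the first segment. With inspect in both directions the SYN opens a session and the SYN-ACK and ACK match it without a further policy lookup, which is also why an external port scan of 32400 succeeds once the inbound policy inspects rather than passes.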