Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
787
Views
0
Helpful
3
Replies

QOS grabbing those return packets

brom
Level 1
Level 1

‎11-08-2007 08:46 PM - edited ‎03-03-2019 07:28 PM

Hi Guys,

I have a QOS question. Im trying to QOS return packets with random port numbers.

I'm doing basic outgoing dynamic NAT overloading to an outside address. (DSL)

I'm also doing some static NAT to redirect connections to from the outside address to my web server.

I have a QOS policy on the outgoing DSL interface to classify the packets into one of three queues. (high, medium, low speed with different shaping / priorities on each. The QOS packet matching is handled by mostly by nbar

One of the main packets I prioritize is RDP (MS Remote Desktop).

I use the custom NBAR line "ip nbar custom remote_desktop dest tcp 3389"

This works great.. every time I make an RDP connection from my local lan to somewhere on the internet the packets get correctly classified and all is good.

The problem begins when I RDP INTO my network from the internet.

The return packets are not being QOS'd

Here's the packet flow

* The packet with TCP 3389 dest hits my router from the internet dialer interface.

* The router does not care about QOS in any way at this point as I only have outgoing QOS enabled.

* The packet is natted to the internal server

* The server turns around and replies to the packet.... but... as with most TCP sessions, the reply uses random port numbers to respond.

* The reply packet reaches the router and the router places it into the default QOS group as the port does not match 3389

So does anyone have any idea how I can QOS the return packets?

Here's a config snippit (using an 1800)

!

ip nbar custom remote_desktop dest tcp 3389

!

class-map match-any qos-high

match protocol citrix

match protocol ssh

match protocol dns

match protocol telnet

match protocol snmp

match protocol dhcp

match protocol remote_desktop

class-map match-any qos-low

match protocol smtp

match protocol ftp

match protocol exchange

match protocol printer

match protocol nntp

match protocol secure-ftp

match protocol rcmd

class-map match-any qos-limit

match access-group qos-limit

!

policy-map qos-policy-internet

class qos-low

(do lots of things in here)

class qos-high

(do lots of things in here)

class qos-limit

(do lots of things in here)

class class-default

!

interface VLAN1

description Local LAN

ip address 192.168.0.254 255.255.255.0

ip nat inside

!

interface Dialer1

description Internet Connection

ip nat outside

ip inspect insp-fw-in in

ip inspect insp-fw-out out

service-policy output qos-policy-internet

!

ip nat inside source route-map NAT-MAP interface Dialer1 overload

ip nat inside source static tcp 192.168.0.123 3389 interface Dialer1 3389

!

ip access-list extended nat-outbound

remark NAT ACL

remark Permitted addresses to NAT

permit ip 192.168.0.0 0.0.0.255 any

remark External IP Address does not need natting (dont log its attempts)

deny ip host <outside IP> any

remark Deny All and log all other traffic trying to NAT

deny ip any any log

!

route-map NAT-MAP permit 1

match ip address nat-outbound

!

I can think of a few ways to perform this QOS including using reflexive access lists or tag the packets on the windows server but that all seems hard. There must be an easy way to do this.

Any ideas would be appreciated.

Regards

Ben

Labels:
0 Helpful
3 Replies 3

Kevin Dorrell
Level 10
Level 10

‎11-09-2007 05:30 AM

Ben,

The reply packets will be destined to a ramdom port because the original connection came from a random port. But what about their source address - won't that be TCP 3389? So couldn't you match the TCP source port with an extended access list?

ip access-list fromRTD

 permit tcp any eq 3389 any

Kevin Dorrell

Luxembourg

0 Helpful

brom
Level 1
Level 1
In response to Kevin Dorrell

‎11-09-2007 06:09 AM

Kevin,

I had a look at that. It all seems to depend on the protocol being used. Some services use a static source port but most come from a random.

Unfortunately RDP seems to have a random port for both source and dest.

Ben

0 Helpful

Kevin Dorrell
Level 10
Level 10
In response to brom

‎11-09-2007 06:19 AM

In that case, it will be necessary to do some deeper protocol inspection, rather like is done for passive FTP. I suppose there isn't a pre-defined nbar definition for RDT?

Kevin Dorrell

Luxembourg

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card