Cisco Port Forwarding Zone Based Firewall Trouble

#1 Harley_3

Posted 12 March 2016 - 06:49 PM

I'm having trouble forwarding ports using a Cisco 1811W with Zone Based Firewall

Interface FastEthernet 1 - Zone OUTSIDE (The Internet)
Interface FastEthernet 0 - Zone DMZ (Raspberry Pi Server - 10.0.0.4)
Switchports/Wifi - Zone INSIDE (The LAN)

Basically I'm trying to forward ports from 10.0.0.4 like so...

ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080

and for now the ACLs are set to...

ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any

ip access-list extended ACL_OUTSIDE_TO_DMZ
permit ip any any

But I can't get in from the Internet. The LAN and the DMZ can both access the internet and currently each other too. Using the local IP 10.0.0.4 (Raspberry Pi) I can SSH 22, RDP 3389 and HTTP 8080, but no luck using the domain name or public IP address of Interface FastEthernet 1.

Below are the mostly relevant parts of my config:
************************************
!
! Last configuration change at 18:27:06 AEDT Sat Mar 12 2016 by me
version 15.1
!
!
class-map type inspect match-any CLASS_MAP_DMZ_TO_OUTSIDE
 match access-group name ACL_DMZ_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_DMZ
 match access-group name ACL_OUTSIDE_TO_DMZ
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_SELF
 match access-group name ACL_OUTSIDE_TO_SELF
class-map type inspect match-any CLASS_MAP_INSIDE_TO_OUTSIDE
 match access-group name ACL_INSIDE_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_INSIDE
 match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CLASS_MAP_DMZ_TO_INSIDE
 match access-group name ACL_DMZ_TO_INSIDE
class-map type inspect match-any CLASS_MAP_INSIDE_TO_DMZ
 match access-group name ACL_INSIDE_TO_DMZ
!
!
policy-map type inspect POLICY_MAP_DMZ_TO_INSIDE
 class type inspect CLASS_MAP_DMZ_TO_INSIDE
  inspect
 class class-default
  drop
policy-map type inspect POLICY_MAP_INSIDE_TO_DMZ
 class type inspect CLASS_MAP_INSIDE_TO_DMZ
  inspect
 class class-default
  drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_SELF
 class type inspect CLASS_MAP_OUTSIDE_TO_SELF
  pass
 class class-default
  drop
policy-map type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
 class type inspect CLASS_MAP_INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
 class type inspect CLASS_MAP_OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
policy-map type inspect POLICY_MAP_DMZ_TO_OUTSIDE
 class type inspect CLASS_MAP_DMZ_TO_OUTSIDE
  pass
 class class-default
  drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
 class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
  pass
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone-pair security ZONE_PAIR_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect POLICY_MAP_OUTSIDE_TO_SELF
zone-pair security ZONE_PAIR_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
zone-pair security ZONE_PAIR_INSIDE_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect POLICY_MAP_INSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_INSIDE source DMZ destination INSIDE
 service-policy type inspect POLICY_MAP_DMZ_TO_INSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect POLICY_MAP_OUTSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect POLICY_MAP_DMZ_TO_OUTSIDE
!
!
bridge irb
!
interface FastEthernet0
 description DMZ
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
!
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1 overload
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 80 interface FastEthernet1 80
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
ip access-list extended ACL_DMZ_TO_INSIDE
 permit ip any any
 deny ip any any
ip access-list extended ACL_DMZ_TO_OUTSIDE
 permit ip any any
ip access-list extended ACL_INSIDE_TO_DMZ
 permit ip any any
 deny ip any any
ip access-list extended ACL_INSIDE_TO_OUTSIDE
 permit ip any any
ip access-list extended ACL_OUTSIDE_TO_DMZ
 permit ip any any
ip access-list extended ACL_OUTSIDE_TO_INSIDE
 permit udp any host 192.168.100.55 eq 5060
 permit udp any host 192.168.100.55 range 1020 1040
 permit udp any host 192.168.100.55 range 16384 16482
ip access-list extended ACL_OUTSIDE_TO_SELF
 permit udp any any eq bootpc
ip access-list extended NAT
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
end

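Added example, not part of the thread and not the poster's or Cisco's code: a small Python auditor that reads an IOS running-config in the form posted above and, for each static PAT entry, walks the OUTSIDE -> DMZ zone-pair, its policy-map, class-map and ACL to report whether the forwarded port is actually admitted. It also flags two weaknesses that are visible in the posted config: the stateless `pass` action and the `permit ip any any` match, which exposes every port of every DMZ host rather than only the forwarded ones. It assumes the indentation of a `show running-config` dump, ACL addresses written as `any` or `host A`, numeric `eq` ports, and only the command forms that appear in the thread; the embedded config is a constructed, trimmed copy of the thread's OUTSIDE -> DMZ pieces. The point it encodes is that a zone-based firewall classifies inbound traffic after NAT un-translation, so the OUTSIDE_TO_DMZ ACL must match the private address 10.0.0.4 and the inside port, not the public address.

```python
"""Check static port forwards against a Cisco IOS zone-based firewall config.
Added example for this thread, not the poster's or Cisco's code. It assumes the
indentation of a 'show running-config' dump, ACL addresses written as any|host A,
numeric 'eq' ports, and only the command forms that appear in the thread."""
import ipaddress
import re
from collections import namedtuple

ACE = namedtuple("ACE", "action proto src dst dport")     # dport: int, or None for any port
StaticNat = namedtuple("StaticNat", "proto inside_ip inside_port iface outside_port")
ACE_RE = re.compile(r"(permit|deny) (\S+) (any|host \S+)(?: eq \d+)? (any|host \S+)(?: eq (\d+))?")

# Constructed sample: the thread's OUTSIDE -> DMZ pieces, trimmed and re-indented.
SAMPLE_CONFIG = """\
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_DMZ
 match access-group name ACL_OUTSIDE_TO_DMZ
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
 class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
  pass
 class class-default
  drop
zone-pair security ZONE_PAIR_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect POLICY_MAP_OUTSIDE_TO_DMZ
interface FastEthernet0
 ip address 10.0.0.2 255.255.255.0
 zone-member security DMZ
interface FastEthernet1
 ip address dhcp
 zone-member security OUTSIDE
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip access-list extended ACL_OUTSIDE_TO_DMZ
 permit ip any any
"""

def parse_ace(line):
    """'permit tcp any host 10.0.0.4 eq 22' -> ACE; a source-port qualifier is ignored."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line.strip()!r}")
    src, dst = (ipaddress.ip_network("0.0.0.0/0" if a == "any" else a.split()[1] + "/32")
                for a in (m[3], m[4]))
    return ACE(m[1], m[2], src, dst, int(m[5]) if m[5] else None)

def parse_config(text):
    """Collect class-maps, policy-maps, zone-pairs, interface zones/subnets, ACLs and static PAT."""
    cfg = {"class-map": {}, "policy-map": {}, "acl": {}, "zone": {}, "net": {}, "pair": [], "static": []}
    kind = name = None
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if not line.startswith(" "):                   # a top-level command opens a new context
            kind = name = None
            if t[0] in ("class-map", "policy-map"):
                kind, name = t[0], t[-1]
            elif t[:2] == ["zone-pair", "security"]:
                kind, name = "pair", t[2]
                cfg["pair"].append([t[4], t[6], None])  # [source zone, destination zone, policy]
            elif t[0] == "interface":
                kind, name = "interface", t[1]
            elif t[:3] == ["ip", "access-list", "extended"]:
                kind, name = "acl", t[3]
            elif t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp") and t[8] == "interface":
                cfg["static"].append(StaticNat(t[5], t[6], int(t[7]), t[9], int(t[10])))
        elif kind == "class-map" and t[:3] == ["match", "access-group", "name"]:
            cfg[kind].setdefault(name, []).append(t[3])
        elif kind == "policy-map" and t[0] == "class":   # class type inspect X | class class-default
            cfg[kind].setdefault(name, []).append([t[-1], None])   # [class name, action]
        elif kind == "policy-map" and t[0] in ("inspect", "pass", "drop"):
            cfg[kind][name][-1][1] = t[0]
        elif kind == "pair" and t[0] == "service-policy":
            cfg["pair"][-1][2] = t[3]
        elif kind == "interface" and t[0] == "zone-member":
            cfg["zone"][name] = t[2]
        elif kind == "interface" and t[:2] == ["ip", "address"] and t[2] != "dhcp":
            cfg["net"][name] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif kind == "acl" and t[0] in ("permit", "deny"):
            cfg[kind].setdefault(name, []).append(parse_ace(line))
    return cfg

def audit(cfg):
    """Return (forward, 'ALLOWED'|'BLOCKED', notes) for each static PAT entry."""
    out = []
    for s in cfg["static"]:
        fwd = f"{s.proto}/{s.outside_port} -> {s.inside_ip}:{s.inside_port}"
        ip = ipaddress.ip_address(s.inside_ip)
        src_zone = cfg["zone"].get(s.iface)
        dst_zone = next((cfg["zone"].get(i) for i, n in cfg["net"].items() if ip in n), None)
        pair = next((p for p in cfg["pair"] if p[:2] == [src_zone, dst_zone]), None)
        hit = None
        for cls, action in (cfg["policy-map"].get(pair[2], []) if pair else []):
            for acl in (cfg["class-map"].get(cls, []) if action != "drop" else []):
                # ZBF classifies inbound traffic after NAT un-translation: match the inside address/port.
                ace = next((a for a in cfg["acl"].get(acl, []) if a.proto in ("ip", s.proto)
                            and ip in a.dst and a.dport in (None, s.inside_port)), None)
                if hit is None and ace and ace.action == "permit":
                    hit = (action, acl, ace)
        if hit is None:
            why = "no zone-pair covers this path" if pair is None else f"no permit in {pair[2]}"
            out.append((fwd, "BLOCKED", [f"{why}; ZBF drops inter-zone traffic by default"]))
        else:
            action, acl, ace = hit
            notes = [f"permitted by {acl} with action '{action}'"]
            if action == "pass":
                notes.append("'pass' is stateless: replies need a matching pass on the reverse zone-pair; prefer 'inspect'")
            if ace.proto == "ip" and ace.dst.prefixlen == 0:
                notes.append("matched by 'permit ip any any': every port on every DMZ host is reachable, not just this one")
            out.append((fwd, "ALLOWED", notes))
    return out
```

Running `audit(parse_config(SAMPLE_CONFIG))` reports both forwards as ALLOWED, each with the two notes. The tightening the notes point at is one `permit tcp any host 10.0.0.4 eq <port>` line per forwarded service in ACL_OUTSIDE_TO_DMZ in place of `permit ip any any`, and `inspect` instead of `pass` on the OUTSIDE_TO_DMZ policy, so that replies are tracked statefully and the DMZ_TO_OUTSIDE pair no longer needs a blanket `pass` to let them back out.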

#2 Harley_3

Posted 14 March 2016 - 09:07 AM

Never mind, it's working.


#3 Darby Weaver

Posted 16 July 2016 - 07:17 PM

Ok - I was just looking at the Raspberry Pi Server and wondering whether or not to grab some ice cream to go with it and try to lab this one up with you.

A few months later...

Darby Weaver

http://www.darbyslogs.blogspot.com
