Harley_3

Cisco Port Forwarding Zone Based Firewall Trouble

3 posts in this topic

I'm having trouble forwarding ports using a Cisco 1811W with Zone Based Firewall

Interface FastEthernet 1 - Zone OUTSIDE (The Internet)
Interface FastEthernet 0 - Zone DMZ (Raspberry Pi Server - 10.0.0.4)
Switchports/Wifi - Zone INSIDE (The LAN)

Basically I'm trying to forward ports from 10.0.0.4 like so...

ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080

and for now the ACLs are set to...

ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any

ip access-list extended ACL_OUTSIDE_TO_DMZ
permit ip any any

But I can't get in from the Internet. The LAN and the DMZ can both access the Internet, and currently each other too. Using the local IP 10.0.0.4 (Raspberry Pi) I can SSH (22), RDP (3389) and HTTP (8080), but no luck using the domain name or public IP address of interface FastEthernet 1.

Below are the mostly relevant parts of my config:
************************************
!
! Last configuration change at 18:27:06 AEDT Sat Mar 12 2016 by me
version 15.1
!
!
class-map type inspect match-any CLASS_MAP_DMZ_TO_OUTSIDE
match access-group name ACL_DMZ_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_DMZ
match access-group name ACL_OUTSIDE_TO_DMZ
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_SELF
match access-group name ACL_OUTSIDE_TO_SELF
class-map type inspect match-any CLASS_MAP_INSIDE_TO_OUTSIDE
match access-group name ACL_INSIDE_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_INSIDE
match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CLASS_MAP_DMZ_TO_INSIDE
match access-group name ACL_DMZ_TO_INSIDE
class-map type inspect match-any CLASS_MAP_INSIDE_TO_DMZ
match access-group name ACL_INSIDE_TO_DMZ
!
!
policy-map type inspect POLICY_MAP_DMZ_TO_INSIDE
class type inspect CLASS_MAP_DMZ_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_DMZ
class type inspect CLASS_MAP_INSIDE_TO_DMZ
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_SELF
class type inspect CLASS_MAP_OUTSIDE_TO_SELF
pass
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
class type inspect CLASS_MAP_INSIDE_TO_OUTSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
class type inspect CLASS_MAP_OUTSIDE_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_DMZ_TO_OUTSIDE
class type inspect CLASS_MAP_DMZ_TO_OUTSIDE
pass
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
pass
class class-default
drop
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone-pair security ZONE_PAIR_OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect POLICY_MAP_OUTSIDE_TO_SELF
zone-pair security ZONE_PAIR_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
zone-pair security ZONE_PAIR_INSIDE_TO_DMZ source INSIDE destination DMZ
service-policy type inspect POLICY_MAP_INSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_INSIDE source DMZ destination INSIDE
service-policy type inspect POLICY_MAP_DMZ_TO_INSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
service-policy type inspect POLICY_MAP_OUTSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_OUTSIDE source DMZ destination OUTSIDE
service-policy type inspect POLICY_MAP_DMZ_TO_OUTSIDE
!
!
!
bridge irb
!
interface FastEthernet0
description DMZ
ip address 10.0.0.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
zone-member security OUTSIDE
duplex auto
speed auto
!
!
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface BVI1
ip address 192.168.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1 overload
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 80 interface FastEthernet1 80
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
ip access-list extended ACL_DMZ_TO_INSIDE
permit ip any any
deny ip any any
ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_INSIDE_TO_DMZ
permit ip any any
deny ip any any
ip access-list extended ACL_INSIDE_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_OUTSIDE_TO_DMZ
permit ip any any
ip access-list extended ACL_OUTSIDE_TO_INSIDE
permit udp any host 192.168.100.55 eq 5060
permit udp any host 192.168.100.55 range 1020 1040
permit udp any host 192.168.100.55 range 16384 16482
ip access-list extended ACL_OUTSIDE_TO_SELF
permit udp any any eq bootpc
ip access-list extended NAT
permit ip 192.168.100.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
end

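The following is an added example for readers of this thread, not configuration from the original post or from the replies. It keeps the poster's zone, class-map, policy-map and ACL names and the Pi's address 10.0.0.4, and changes only the OUTSIDE -> DMZ and DMZ -> OUTSIDE policies. Two points it demonstrates: Zone-Based Firewall classifies OUTSIDE -> DMZ traffic after NAT has rewritten the destination, so the class-map ACL must match the Pi's real address (10.0.0.4), not the public address of FastEthernet1; and the `pass` action is stateless (no session is created and each direction must be permitted on its own), while `inspect` creates a session on the first packet and handles the return traffic. The verification commands at the end are standard IOS show/debug commands.

```cisco
! Added example (not from the original post): restrict OUTSIDE -> DMZ to the
! three forwarded TCP ports on the Pi and track the sessions statefully.
!
! ZBF evaluates this ACL against the post-NAT (inside) destination address,
! so match 10.0.0.4 here, never the DHCP address of FastEthernet1.
ip access-list extended ACL_OUTSIDE_TO_DMZ
 no permit ip any any
 permit tcp any host 10.0.0.4 eq 22
 permit tcp any host 10.0.0.4 eq 3389
 permit tcp any host 10.0.0.4 eq 8080
 deny   ip any any log
!
! 'pass' is stateless; 'inspect' creates a session and allows the reply path.
! IOS refuses a second action on the class, so remove 'pass' first.
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
 class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
  no pass
  inspect
 class class-default
  drop log
!
policy-map type inspect POLICY_MAP_DMZ_TO_OUTSIDE
 class type inspect CLASS_MAP_DMZ_TO_OUTSIDE
  no pass
  inspect
 class class-default
  drop
!
! Verification (enable mode), while a connection is attempted from a host that
! is genuinely outside, not from the LAN towards the public address:
! show ip interface brief
!   -> is the DHCP address on Fa1 a real public address, or is there another
!      NAT device (ISP modem / carrier NAT) in front of the router?
! show ip nat translations | include 10.0.0.4
!   -> the three static entries should be listed, and dynamic entries appear
!      as outside hosts connect
! show policy-map type inspect zone-pair ZONE_PAIR_OUTSIDE_TO_DMZ sessions
!   -> a session for tcp 22/3389/8080 to 10.0.0.4 proves the packet reached
!      the firewall after translation
! show ip access-lists ACL_OUTSIDE_TO_DMZ
!   -> the permit lines should show match counters incrementing; hits on the
!      'deny ... log' line show what is arriving but not allowed
! debug ip nat
!   -> shows each inbound translation as it happens; turn off with 'undebug all'
```

Two caveats a practitioner would check before touching the firewall: testing the public IP or domain name from a LAN or DMZ host fails by design on this kind of setup (IOS NAT does not hairpin inside-to-inside traffic through the outside address), so the test must come from outside; and because FastEthernet1 takes its address from DHCP, if `show ip interface brief` shows a private or shared address on Fa1, the actual public address belongs to a device upstream and the forward has to be configured there as well. On the security side, the static NAT entries already limit what the Internet can reach on 10.0.0.4, but narrowing the ACL keeps a future NAT change from silently widening the exposure and gives you per-port hit counters; SSH (22) and RDP (3389) open to any source are the ports most worth restricting by source address where that is possible.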

Ok - I was just looking at the Raspberry Pi Server and wondering whether or not to grab some ice cream to go with it and try to lab this one up with you.

 

A few months later...

 

Darby Weaver

 

http://www.darbyslogs.blogspot.com
