Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET

Allowing Specific TCP Port Traffic in CGR 2010



  • jaredeby
    Member
    #165836

    I am attempting to set up a zone-based firewall. The config below is a boiled-down version in which I attempt to match a specific TCP port in order to only allow traffic on that port through. The “match port” line is not accepted by the CGR 2010 router. I have input this line based on a Cisco document, and don’t see why it wouldn’t be valid. I need to allow several non-standard TCP ports through the firewall, so I have to figure out how to include this functionality. Since “match protocol” works, I also attempted to use the NBAR command to create a user-defined protocol for the desired TCP ports. Using “match protocol” with these new user-defined protocols doesn’t work either, however.

    class-map type inspect match-any cmap-z1-z2
     match port tcp eq 502
     match protocol ssh
    !
    policy-map type inspect pmap-z1-z2
     class type inspect cmap-z1-z2
      pass
     class class-default
      drop
    !
    zone security zone1
     description Zone1 Network
    zone security zone2
     description Zone2 Network
    zone-pair security zp-z1-z2 source zone1 destination zone2
     service-policy type inspect pmap-z1-z2

    Does anyone know what is wrong with my “match port tcp eq 502” statement? If you do, what is the proper way to only allow a specific tcp port through?

    One thing that has just occurred to me is to revisit setting up access lists. I think that I may have overlooked being able to obtain the desired functionality through an access-list. I am going to look into this today. With that said, however, I think there would be an advantage to being able to match tcp ports in a class-map rather than an access-list, but maybe my understanding has holes in it (obviously it does).
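The access-list route the post considers is the documented IOS zone-based firewall way to match a specific TCP port: an extended ACL referenced from a class-map type inspect. This is an added example, not configuration from the original post, written in standard IOS ZBFW syntax; the ACL, class-map and policy-map names are assumed, and whether the CGR 2010 image accepts every keyword is not verified here.

```cisco
! Added example (not from the post): allow TCP/502 and SSH from zone1 to zone2.
! Names ACL-MODBUS-502, cmap-z1-z2-modbus and cmap-z1-z2-ssh are assumed.
! Replace "any any" with the real source and destination subnets.
ip access-list extended ACL-MODBUS-502
 permit tcp any any eq 502
!
! match-all: a flow must be TCP AND hit the ACL before it is classified here
class-map type inspect match-all cmap-z1-z2-modbus
 match access-group name ACL-MODBUS-502
 match protocol tcp
!
class-map type inspect match-any cmap-z1-z2-ssh
 match protocol ssh
!
! "inspect" is stateful, so return traffic is allowed automatically;
! "pass" is stateless and would need a matching rule on a zone2->zone1 pair
policy-map type inspect pmap-z1-z2
 class type inspect cmap-z1-z2-modbus
  inspect
 class type inspect cmap-z1-z2-ssh
  inspect
 class class-default
  drop log
!
zone security zone1
 description Zone1 Network
zone security zone2
 description Zone2 Network
zone-pair security zp-z1-z2 source zone1 destination zone2
 service-policy type inspect pmap-z1-z2
```

After applying it, `show policy-map type inspect zone-pair zp-z1-z2` shows per-class packet counters and active sessions, which confirms whether TCP/502 is being classified by the ACL class rather than falling into class-default.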

