jaredebyMemberOct 02, 2015 at 11:37 am #165836
I am attempting to setup a zone based firewall. The config below is a boiled down version in which I attempt to match a specific tcp port in order to only allow traffic on that port through. The “match port” line is not accepted by the CGR 2010 router. I have input this line based on a Cisco document, and don’t see why it wouldn’t be valid. I have a need to allow through the firewall several non-standard tcp ports and so have to figure out how to include this functionality. Since the “match protocol” works, I also attempted to use the nbar command to create a user-defined protocol for the desired tcp ports. Using “match protocol” with these new user-defined protocols doesn’t work either, however.
class-map type inspect match-any cmap-z1-z2
match port tcp eq 502
match protocol ssh
policy-map type inspect pmap-z1-z2
class type inspect cmap-z1-z2
zone security zone1
description Zone1 Network
zone security zone2
description Zone2 Network
zone-pair security zp-z1-z2 source zone1 destination zone2
service-policy type inspect pmap-z1-z2
Does anyone know what is wrong with my “match port tcp eq 502” statement? If you do, what is the proper way to only allow a specific tcp port through?
One thing that has just occurred to me is to revisit setting up access lists. I think that I may have overlooked being able to obtain the desired functionality through an access-list. I am going to look into this today. With that said, however, I think there would be an advantage to being able to match tcp ports in a class-map rather than an access-list, but maybe my understanding has holes in it (obviously it does).
You must be logged in to reply to this topic.