Allowing Specific TCP Port Traffic in CGR 2010



  • jaredeby
    Member
    #165836

    I am attempting to set up a zone-based firewall. The config below is a boiled-down version in which I attempt to match a specific tcp port in order to only allow traffic on that port through. The “match port” line is not accepted by the CGR 2010 router. I have input this line based on a Cisco document, and don’t see why it wouldn’t be valid. I have a need to allow through the firewall several non-standard tcp ports and so have to figure out how to include this functionality. Since the “match protocol” works, I also attempted to use the nbar command to create a user-defined protocol for the desired tcp ports. Using “match protocol” with these new user-defined protocols doesn’t work either, however.

    class-map type inspect match-any cmap-z1-z2
     match port tcp eq 502
     match protocol ssh
    !
    policy-map type inspect pmap-z1-z2
     class type inspect cmap-z1-z2
      pass
     class class-default
      drop
    !
    zone security zone1
     description Zone1 Network
    zone security zone2
     description Zone2 Network
    zone-pair security zp-z1-z2 source zone1 destination zone2
     service-policy type inspect pmap-z1-z2

    Does anyone know what is wrong with my “match port tcp eq 502” statement? If you do, what is the proper way to only allow a specific tcp port through?

    One thing that has just occurred to me is to revisit setting up access lists. I think that I may have overlooked being able to obtain the desired functionality through an access-list. I am going to look into this today. With that said, however, I think there would be an advantage to being able to match tcp ports in a class-map rather than an access-list, but maybe my understanding has holes in it (obviously it does).
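One way to get the port match the post is after, following the access-list route the poster mentions, as an added example that is not the poster's own config: a `class-map type inspect` takes `match access-group`, not `match port`, so the non-standard TCP port goes into an extended ACL that the class-map references. The ACL name and the interface names are assumed placeholders; `inspect` is used instead of the post's `pass` so that return traffic for the TCP session is allowed statefully rather than needing a second zone-pair in the reverse direction.

```cisco
! Extended ACL listing the non-standard TCP port(s) to permit
! (ACL name is an assumed placeholder; add one permit line per port)
ip access-list extended acl-z1-z2-ports
 permit tcp any any eq 502
!
! match-any: a flow qualifies if it hits the ACL OR is recognised as SSH
class-map type inspect match-any cmap-z1-z2
 match access-group name acl-z1-z2-ports
 match protocol ssh
!
! inspect (stateful) instead of pass: replies to port 502 sessions
! are allowed back without a reverse zone-pair
policy-map type inspect pmap-z1-z2
 class type inspect cmap-z1-z2
  inspect
 class class-default
  drop log
!
zone security zone1
 description Zone1 Network
zone security zone2
 description Zone2 Network
!
! Interface names are assumed placeholders; zones do nothing until
! an interface is placed in them
interface GigabitEthernet0/0
 zone-member security zone1
interface GigabitEthernet0/1
 zone-member security zone2
!
zone-pair security zp-z1-z2 source zone1 destination zone2
 service-policy type inspect pmap-z1-z2
```

`show policy-map type inspect zone-pair zp-z1-z2 sessions` lists the sessions the inspect action has opened, which is the quickest way to confirm that port 502 traffic is being matched by the class rather than falling into class-default.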
