Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

port forward SSH on port 29003

Status
Not open for further replies.
creepingdeath

creepingdeath

IS-IT--Management
Aug 19, 2008
4
NZ
objective
=========

port forward SSH protocol on port 29003 using zone based firewall to a LAN host (172.16.2.1) running SSHD


current way I do port forwards
==============================
Code: 
ip port-map user-sftp port tcp 29002

zone security ZONE-out
zone security ZONE-in

zone-pair security ZP-out-to-in source ZONE-out destination ZONE-in
 service-policy type inspect PM-out-to-in
exit

interface Vlan1
 zone-member security ZONE-in
exit

interface Dialer0
 zone-member security ZONE-out
exit

class-map type inspect match-all CM-sftp
 match protocol user-sftp
 match access-group name AL-creepy-pc
exit

policy-map type inspect PM-out-to-in
 class type inspect CM-sftp
  inspect
 class class-default
  drop
 exit
exit

ip nat inside source static tcp 172.16.2.1 29002 interface Dialer0 29002

ip access-list extended AL-creepy-pc
 permit ip any host 172.16.2.1
exit

the above example works fine, i created the "ip port-map" because I was using a non standard protocol.
problem: the IOS already has SSH protocol defaulting to port 22, is there anyway I could have something like below, but use port 29003
Code: 
class-map type inspect match-all CM-ssh
 match protocol ssh
 match access-group name AL-creepy-pc
exit

policy-map type inspect PM-out-to-in
 class type inspect CM-ssh
  inspect
 class class-default
  drop
 exit
exit

I found the following command: "ip port-map ssh port tcp 29003", would that work?

the reason I ask is... with my basic understanding of the firewall... the IOS has different inspection rates depending on the traffic passing through.

eg. the IOS can inspect packets in greater depth if it is a layer 7 (application) packet and the IOS has the protocol built in (like HTTP)
eg. the IOS will inspect the packet in less dpeth if the IOS only knows the packet is TCP or UDP

now, if I could use the following command: "match protocol ssh" but on port 29003, would the IOS inspect the packets in greater depth than if I did the following to do the port forward:
Code: 
ip access-list extended AL-ssh
 permit tcp any host 172.16.2.1 eq 29003
exit

class-map type inspect match-all CM-ssh
 match class-map AL-ssh
exit

policy-map type inspect PM-out-to-in
 class type inspect CM-ssh
  inspect
 class class-default
  drop
 exit
exit

sorry if I make no sense.

thanks.

 
Sort by date Sort by votes
Updating PAM is generally for CBAC, but should work for ZBF.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
187
Zero6
Zero6
testman1
  • Locked
  • Question
SIP telephone ring on second call
Replies
0
Views
181
testman1
testman1
Willi DB
  • Locked
  • Question
Polycom410 Forward an incoming call
Replies
0
Views
123
Willi DB
Willi DB
Gartech
  • Locked
  • Question
LAN Port Test Device
Replies
3
Views
190
ipohead
ipohead
BleuBell
  • Locked
  • Question
Command Rejected : Exceeded NNI ports Allowed
Replies
0
Views
135
BleuBell
BleuBell

Part and Inventory Search

Sponsor

Back
Top