Unable to open specific port on Cisco 2921 to allow traffic through NAT address

Scenario:
We have vertical market software that allows 3rd party communication to it through ports 3070 and 5162.
Our gateway, a Cisco 2921, is set up with port mapping, class-map, policy-map, zones, access-groups and ACLs.
We have set up NAT from the public IP to the internal IP address for the specific server/application:
created ip port-map for port 3070
created ip port-map for port 5162
added port maps to the appropriate class-map

Telnet from designated outside IP range to port 3070 works
Telnet to port 5162 fails
Ping communication to IP address (public) works

Unfortunately our Systems Administrator isn't around any longer (this is one of the reasons) and it's been years since I worked with Cisco CLI.

Any assistance would be appreciated as to why 3070 works but not 5162

Thank you
rvieth (Lead Consultant) asked:

ffleisma (Senior Network Engineer) commented:
If you could provide your router configuration, then we might be able to identify the issue. It would be hard to diagnose and troubleshoot without configuration details. But two things to look at are the ACL and NAT configuration.
rvieth (Lead Consultant, author) commented:
Thanks for the response! Config below. Having looked at it now I can see the mess it is - just a warning in advance!
Server/IPs in question are Outside 67.xxx.xxx.99 inside 192.168.10.63

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.151-4.M1.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
 server 192.168.10.32
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authentication login abc local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network abc local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXX.com
no ip port-map kazaa2 port tcp description Kazaa Version 2
ip port-map user-Mitel_TCP_1 port tcp 5566 5567 44000 4444 description Mitel TCP Ports
ip port-map user-ctcp-ezvpnsvr port tcp 10000
ip port-map user-Mitel_UDP_2 port udp 5567 description Mitel UDP Ports
ip port-map user-Jenark_TCP_2 port tcp 5162 description Jenark TCP 5162
ip port-map user-Jenark_TCP_1 port tcp 3070 description Jenark TCP 3070
ip port-map user-Jenark_UDP_1 port udp 3070 description Jenark UDP 3070
ip port-map user-Jenark_UDP_2 port udp 5162 description Jenark UDP 5162
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 WAAS enable
 log dropped-packets enable
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-242173954
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-242173954
 revocation-check none
 rsakeypair TP-self-signed-242173954
!
!
crypto pki certificate chain TP-self-signed-242173954
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343231 37333935 34301E17 0D313130 39303131 37343635
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3234 32313733
  39353430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C55325F0 FACE1AEF A5DBBFE2 EE31CD37 C831CB6F E5A2133C 24790A78 3B8ADCBA
  12CB54B0 718A9D56 5F2FB05B 3B22B24B 6535691D D6058E23 29626D69 4934317F
  C13DE1C4 4AE870ED 2E93F080 5CB33DC2 ABAF4A98 87411C96 710D59BA 555902A3
  06EEB9A4 5C60EADF DE0DA620 664C7C55 EA5D82AD E2CB5830 D9B08BD6 591A6E6D
  02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D
  11042130 1F821D48 4D492E68 616D6D65 72736D69 74686D61 6E616765 6D656E74
  2E636F6D 301F0603 551D2304 18301680 148C66BC EF6E587D 0CCB3B87 F71E75D3
  A1BA39AD 6C301D06 03551D0E 04160414 8C66BCEF 6E587D0C CB3B87F7 1E75D3A1
  BA39AD6C 300D0609 2A864886 F70D0101 04050003 8181001F 6A307E0B C85F43C6
  7DCF07E7 A0BE4590 85BC64CF 174444C5 302172D8 224E9C51 11706239 B804E762
  D40757A1 6B90C9B4 79D7393F C1D3D753 997C8334 E6BCF7D4 ABC0CA50 A0AF7D46
  E976C3EA 034D7E45 C2A90C94 C4FEC3DA B333BB72 2A333538 C0FF17ED 6E42C14B
  AAC62AC7 481005D7 607D16B7 9B83DC04 3F136D08 F5B123
        quit
license udi pid CISCO2921/K9 sn FTX1532AJHF
license boot module c2900 technology-package securityk9
!
!
username admin privilege 15 secret 5 $1$8/.L$xUF1Bg58oJA0Pk/Swgw9W0
username hmiserver privilege 15 secret 5 $1$Xrha$E9p0Afc2lTrR0h1YLU4UE0
!
redundancy
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any Web01-inbound
 match protocol http
 match protocol https
 match protocol ftp
 match protocol ftps
 match protocol tftp
 match protocol nfs
 match protocol mysql
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol icmp
 match protocol dns
 match protocol ms-sql
 match protocol ms-sql-m
 match protocol smtp
 match protocol Other
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any DMZ-outbound
 match protocol http
 match protocol https
 match protocol smtp
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-all ccp-cls--1
 match access-group name dmz-outbound
 match class-map DMZ-outbound
class-map type inspect match-all ccp-cls--3
 match access-group name DMZ-Inzone
 match class-map Web01-inbound
class-map type inspect match-all ccp-cls--2
 match access-group name dmz-inbound
class-map type inspect match-any icmp
 match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol Other
 match protocol user-Mitel_TCP_1
 match protocol user-Mitel_UDP_2
 match protocol Other
 match protocol Other
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SMTP
 match protocol smtp
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
 match protocol icmp
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match protocol user-ctcp-ezvpnsvr
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any TCP-UDP
 match protocol tcp
 match protocol udp
class-map type inspect match-any Gatekeep
 match protocol https
 match protocol icmp
 match protocol user-Jenark_TCP_1
 match protocol user-Jenark_UDP_1
 match protocol user-Jenark_UDP_2
 match protocol user-Jenark_TCP_2
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any sdm-service-ccp-inspect-1
 match protocol http
 match protocol https
 match protocol icmp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any Mitel-Voip
 match protocol user-Mitel_TCP_1
class-map type inspect match-any cpp-permit
 match protocol icmp
class-map type inspect match-any internal-dmz
 match protocol http
 match protocol https
 match protocol icmp
 match protocol ms-sql
 match protocol ms-sql-m
 match protocol smtp
 match protocol mysql
 match protocol Other
 match protocol ftp
 match protocol ftps
class-map type inspect match-any OWA
 match protocol http
 match protocol https
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match class-map SMTP
 match access-group name MXLogic
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
 match class-map OWA
 match access-group name HMImail
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any MS-RDP
 match protocol Other
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
 match class-map MS-RDP
 match access-group name RAS
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-4
 match class-map Gatekeep
 match access-group name Gatekeeper
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol https
 match protocol icmp
 match protocol smtp
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
 match class-map internal-dmz
 match access-group name Internal
class-map type inspect match-all ccp-protocol-http
 match class-map sdm-service-ccp-inspect-1
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect icmp
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls--1
  inspect
 class class-default
  pass
policy-map type inspect ccp-policy-ccp-cls--3
 class type inspect ccp-cls--3
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect ccp-cls-ccp-permit-dmzservice-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-cls-ccp-pol-outToIn-4
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-3
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-2
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
 service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
 service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source dmz-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination dmz-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description HMI LAN$ES_LAN$$FW_INSIDE$
 no ip address
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description Data VLAN$ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.10.250 255.255.255.0 secondary
 ip address 192.168.12.254 255.255.255.0 secondary
 ip address 192.168.10.254 255.255.255.0
 ip access-group 101 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip policy route-map policy_1
!
interface GigabitEthernet0/0.2
 description Voice VLAN$ETH-LAN$$FW_DMZ$
 encapsulation dot1Q 2
 ip address 10.10.1.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
 ip policy route-map policy_1
!
interface GigabitEthernet0/1
 description Data Center Integra WAN OUTSIDE
 ip address 67.XXX.XXX.102 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description checkpoint firewall $FW_INSIDE$
 ip address 172.16.0.2 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.14.10 192.168.14.250
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.10.63 67.XXX.XXX.99
ip nat inside source static 10.10.1.49 67.XXX.XXX.100
ip nat inside source static 192.168.10.45 67.XXX.XXX.101
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 192.168.15.0 255.255.255.0 192.168.10.40
ip route 192.168.20.0 255.255.255.0 172.16.0.1
ip route 192.168.30.0 255.255.255.0 172.16.0.1
ip route 192.168.40.0 255.255.255.0 172.16.0.1
ip route 192.168.41.0 255.255.255.0 172.16.0.1
ip route 192.168.50.0 255.255.255.0 172.16.0.1
ip route 192.168.51.0 255.255.255.0 172.16.0.1
ip route 192.168.60.0 255.255.255.0 172.16.0.1
ip route 192.168.70.0 255.255.255.0 172.16.0.1
!
ip access-list extended DMZ-Inzone
 remark CCP_ACL Category=128
 permit ip 10.10.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.10.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended Gatekeeper
 remark CCP_ACL Category=128
 permit ip any host 192.168.10.45
 permit ip any host 192.168.10.24
 permit ip any host 192.168.10.63
ip access-list extended HMImail
 remark CCP_ACL Category=128
 permit ip any host 192.168.10.7
ip access-list extended Internal
 remark CCP_ACL Category=128
 permit ip 192.168.0.0 0.0.255.255 10.10.1.0 0.0.0.255
ip access-list extended MXLogic
 remark CCP_ACL Category=128
 permit ip 0.0.0.0 255.255.248.0 host 192.168.10.7
ip access-list extended Mitel
 permit ip any host 192.168.20.246
 remark CCP_ACL Category=128
ip access-list extended RAS
 remark CCP_ACL Category=128
 permit ip any host 192.168.10.5
 permit ip any host 192.168.10.23
 permit ip any host 192.168.10.107
 permit ip any host 192.168.10.24
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended dmz-inbound
 remark CCP_ACL Category=128
 permit ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended dmz-outbound
 remark CCP_ACL Category=128
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 10.10.1.49
!
ip radius source-interface GigabitEthernet0/0.1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 10.10.1.0 0.0.0.255
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 66.XXX.XXX.224 0.0.0.31 any
access-list 100 permit ip 67.XXX.XXX.96 0.0.0.7 any
access-list 101 permit icmp host 192.168.10.49 host 10.10.1.49 log
access-list 101 permit ip host 192.168.10.49 host 10.10.1.49 log
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip host 192.168.10.49 any
access-list 110 permit ip host 192.168.10.45 any
access-list 110 permit ip host 10.10.1.49 any
access-list 110 permit ip host 192.168.10.107 any
access-list 110 permit ip host 192.168.10.24 any
access-list 110 permit ip host 192.168.10.63 any
!
!
!
!
route-map policy_1 permit 110
 match ip address 110
 set ip default next-hop 67.XXX.XXX.97
!
!
snmp-server community XXXXXX RO
radius-server host 192.168.10.32
!
!
!
control-plane
!
!
banner login ^CAuthorized Access Only.  This system is the property of XXXXXXXXX.  Disconnect Immediately if you are not an authorized user!^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

#exit
ffleisma (Senior Network Engineer) commented:
I've noticed you have both TCP and UDP. Telnet uses TCP, so doing telnet is inconclusive to test UDP.
ip port-map user-Jenark_TCP_2 port tcp 5162 description Jenark TCP 5162
ip port-map user-Jenark_TCP_1 port tcp 3070 description Jenark TCP 3070
ip port-map user-Jenark_UDP_1 port udp 3070 description Jenark UDP 3070
ip port-map user-Jenark_UDP_2 port udp 5162 description Jenark UDP 5162
 
 
class-map type inspect match-any Gatekeep
 match protocol https
 match protocol icmp
 match protocol user-Jenark_TCP_1
 match protocol user-Jenark_UDP_1
 match protocol user-Jenark_UDP_2
 match protocol user-Jenark_TCP_2


Second thing, you might want to test whether TCP 5162 is definitely open on the host end. On host 192.168.10.63 you can try "telnet 127.0.0.1 5162". If this fails then the issue might be on the host itself ("telnet 127.0.0.1 3070" should work, as you already mentioned you can telnet to 67.xxx.xxx.99 3070 from an external test).

Can you confirm that TCP-5162 is indeed open on the host end? From the looks of the configuration, everything applied for 3070 is also applied for 5162 in relation to the filtering and NAT configuration, unless I have overlooked something.

ffleisma (Senior Network Engineer) commented:
I don't have much experience on Zone-Based firewall, but here is my understanding.

I've noticed the policy action you are using relating to ports 3070 & 5162 is inspect.

ip port-map user-Jenark_TCP_2 port tcp 5162 description Jenark TCP 5162
ip port-map user-Jenark_TCP_1 port tcp 3070 description Jenark TCP 3070
ip port-map user-Jenark_UDP_1 port udp 3070 description Jenark UDP 3070
ip port-map user-Jenark_UDP_2 port udp 5162 description Jenark UDP 5162
 
 
class-map type inspect match-any Gatekeep
 match protocol https
 match protocol icmp
 match protocol user-Jenark_TCP_1
 match protocol user-Jenark_UDP_1
 match protocol user-Jenark_UDP_2
 match protocol user-Jenark_TCP_2

ip access-list extended Gatekeeper
 remark CCP_ACL Category=128
 permit ip any host 192.168.10.45
 permit ip any host 192.168.10.24
 permit ip any host 192.168.10.63
 
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-4
 match class-map Gatekeep
 match access-group name Gatekeeper
 
policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-cls-ccp-pol-outToIn-4
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-3
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-2
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn


There is a difference between inspect and pass action.
Pass—This action allows the router to forward traffic from one zone to another.
Inspect—The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests.
Source: (Ctrl+F Zone-Based Policy Firewall Actions)
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

So if traffic is initiated externally, the traffic is not allowed by the ZBF.

My suggestion is to change the action to pass as shown on line 3 below.
policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-cls-ccp-pol-outToIn-4
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-3
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-2
  inspect
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log


Other experts can correct me if I'm wrong on this.
rvieth (Lead Consultant, author) commented:
ffleisma,
Thanks for the input! I was of the same mindset as you - same settings, same filters, different results. I understand on UDP testing. I checked the server and it appears that 5162 TCP was not open (netstat -a shows 3070 but not 5162 for TCP). I set up an inbound policy in Windows Firewall with Advanced Security for 5162 TCP allow and still no go. Shut off both the firewall and the security software for a test and still no go. The last submission I believe is incorrect; it does need to be inspect, not pass. When you set it to pass it breaks the connection completely and does not allow any traffic through. I'm going to keep hitting on the server side for the open port and see what happens. I'll let you know. Thanks again!
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Inspect is correct in this case; you are inspecting for outside->in. What inspect does is permit a "flow" through the firewall, so the outside->inside is allowed by an "inspect" and inside->outside is allowed as part of that "flow". With "pass" you would have to allow the traffic on both interfaces and include a pass for the outside->inside and inside->outside.

This is correct as the policy map is applied on the outside to inside.  If it were applied on the inside to outside it would drop the traffic unless it was initiated from the inside.
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Summary: your firewall is correct

If netstat -ano is not showing the port under either TCP or UDP, then the software is not opening the port on your system and you will need to investigate that.

Note: look under both the 0.0.0.0 entries and entries related to your IP address for that host (e.g. 192.168.1.10:5162).

Note 2: I noticed this policy is from SDM/CCP. I hate that software. As a little tip, if you are going to be administering this for a while, learn the CLI and make your class and policy maps make a lot of sense, e.g.:

policy-map type inspect ZBF-POL-OUT-IN

class-map type inspect TCP_UDP_GATEKEEPER

ip port-map udp_gatekeeper
ip port-map tcp_gatekeeper


etc
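
The host-side check both answers above recommend (ffleisma's "telnet 127.0.0.1 5162" and Daniel's netstat note about 0.0.0.0 versus host-IP entries), written out as an added example that is not from the original thread or from any poster. It parses a constructed, labelled sample of Windows `netstat -ano` output to report whether a port is listening on TCP and/or UDP and on which local address (a socket bound only to 127.0.0.1 cannot be reached through the gateway's NAT even when the router forwards the port), and it runs a plain TCP connect probe equivalent to telnet. The server IP 192.168.10.63 and ports 3070/5162 are taken from the thread; the sample output, PIDs and the loopback-only 5162 binding are assumptions made up for the demonstration.

```python
"""Host-side check for a port that "should" be open behind a NAT/ZBF gateway.

Added example (not from the thread). Two checks the answers recommend:
  1. parse ``netstat -ano`` output to see whether a port listens on TCP and/or
     UDP and on which local address (0.0.0.0 / host IP vs 127.0.0.1 only);
  2. a TCP connect probe equivalent to ``telnet <host> <port>``.
"""
import socket
from dataclasses import dataclass

# Constructed sample of Windows ``netstat -ano`` output (NOT captured from the
# server in the thread). In this made-up state 3070 listens on all interfaces
# for TCP and UDP, 5162/udp listens, but 5162/tcp is bound to loopback only,
# so it can never be reached via the NAT even if the router forwards it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3070           0.0.0.0:0              LISTENING       2412
  TCP    127.0.0.1:5162         0.0.0.0:0              LISTENING       2412
  TCP    192.168.10.63:3070     203.0.113.10:51022     ESTABLISHED     2412
  UDP    0.0.0.0:3070           *:*                                    2412
  UDP    0.0.0.0:5162           *:*                                    2412
"""


@dataclass(frozen=True)
class Listener:
    proto: str      # "TCP" or "UDP"
    address: str    # local bind address as printed by netstat
    port: int
    pid: int

    def reachable_from_lan(self, host_ip: str) -> bool:
        """A socket bound to loopback only cannot be reached via the host's LAN IP."""
        return self.address in ("0.0.0.0", "::", host_ip)


def parse_netstat(text: str) -> list[Listener]:
    """Return listening sockets from ``netstat -ano`` text (Windows column layout).

    TCP rows carry a State column and only LISTENING rows count; UDP rows have
    no state column, so every UDP row is a listener.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue          # banner, header, blank or unknown row
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue      # ESTABLISHED / TIME_WAIT etc. are not listeners
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def listeners_for_port(text: str, port: int) -> dict[str, Listener]:
    """Map 'TCP'/'UDP' -> Listener for *port*, so both protocols are checked at once."""
    return {l.proto: l for l in parse_netstat(text) if l.port == port}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Equivalent of ``telnet host port``: True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_loopback_listener() -> tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on 127.0.0.1 so the probe can be exercised offline.

    The handshake completes from the kernel backlog, so no accept() is needed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host_ip = "192.168.10.63"   # the NATed server from the thread
    for port in (3070, 5162):
        found = listeners_for_port(SAMPLE_NETSTAT, port)
        for proto in ("TCP", "UDP"):
            l = found.get(proto)
            if l is None:
                print(f"{proto} {port}: not listening; fix the application before the router")
            elif not l.reachable_from_lan(host_ip):
                print(f"{proto} {port}: bound to {l.address} only; unreachable through NAT")
            else:
                print(f"{proto} {port}: listening on {l.address} (pid {l.pid}); host firewall is next")
    srv, p = start_loopback_listener()
    print(f"loopback probe of port {p}:", tcp_port_open("127.0.0.1", p))
    srv.close()
```

Run it on the server itself and feed the real `netstat -ano` output into `parse_netstat` instead of the sample; if a port shows up only under 127.0.0.1, or not at all, no router change will help, which is the conclusion the thread reaches. The connect probe tests TCP only, so it says nothing about the UDP port-maps in the config.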

rvieth (Lead Consultant, author) commented:
Thanks for the help everyone. The issue wasn't with the Gateway config - hard set port allow rule on the server in both Windows Firewall and Kaspersky and we are good to go.