Allowing Specific TCP Port Traffic in CGR 2010

  • Allowing Specific TCP Port Traffic in CGR 2010

    I am attempting to set up a zone based firewall. The config below is a boiled down version in which I attempt to match a specific tcp port in order to only allow traffic on that port through. The "match port" line is not accepted by the CGR 2010 router. I have input this line based on a Cisco document, and don’t see why it wouldn’t be valid. I have a need to allow through the firewall several non-standard tcp ports and so have to figure out how to include this functionality. Since the “match protocol” works, I also attempted to use the nbar command to create a user-defined protocol for the desired tcp ports. Using “match protocol” with these new user-defined protocols doesn’t work either, however.

    class-map type inspect match-any cmap-z1-z2
     match port tcp eq 502
     match protocol ssh
    policy-map type inspect pmap-z1-z2
     class type inspect cmap-z1-z2
     class class-default
    zone security zone1
     description Zone1 Network
    zone security zone2
     description Zone2 Network
    zone-pair security zp-z1-z2 source zone1 destination zone2
     service-policy type inspect pmap-z1-z2

    Does anyone know what is wrong with my "match port tcp eq 502" statement? If you do, what is the proper way to only allow a specific tcp port through?

    One thing that has just occurred to me is to revisit setting up access lists. I think that I may have overlooked being able to obtain the desired functionality through an access-list. I am going to look into this today. With that said, however, I think there would be an advantage to being able to match tcp ports in a class-map rather than an access-list, but maybe my understanding has holes in it (obviously it does).
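The access-list route mentioned above, written out as an added example that is not part of the original post or of Cisco's documentation: an extended ACL selects TCP/502, and the inspect class-map references it with "match access-group name" instead of "match port". It assumes standard IOS zone-based firewall syntax; the ACL name and the "user-modbus" port-map name are constructed placeholders.

```cisco
! Added example (not from the original post): permit only TCP/502 and SSH
! from zone1 to zone2 by matching an extended ACL instead of "match port".
! ACL name ACL-Z1-Z2-TCP502 is a constructed placeholder.
ip access-list extended ACL-Z1-Z2-TCP502
 permit tcp any any eq 502
!
! Alternative for a port NBAR has no protocol for: a user-defined port map
! (name must start with "user-"), then "match protocol user-modbus" in the class-map.
! ip port-map user-modbus port tcp 502
!
class-map type inspect match-any cmap-z1-z2
 match access-group name ACL-Z1-Z2-TCP502
 match protocol ssh
!
policy-map type inspect pmap-z1-z2
 class type inspect cmap-z1-z2
  inspect
 class class-default
  drop log
!
zone security zone1
 description Zone1 Network
zone security zone2
 description Zone2 Network
!
zone-pair security zp-z1-z2 source zone1 destination zone2
 service-policy type inspect pmap-z1-z2
```

After applying it, "show policy-map type inspect zone-pair zp-z1-z2" shows per-class packet and session counters, which confirms whether TCP/502 flows are landing in cmap-z1-z2 or falling through to class-default and being dropped.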