networking-forum.com
PostPosted: Sat Dec 29, 2012 11:11 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers, Gi0/2 which will connect to another server, and Gi0/1, which is my outside interface connecting through a switch to two ISPs.
I have web servers and terminal servers/file servers on the 10.0.0.0 network connected through my Gi0/0 interface.
Now I want to implement a Cisco Advanced Firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 80, 23, 25, 20, 21, 53, 110, 3389, and to access the SIP server on Gi0/2. My issue is: can I just create two DMZs for both interfaces Gi0/0 and Gi0/2, without creating an inside zone, and make Gi0/1 the outside zone, as my internal traffic is mostly server based and the users connect remotely through the terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot and all I have seen is just the basic process of using the wizard; I have no idea how to go about this issue.

Would appreciate some assistance on this.


PostPosted: Thu Jan 03, 2013 5:25 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

You can achieve this by configuring a Zone Based Firewall on your router. You can refer to the documents below to understand the basics of ZBFW: http://yadhutony.blogspot.in/2012/10/cisco-ios-zone-based-firewall-step-by.html and http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml . Yeah, you can have two DMZ zones configured on your firewall. Also, you can easily allow the required ports using a ZBFW configuration (refer to the documents).
I would personally suggest not using CCP during your configuration.

Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Fri Jan 04, 2013 6:52 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Thanks for the link. I referred to it and came up with the following configuration on my router for outside users to be able to access my inside network resources on ports 80, 23, 25, 20, 21, 53, 110, 3389. I would appreciate it if someone could look at it and see if it is OK.

Also, can I use port numbers, or would I have to use port mapping to define ports that are not present in the router?

Like this: ip port-map user-RDP port tcp 3389


zone security out-zone
zone security in-zone

interface gi0/1
zone-member security out-zone

interface gi0/0
zone-member security in-zone

interface gi0/2
zone-member security in-zone
exit

zone-pair security OUT-IN source out-zone destination in-zone

ip access-list extended OUTSIDE-TO-INSIDE
permit tcp any 10.0.0.0 0.0.0.255 eq ftp
permit tcp any 10.0.0.0 0.0.0.255 eq pop3
permit tcp any 10.0.0.0 0.0.0.255 eq 3389
permit tcp any 10.0.0.0 0.0.0.255 eq www
permit tcp any 10.0.0.0 0.0.0.255 eq 25
permit tcp any 10.0.0.0 0.0.0.255 eq 53
permit tcp any 10.0.0.0 0.0.0.255 eq 143
permit tcp any 10.0.0.0 0.0.0.255 eq 443
permit tcp any 10.0.3.254 0.0.0.0 eq www
permit tcp any 10.0.3.254 0.0.0.0 eq 3389
permit tcp any 10.0.3.254 0.0.0.0 eq 5060
permit tcp any 10.0.3.254 0.0.0.0 eq 5061

class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name inside OUTSIDE-TO-INSIDE

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-INSIDE-CLASS
inspect
class class-default
drop log


zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY


PostPosted: Sat Jan 05, 2013 3:12 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Correct the class-map syntax:
class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE

Here you allowed all the mentioned ports from gi0/1 to both gi0/0 and gi0/2.
Try to be more specific; for example, you can assign gi0/2 to another zone (say 'zone security in-zone-2') and configure another zone pair.

The other configuration seems OK. Try this out and verify the result.

Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Sat Jan 05, 2013 3:37 am 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hi Tony,
But the ACL only permits ports 80, 3389, 5060, 5061 for 10.0.3.254:
permit tcp any 10.0.3.254 0.0.0.0 eq www
permit tcp any 10.0.3.254 0.0.0.0 eq 3389
permit tcp any 10.0.3.254 0.0.0.0 eq 5060
permit tcp any 10.0.3.254 0.0.0.0 eq 5061

So won't that restrict all the other ports, as the ACLs for 10.0.0.0 have different ports opened?
permit tcp any 10.0.0.0 0.0.0.255 eq ftp
permit tcp any 10.0.0.0 0.0.0.255 eq pop3
permit tcp any 10.0.0.0 0.0.0.255 eq 3389
permit tcp any 10.0.0.0 0.0.0.255 eq www
permit tcp any 10.0.0.0 0.0.0.255 eq 25
permit tcp any 10.0.0.0 0.0.0.255 eq 53
permit tcp any 10.0.0.0 0.0.0.255 eq 143
permit tcp any 10.0.0.0 0.0.0.255 eq 443

Because in my network both gi0/0 and gi0/2 are part of the internal network and require interconnection, especially for SIP connectivity, as gi0/2 is connected to a SIP server.

Secondly, I realized that my 10.0.0.0 network requires different servers to have different ports opened, so I came up with a modified configuration as below.
Or will it be better that I create a separate ACL for each server and open all the respective ports (such as ACL 100 for 10.0.52 with ports 80, 53, 23, 21, 22, 3389 and ACL 101 for 10.0.0.59 with ports 80, 53, 3389) and match them to their respective class-maps, which are then applied to a policy-map?


zone security out-zone
zone security in-zone

interface gi0/1
zone-member security out-zone

interface gi0/0
zone-member security in-zone

interface gi0/2
zone-member security in-zone
exit

zone-pair security OUT-IN source out-zone destination in-zone

ip access-list extended OUTSIDE-TO-INSIDE
permit tcp any host 10.0.0.50 eq www
permit tcp any host 10.0.0.50 range 20 21
permit tcp any host 10.0.0.50 eq 25
permit tcp any host 10.0.0.50 eq 53
permit tcp any host 10.0.0.50 eq 110
permit tcp any host 10.0.0.50 eq 143
permit tcp any host 10.0.0.50 eq 443
permit tcp any host 10.0.0.50 eq 3389

permit tcp any host 10.0.0.52 eq www
permit tcp any host 10.0.0.52 range 20 21
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.52 eq 53
permit udp any host 10.0.0.52 eq 53
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.52 eq 3389

permit tcp any host 10.0.0.23 eq www
permit tcp any host 10.0.0.23 range 20 21
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.23 eq 8080

permit tcp any host 10.0.0.59 eq www
permit tcp any host 10.0.0.59 range 20 21
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.59 eq 110
permit tcp any host 10.0.0.59 eq 143
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.59 eq 3389

permit tcp any host 10.0.0.61 eq www
permit tcp any host 10.0.0.61 range 20 21
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.61 eq 110
permit tcp any host 10.0.0.61 eq 143
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.61 eq 3389

permit tcp any host 10.0.0.228 eq www
permit tcp any host 10.0.0.228 range 20 21
permit tcp any host 10.0.0.228 eq 25
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53
permit tcp any host 10.0.0.228 eq 110
permit tcp any host 10.0.0.228 eq 143
permit tcp any host 10.0.0.228 eq 443
permit tcp any host 10.0.0.228 eq 3389

permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq www
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389

permit tcp any 10.0.3.254 0.0.0.0 eq www
permit tcp any 10.0.3.254 0.0.0.0 eq 3389
permit tcp any 10.0.3.254 0.0.0.0 eq 5060
permit tcp any 10.0.3.254 0.0.0.0 eq 5061

class-map type inspect match-all OUTSIDE-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-INSIDE-CLASS
inspect
class class-default
drop log

zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

Please advise!


PostPosted: Sun Jan 06, 2013 2:21 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

Your current configuration is OK. Here you can also put an intra-zone policy (refer to the Cisco documents), allowing only SIP between gi0/0 and gi0/2, since all the traffic inside a zone is allowed. But what I would suggest is to put them in separate zones for better security and ease of management. Anyway, you can try both and let me know the result.

Best Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Sun Jan 06, 2013 10:54 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hello Tony,
I really appreciate your help, but I have some doubts I would like to have your view on:
1. I am not sure if it would be a better idea to create multiple ACLs, one for each server, assign each to a class map and assign all the class maps to a policy map (below is an example of what I mean for two servers), instead of having a single ACL. Won't a large ACL like the one I sent in my previous configuration affect my network?

2. I read the documents on the intra-zone policy, but my question is: won't my network in the inside zone have interconnectivity since gi0/0 and gi0/2 are both part of the same zone? Won't creating an intra-zone policy require me to permit SIP access to and from gi0/0 and gi0/2 (i.e. two zone pairs)? Also, I am not sure what ports I would need to permit for SIP.
I would appreciate your response.

(Sample configuration of what I mean by multiple ACLs for each server)

ip access-list extended OUTSIDE-TO-server52
permit tcp any host 10.0.0.52 eq www
permit tcp any host 10.0.0.52 range 20 21
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.52 eq 53
permit udp any host 10.0.0.52 eq 53
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.52 eq 3389

ip access-list extended OUTSIDE-TO-server23
permit tcp any host 10.0.0.23 eq www
permit tcp any host 10.0.0.23 range 20 21
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.23 eq 8080

ip access-list extended OUTSIDE-TO-server59
permit tcp any host 10.0.0.59 eq www
permit tcp any host 10.0.0.59 range 20 21
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53

class-map type inspect match-all OUTSIDE-INSIDE-CLASS52
match access-group name OUTSIDE-TO-server52

class-map type inspect match-all OUTSIDE-INSIDE-CLASS23
match access-group name OUTSIDE-TO-server23

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-INSIDE-CLASS52
inspect
class type inspect OUTSIDE-INSIDE-CLASS23
inspect

class class-default
drop log


PostPosted: Mon Jan 07, 2013 2:27 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

1. You can have multiple ACLs, but what I would suggest is to sort the traffic based on protocols instead of creating a single ACL. A class map sorts the traffic based on two criteria: a) protocols, b) ACLs. For example, your 50, 52, 23, 61, 59 servers need to be accessed via HTTPS. Here we can put the configuration below to sort and allow traffic based on HTTPS:

class-map type inspect match-all/any HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS

ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 10.0.0.50 eq 443
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.59 eq 443

Be careful when you put match statements:
Quote:
match-all/any
(refer to the Cisco documents)

2. By default all the traffic is allowed between gi0/0 and gi0/2 since both are in the same zone. If you want to allow only SIP and restrict all other traffic between these two interfaces, you can put an intra-zone access policy. Otherwise just leave it as it is. Personally I haven't worked with SIP, but I found the statement below on Wikipedia regarding the SIP port number:
Quote:
SIP clients typically use TCP or UDP on port numbers 5060 and/or 5061 to connect to SIP servers and other SIP endpoints. Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).

Let me know how it works.

Best Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Wed Jan 09, 2013 5:33 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hello Tony,
I configured my firewall the way you suggested, but I came up with two issues. Firstly, I realized that for protocols like RDP that use ports like 3389 or other registered ports, I need to create a user-defined port mapping, i.e.
ip port-map user-RDP port tcp 3389

and secondly, in the command:
class-map type inspect match-all/any HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS

ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 10.0.0.50 eq 443
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.59 eq 443

The ACL statement "permit tcp any host 10.0.0.50 eq 443" permits port 443 on 10.0.0.50, so doesn't the second statement in the class map, "match protocol https", repeat the statement? Will this not affect the performance of the network in any way?

Though here is the configuration I came up with based on your suggestion. I left the gi0/2 interface with full out/in access, as I am not sure what ports to open for now. Please let me know if I need to do anything with this configuration:

zone security out-zone
zone security in-zone
zone security teleworker

interface gi0/1
zone-member security out-zone

interface gi0/0
zone-member security in-zone

interface gi0/2
zone-member security teleworker
exit

ip port-map user-RDP port tcp 3389

zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone

ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80

class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB

ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 range 20 21
permit tcp any host 10.0.0.23 range 20 21
permit tcp any host 10.0.0.59 range 20 21
permit tcp any host 10.0.0.61 range 20 21
permit tcp any host 10.0.0.228 range 20 21

class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP

ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25

class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP

ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53

class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS

ip access-list extended OUTSIDE-TO-INSIDE-POP
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.59 eq 110
permit tcp any host 10.0.0.61 eq 110
permit tcp any host 10.0.0.228 eq 110

class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
match protocol pop
match access-group name OUTSIDE-TO-INSIDE-POP

ip access-list extended OUTSIDE-TO-INSIDE-IMAP
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.59 eq 143
permit tcp any host 10.0.0.61 eq 143
permit tcp any host 10.0.0.228 eq 143

class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
match protocol imap
match access-group name OUTSIDE-TO-INSIDE-IMAP

ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443

class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS

ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389

class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP

ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip host 10.0.3.254 any

class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE

ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.0.3.254

class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER


policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect


policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect

policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect

zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY

zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY


PostPosted: Thu Jan 10, 2013 11:40 pm 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

Quote:
Firstly, I realized that for protocols like RDP that use ports like 3389 or other registered ports, I need to create a user-defined port mapping, i.e.
ip port-map user-RDP port tcp 3389

This is not an issue. Port mapping is clearly mentioned in the Cisco document which I provided to you.
Quote:
The ACL statement "permit tcp any host 10.0.0.50 eq 443" permits port 443 on 10.0.0.50, so doesn't the second statement in the class map, "match protocol https", repeat the statement? Will this not affect the performance of the network in any way?

There will not be any performance issue. From my understanding, "match protocol https" looks for TCP traffic to port 443 and the ACL will restrict the traffic to the mentioned servers. But I need some clarification from an expert regarding this.
Quote:
I left the gi0/2 interface with full out/in access, as I am not sure what ports to open for now

If you are not sure about the ports, then you can go back to your previous configuration and add gi0/2 to 'zone security in-zone'.

The other configuration seems OK and you can proceed with that.
Let me see how it works.

Best Regards,
Tony

_________________
http://yadhutony.blogspot.com
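The question above (does "match protocol https" duplicate the ACL?) and Tony's earlier warning about match-all versus match-any come down to how a class-map combines its criteria: under match-all the NBAR protocol match AND the ACL must both hit, under match-any either one is enough, so a match-any class with "match protocol https" would admit HTTPS to every inside host regardless of the ACL. The script below is an added example, not code from this thread or from Cisco: it parses a small constructed ZBFW snippet, evaluates flows against the policy, and flags dangling names such as the OUTSIDE-T0-INSIDE-CLASS (zero for an O) typo from the earlier posts. It reduces NBAR protocol matching to a transport/port pair, which is an assumption for illustration only.

```python
"""Toy evaluator for Cisco IOS zone-based-firewall class-map semantics (constructed
example, not the thread's router): models ip port-map, extended ACLs, class-map, policy-map."""
import ipaddress
# Assumed reduction of NBAR protocol names to (transport, port); real NBAR inspects more.
PROTOCOLS = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": (None, 53)}

def parse(text):
    cfg = {"protocols": dict(PROTOCOLS), "acls": {}, "classes": {}, "policies": {}}
    sect = None  # (table, name) that the following indented lines belong to
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ip", "port-map"]:            # ip port-map user-RDP port tcp 3389
            cfg["protocols"][w[2]] = (w[4], int(w[5]))
        elif w[:3] == ["ip", "access-list", "extended"]:
            sect, cfg["acls"][w[3]] = ("acls", w[3]), []
        elif w[:3] == ["class-map", "type", "inspect"]:
            sect, cfg["classes"][w[4]] = ("classes", w[4]), (w[3], [])  # (mode, criteria)
        elif w[:3] == ["policy-map", "type", "inspect"]:
            sect, cfg["policies"][w[3]] = ("policies", w[3]), []
        elif sect and sect[0] == "acls" and w[0] == "permit":
            # permit <proto> any (host X | X wildcard) [eq P | range A B]; source is always any
            proto, rest = w[1], w[3:]
            if rest[0] == "host":
                net, rest = ipaddress.ip_network(rest[1]), rest[2:]
            else:  # wildcard mask: prefix length is 32 minus the number of wildcard bits
                bits = 32 - bin(int(ipaddress.ip_address(rest[1]))).count("1")
                net, rest = ipaddress.ip_network(f"{rest[0]}/{bits}", strict=False), rest[2:]
            lo, hi = (int(rest[1]), int(rest[-1])) if rest else (0, 65535)
            cfg["acls"][sect[1]].append((proto, net, lo, hi))
        elif sect and sect[0] == "classes" and w[0] == "match":
            cfg["classes"][sect[1]][1].append((w[1], w[-1]))  # ("protocol"|"access-group", name)
        elif sect and sect[0] == "policies":
            if w[0] == "class":                    # class type inspect NAME | class class-default
                cfg["policies"][sect[1]].append([w[-1], None])
            else:                                  # inspect | pass | drop [log]
                cfg["policies"][sect[1]][-1][1] = w[0]
    return cfg

def _acl_permits(cfg, name, dst, proto, dport):
    return any(p in ("ip", proto) and ipaddress.ip_address(dst) in net and lo <= dport <= hi
               for p, net, lo, hi in cfg["acls"].get(name, []))

def _protocol_matches(cfg, name, proto, dport):
    transport, port = cfg["protocols"].get(name, (None, -1))
    return transport in (None, proto) and dport == port

def class_matches(cfg, cname, dst, proto, dport):
    """match-all: every criterion must hit; match-any: a single hit is enough."""
    mode, crits = cfg["classes"].get(cname, ("match-any", []))  # unknown class never matches
    hits = [_protocol_matches(cfg, ref, proto, dport) if kind == "protocol"
            else _acl_permits(cfg, ref, dst, proto, dport) for kind, ref in crits]
    return all(hits) if mode == "match-all" else any(hits)

def action_for(cfg, policy, dst, proto, dport):
    """First matching class wins; whatever is left falls to class-default (drop)."""
    for cname, action in cfg["policies"][policy]:
        if cname == "class-default" or class_matches(cfg, cname, dst, proto, dport):
            return action
    return "drop"

def lint(cfg):
    """Flag dangling names, e.g. OUTSIDE-T0-INSIDE-CLASS typed with a zero for an O."""
    bad = [f"class-map {c}: undefined {k} {r}" for c, (_, crits) in cfg["classes"].items()
           for k, r in crits if r not in (cfg["protocols"] if k == "protocol" else cfg["acls"])]
    bad += [f"policy-map {p}: undefined class-map {c}" for p, entries in cfg["policies"].items()
            for c, _ in entries if c != "class-default" and c not in cfg["classes"]]
    return bad

SAMPLE = """
ip port-map user-RDP port tcp 3389
ip access-list extended HTTPS-SERVER-ACCESS
 permit tcp any host 10.0.0.50 eq 443
 permit tcp any host 10.0.0.52 eq 443
ip access-list extended OUTSIDE-TO-INSIDE-RDP
 permit tcp any host 10.0.0.52 eq 3389
class-map type inspect match-all HTTPS-ACCESS
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS
class-map type inspect match-any HTTPS-LOOSE
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS
class-map type inspect match-all RDP-ACCESS
 match protocol user-RDP
 match access-group name OUTSIDE-TO-INSIDE-RDP
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect HTTPS-ACCESS
  inspect
 class type inspect RDP-ACCESS
  inspect
 class type inspect OUTSIDE-T0-INSIDE-CLASS
  inspect
 class class-default
  drop log
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print(action_for(cfg, "OUTSIDE-TO-INSIDE-POLICY", "10.0.0.99", "tcp", 443), lint(cfg))
```

Compare class_matches on HTTPS-ACCESS and HTTPS-LOOSE for a host that is not in the ACL: only the match-any class admits it.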


PostPosted: Fri Jan 11, 2013 1:20 am 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
I think I prefer this configuration, especially for the fact that future modifications should be easier. I left the gi0/2 port completely open because I don't really need it at the moment, and the current zone pair is what is actually required for gi0/2, so I will only bother about the permit statements when I am going to use it. I will try this configuration on my router tomorrow and let you know how it goes.

If this works fine I intend to implement IPS, but I am pretty confused about IPS and how it works. What I want is to receive alerts when someone attempts to compromise my router and to block them or perform the necessary action. Is there any way to receive alerts on Cisco via email, or any such kind of feature? The equipment currently in place of the Cisco router is a proprietary firewall and provides alerts via email when someone attempts to compromise the network, along with details of what action was taken.
I really don't know how to thank you. Thanks a lot.


PostPosted: Sat Jan 12, 2013 5:26 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

You are welcome :)

Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Sat Jan 19, 2013 4:07 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hello Tony,
I have set up this configuration on my router and, thanks to you, it worked just as I wanted.
Please, I need to configure a second router. What I want is that the second router will be at a site in a second location, such that remote users will come through an IP provided by the ISP to that router, and from that router they will be directed to our current router network. I was thinking that NAT on a stick would be the solution, but I am not too sure. I have gone through the Cisco documents on configuring NAT on a stick, but I am also confused about how I will direct them to my network.
For example, what I want is this: users use IPs of 4.4.4.2, 4.4.4.3 and 4.4.4.4, and the ISP takes them to the router R2 (remote), from where the IP is translated to our current network's IPs respectively, i.e. 4.4.4.2 goes to 10.0.0.55, 4.4.4.3 goes to 10.0.0.52, and 4.4.4.4 goes to 10.0.0.23, etc. on R1 through the Internet?

I would appreciate your response.


PostPosted: Sun Jan 20, 2013 6:16 am 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Please, I have one problem coming up on my ZBF.
Everything works fine internally, but I have a website on the 10.0.0.52 server with the external IP of 216.140.140.4. When I tried to access it from the Internet it doesn't work. Please, do you have any ideas on what might be the issue here? If I use the IP 216.140.140.4 I can access the website, so I suspected it is a DNS issue, so I enabled DNS port 53 on the 10.0.0.1 server; it still didn't work. It is an issue with the router, because as soon as I replace it with the proprietary firewall it works fine.
I would appreciate your advice.

ip name-server 10.0.0.1

zone security out-zone
zone security in-zone
zone security teleworker

interface gi0/1
zone-member security out-zone

interface gi0/0
zone-member security in-zone

interface gi0/2
zone-member security teleworker
exit

ip port-map user-RDP port tcp 3389

zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone

ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80

class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB

ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 range 20 21
permit tcp any host 10.0.0.23 range 20 21
permit tcp any host 10.0.0.59 range 20 21
permit tcp any host 10.0.0.61 range 20 21
permit tcp any host 10.0.0.228 range 20 21

class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP

ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25

class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP

ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53

class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS

ip access-list extended OUTSIDE-TO-INSIDE-POP
permit tcp any host 10.0.0.52 eq 110
permit tcp any host 10.0.0.23 eq 110
permit tcp any host 10.0.0.59 eq 110
permit tcp any host 10.0.0.61 eq 110
permit tcp any host 10.0.0.228 eq 110

class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS
match protocol pop
match access-group name OUTSIDE-TO-INSIDE-POP

ip access-list extended OUTSIDE-TO-INSIDE-IMAP
permit tcp any host 10.0.0.52 eq 143
permit tcp any host 10.0.0.23 eq 143
permit tcp any host 10.0.0.59 eq 143
permit tcp any host 10.0.0.61 eq 143
permit tcp any host 10.0.0.228 eq 143

class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS
match protocol imap
match access-group name OUTSIDE-TO-INSIDE-IMAP

ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443

class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS

ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389

class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP

ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip host 10.0.3.254 any

class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE

ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.0.3.254

class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER


policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-POP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect

class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect


policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect

policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect

zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY

zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY


PostPosted: Sun Jan 20, 2013 8:15 pm 
Ultimate Member

Joined: Wed Nov 17, 2010 5:53 pm
Posts: 597
Location: Stockholm, Sweden
Certs: CCNP, CCIP, CCNA Security
Hi ahmedahmed.

First of all, I would start with a recommendation to never give out your public IP on an Internet forum, especially not together with your security setup. Anonymise it by replacing it with x.x.x.x or something.

After that, you say that you can't access the site .52. On what port/protocol are you trying to reach it? I ask since I notice that the ZBFW isn't configured to allow http/80 to it, but is configured for https/443.

Also, if you access something directly via its IP address, DNS isn't involved at all.
By the way, are you really hosting that many servers that provide public DNS lookups? Otherwise I'm not sure why you would allow the outside to access them on port 53.


PostPosted: Mon Jan 21, 2013 12:55 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hello,

Quote:
First of all, I would start with a recommendation to never give out your public IP on an Internet forum, especially not together with your security setup. Anonymise it by replacing it with x.x.x.x or something.

As he said, DO NOT provide your public IP on any forums.

Coming to your questions,
Quote:
For example, what I want is this: users use the IPs 4.4.4.2, 4.4.4.3 and 4.4.4.4, and the ISP takes them to the router R2 (remote), from where each IP is translated to our current network's IPs respectively, i.e. 4.4.4.2 goes to 10.0.0.55, 4.4.4.3 goes to 10.0.0.52, and 4.4.4.4 goes to 10.0.0.23 etc. on R1 through the Internet?

Could you please elaborate this with a diagram?
Quote:
Please I have one problem coming up on my ZBF?
Everything works fine internally, but I have a website on the 10.0.0.52 server with the external IP

So you can access .52 using RDP and FTP but not with HTTPS from the Internet, right? Are you trying to access it with a domain name or an IP address? If you are using a domain name, is it resolving to the correct IP?

Regards,
Tony

_________________
http://yadhutony.blogspot.com


PostPosted: Mon Jan 21, 2013 2:10 pm 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hello,
Yes, I can access the .52 using RDP and FTP, and I checked using port testing software: all the relevant ports are open for outside users.
I also configured the ZBF to allow port 80, and I need users to access an internal website hosted on the .52 server both internally and from the Internet.

"And the provided public IPs are dummy IPs", not my real public IP.


Below is my configuration. I have broken it down into three phases:
1) NAT for two ISPs: one primary and one for backup.
2) Zone Based Firewall (outside to inside)
3) Zone Based Firewall (inside to outside): done using CCP
My NAT is working perfectly fine. I configured the outside-to-inside zone opening up the relevant ports, and all the right ports are open. I used CCP to configure the inside-to-outside zone because I am not sure of all the ports that would need to be opened, and it is pretty straightforward with CCP.

- My internal DNS server is 10.0.0.1 and is configured properly, because it is currently working with a proprietary firewall.
- From inside to outside everything works fine.
- I can ping my DNS server from my router; I have opened port 53 for my DNS server on the ZBF.
- I can ping my website on my 10.0.0.52 webserver from my router using its name, i.e. ping www.aaa.com, and it resolves to the correct public IP and the ping is successful.
- From the Internet I can access the website at the external IP address http://216.140.140.4 (10.0.0.52 - 216.140.140.4) but not as http://www.aaa.com; I can't get it by its name.
- I don't have a NAT entry for my internal DNS server; however, I have opened up port 53 for it on the Zone Based Firewall.

Now I don't understand how to provide the static translation, as I don't need the DNS server to really access the Internet, or am I getting something wrong?
I would appreciate your help.
Below is my configuration.


1) NAT:

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!


interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PRIVATE-INGRESS
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0/1
ip address 216.150.150.4 255.255.255.0 secondary
ip address 216.140.140.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27
ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24
ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload
ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY
ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY
ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1
ip route 0.0.0.0 0.0.0.0 216.150.150.254 10
!
ip access-list standard DYNAMIC-PRIMARY
deny 10.0.0.24
deny 10.0.0.25
deny 10.0.0.30
deny 10.0.0.16
deny 10.0.0.22
deny 10.0.0.23
deny 10.0.0.21
deny 10.0.0.44
deny 10.0.0.33
deny 10.0.0.58
deny 10.0.0.59
deny 10.0.0.61
deny 10.0.0.54
deny 10.0.0.52
deny 10.0.0.53
deny 10.0.0.216
deny 10.0.0.220
deny 10.0.0.230
deny 10.0.0.228
deny 10.0.0.251
permit 10.0.0.0 0.255.255.255
ip access-list standard DYNAMIC-SECONDARY
permit 10.0.0.0 0.255.255.255
ip access-list standard PRIMARY-NEXT-HOP
permit 216.140.140.1
ip access-list standard SECONDARY-NEXT-HOP
permit 216.150.150.254
!
ip sla 1
icmp-echo 216.140.140.1 source-ip 216.140.140.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 216.150.150.254 source-ip 216.150.150.4
threshold 2
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
!
!
!
!
route-map STATIC-NAT-PRIMARY permit 10
match ip next-hop PRIMARY-NEXT-HOP
!
route-map STATIC-NAT-PRIMARY deny 20
!
route-map STATIC-NAT-SECONDARY permit 10
match ip next-hop SECONDARY-NEXT-HOP
!
route-map STATIC-NAT-SECONDARY deny 20
!
route-map SECONDARY-NAT permit 10
match ip address DYNAMIC-SECONDARY
match ip next-hop SECONDARY-NEXT-HOP
!
route-map SECONDARY-NAT deny 20
!
route-map PRIVATE-INGRESS permit 10
set ip next-hop verify-availability 216.140.140.1 10 track 1
set ip next-hop verify-availability 216.150.150.254 20 track 2
!
route-map PRIVATE-INGRESS permit 11
!
route-map PRIMARY-NAT permit 10
match ip address DYNAMIC-PRIMARY
match ip next-hop PRIMARY-NEXT-HOP
!
route-map PRIMARY-NAT deny 20



2) OUTSIDE TO INSIDE ZONE (ZBF):

zone security out-zone
zone security in-zone
zone security teleworker


interface gi0/1
zone-member security out-zone


interface gi0/0
zone-member security in-zone


interface gi0/2
ip address 10.1.0.254 255.255.255.0
zone-member security teleworker
exit


ip name-server 10.0.0.1
ip port-map user-RDP port tcp 3389
ip port-map user-WEBB port tcp 8080


zone-pair security OUT-IN source out-zone destination in-zone
zone-pair security OUT-TELEWORKER source out-zone destination teleworker
zone-pair security TELEWORKER-OUT source teleworker destination out-zone


ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.23 eq 80
permit tcp any host 10.0.0.59 eq 80
permit tcp any host 10.0.0.61 eq 80
permit tcp any host 10.0.0.228 eq 80
permit tcp any host 10.0.0.16 eq 80
permit tcp any host 10.0.0.30 eq 80
permit tcp any host 10.0.0.52 eq 80
permit tcp any host 10.0.0.55 eq 80


class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-WEB


ip access-list extended OUTSIDE-TO-INSIDE-FTP
permit tcp any host 10.0.0.52 eq 20 21
permit tcp any host 10.0.0.23 eq 20 21
permit tcp any host 10.0.0.59 eq 20 21
permit tcp any host 10.0.0.61 eq 20 21
permit tcp any host 10.0.0.228 eq 20 21
permit tcp any host 10.0.0.55 eq 20 21


class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS
match protocol ftp
match access-group name OUTSIDE-TO-INSIDE-FTP


ip access-list extended OUTSIDE-TO-INSIDE-SMTP
permit tcp any host 10.0.0.52 eq 25
permit tcp any host 10.0.0.23 eq 25
permit tcp any host 10.0.0.59 eq 25
permit tcp any host 10.0.0.61 eq 25
permit tcp any host 10.0.0.228 eq 25
permit tcp any host 10.0.0.55 eq 25


class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS
match protocol smtp
match access-group name OUTSIDE-TO-INSIDE-SMTP


ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.23 eq 53
permit udp any host 10.0.0.23 eq 53
permit tcp any host 10.0.0.59 eq 53
permit udp any host 10.0.0.59 eq 53
permit tcp any host 10.0.0.61 eq 53
permit udp any host 10.0.0.61 eq 53
permit tcp any host 10.0.0.228 eq 53
permit udp any host 10.0.0.228 eq 53
permit tcp any host 10.0.0.52 eq 53
permit udp any host 10.0.0.52 eq 53
permit tcp any host 10.0.0.55 eq 53
permit udp any host 10.0.0.55 eq 53
permit tcp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.1 eq 53




class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS




ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.23 eq 443
permit tcp any host 10.0.0.59 eq 443
permit tcp any host 10.0.0.61 eq 443
permit tcp any host 10.0.0.228 eq 443
permit tcp any host 10.0.0.55 eq 443
permit tcp any host 10.0.0.53 eq 443




class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS
match protocol https
match access-group name OUTSIDE-TO-INSIDE-HTTPS


ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
permit tcp any host 10.0.0.23 eq 3389
permit tcp any host 10.0.0.59 eq 3389
permit tcp any host 10.0.0.61 eq 3389
permit tcp any host 10.0.0.228 eq 3389
permit tcp any host 10.0.0.58 eq 3389
permit tcp any host 10.0.0.33 eq 3389
permit tcp any host 10.0.0.25 eq 3389
permit tcp any host 10.0.0.44 eq 3389
permit tcp any host 10.0.0.251 eq 3389
permit tcp any host 10.0.0.21 eq 3389
permit tcp any host 10.0.0.22 eq 3389
permit tcp any host 10.0.0.24 eq 3389
permit tcp any host 10.0.0.30 eq 3389
permit tcp any host 10.0.0.230 eq 3389
permit tcp any host 10.0.0.55 eq 3389
permit tcp any host 10.0.0.220 eq 3389
permit tcp any host 10.0.0.25 eq 3389


class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP


ip access-list extended OUTSIDE-TO-INSIDE-WEBB
permit tcp any host 10.0.0.23 eq 8080
permit tcp any host 10.0.0.228 eq 8080


class-map type inspect match-all OUTSIDE-TO-INSIDE-WEBB-CLASS
match protocol user-WEBB
match access-group name OUTSIDE-TO-INSIDE-WEBB




ip access-list extended TELEWORKER-TO-OUTSIDE
permit ip host 10.1.0.254 any


class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS
match access-group name TELEWORKER-TO-OUTSIDE


ip access-list extended OUTSIDE-TO-TELEWORKER
permit ip any host 10.1.0.254


class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS
match access-group name OUTSIDE-TO-TELEWORKER




policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-WEBB-CLASS
inspect




class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect




class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS
inspect


class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect




policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY
class type inspect TELEWORKER-TO-OUTSIDE-CLASS
inspect


policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY
class type inspect OUTSIDE-TO-TELEWORKER-CLASS
inspect


zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY


zone-pair security OUT-TELEWORKER source out-zone destination teleworker
service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY


zone-pair security TELEWORKER-OUT source teleworker destination out-zone
service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY




3) INSIDE TO OUTSIDE ZONE CONFIGURATION (USING CCP)

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
exit
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
exit
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
exit
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
exit
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
exit
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
exit
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
exit
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect match-all ccp-protocol-imap
match protocol imap
exit
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
exit
class-map type inspect aol match-any ccp-app-aol
match service text-chat
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
exit
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
exit
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
exit
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
exit
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
exit
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
exit
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
exit
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
exit
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
exit
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
exit
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect imap match-any ccp-app-imap
match invalid-command
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
exit
exit
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
exit
class type inspect msnmsgr ccp-app-msn
log
allow
exit
class type inspect ymsgr ccp-app-yahoo
log
allow
exit
class type inspect aol ccp-app-aol-otherservices
log
reset
exit
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
exit
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
exit
exit
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
exit
class type inspect http ccp-app-httpmethods
log
reset
exit
class type inspect http ccp-http-allowparam
log
allow
exit
exit
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
exit
class type inspect edonkey ccp-app-edonkeydownload
log
allow
exit
class type inspect fasttrack ccp-app-fasttrack
log
allow
exit
class type inspect gnutella ccp-app-gnutella
log
allow
exit
class type inspect kazaa2 ccp-app-kazaa2
log
allow
exit
exit
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
exit
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect ccp-permit
class class-default
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
service-policy http ccp-action-app-http
exit
class type inspect ccp-protocol-imap
no drop
inspect
service-policy imap ccp-action-imap
exit
class type inspect ccp-protocol-pop3
no drop
inspect
service-policy pop3 ccp-action-pop3
exit
class type inspect ccp-protocol-p2p
no drop
inspect
service-policy p2p ccp-action-app-p2p
exit
class type inspect ccp-protocol-im
no drop
inspect
service-policy im ccp-action-app-im
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
exit
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit


PostPosted: Tue Jan 22, 2013 11:35 pm 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hi ahmedahmed,

Since you can access .52 using RDP and FTP as well as HTTP using the public IP, it is very clear that the problem is not with the ZBFW.
Do you have a registered domain name? If so, is it working correctly from the Internet? Try to resolve the domain name from the Internet and see whether it resolves to the correct IP. Also, can you access .52 using ftp://aaa.com?
Quote:
- I don't have a NAT entry for my internal DNS server; however, I have opened up port 53 for it on the Zone Based Firewall.

Why did you allow port 53 from outside to inside? Do you really want the public to access your internal DNS server from outside?

Regards,
Tony

_________________
http://yadhutony.blogspot.com


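To make the two review points in this thread checkable, here is an added Python script (example code, not part of this thread and not any poster's configuration). It walks a zone-based firewall config from ACL to class-map to policy-map to zone-pair and lists what the outside zone may reach, flags port 53 and 3389 entries of the kind Tony and the earlier reply questioned, and reports match-all classes whose `match protocol` port never appears in their ACL (the HTTP/80 versus HTTPS/443 gap noted earlier): such a class can never match, so the traffic the ACL meant to allow falls to the zone-pair's default drop. The embedded config is a constructed, trimmed subset of the OUT-IN policy posted above; the OUTSIDE-TO-INSIDE-ALTWEB names, the built-in port table and the list of watched ports are assumptions made for this example.

```python
import re
from collections import defaultdict

# Ports of the built-in inspect protocols used in the thread's config (assumed table);
# user-defined 'ip port-map' names such as user-RDP are read from the config itself.
BUILTIN_PORTS = {"http": 80, "https": 443, "dns": 53, "ftp": 21, "smtp": 25}
WATCH_PORTS = {53: "internal DNS reachable from the Internet", 3389: "RDP open to any source"}

# Constructed sample: a trimmed subset of the thread's OUT-IN policy plus a constructed
# ALTWEB class that pairs 'match protocol http' with an ACL permitting only port 8080.
SAMPLE_CONFIG = """\
ip port-map user-RDP port tcp 3389
ip access-list extended OUTSIDE-TO-INSIDE-ALTWEB
permit tcp any host 10.0.0.23 eq 8080
ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit udp any host 10.0.0.1 eq 53
ip access-list extended OUTSIDE-TO-INSIDE-RDP
permit tcp any host 10.0.0.52 eq 3389
class-map type inspect match-all OUTSIDE-TO-INSIDE-ALTWEB-CLASS
match protocol http
match access-group name OUTSIDE-TO-INSIDE-ALTWEB
class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS
match protocol dns
match access-group name OUTSIDE-TO-INSIDE-DNS
class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS
match protocol user-RDP
match access-group name OUTSIDE-TO-INSIDE-RDP
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-ALTWEB-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS
inspect
class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS
inspect
zone-pair security OUT-IN source out-zone destination in-zone
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
"""

ACE_RE = re.compile(r"^permit (tcp|udp) any host (\S+) eq (\d+(?: \d+)*)$")  # 'eq 20 21' = two ports
HEADERS = {"acl": re.compile(r"^ip access-list extended (\S+)$"),
           "class": re.compile(r"^class-map type inspect match-(?:all|any) (\S+)$"),
           "policy": re.compile(r"^policy-map type inspect (\S+)$"),
           "zp": re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")}

def parse_config(text):
    """Build lookup tables from flattened IOS text; indentation is not required."""
    cfg = {"acls": defaultdict(list), "class_acl": {}, "class_proto": {},
           "policy_classes": defaultdict(list), "zone_pairs": {}, "port_maps": dict(BUILTIN_PORTS)}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line in ("!", "exit"):
            continue
        if m := re.match(r"^ip port-map (\S+) port (?:tcp|udp) (\d+)$", line):
            cfg["port_maps"][m.group(1)] = int(m.group(2))
            continue
        for kind, rx in HEADERS.items():
            if m := rx.match(line):  # section header; a zone-pair carries src/dst here
                section = (kind, m.group(1))
                if kind == "zp":
                    cfg["zone_pairs"].setdefault(m.group(1), {"src": m.group(2), "dst": m.group(3), "policy": None})
                break
        else:  # not a header: a statement inside the current section
            if section:
                _parse_body(cfg, section, line)
    return cfg

def _parse_body(cfg, section, line):
    kind, name = section
    if kind == "acl" and (m := ACE_RE.match(line)):
        for port in m.group(3).split():
            cfg["acls"][name].append((m.group(1), m.group(2), int(port)))
    elif kind == "class" and (m := re.match(r"^match (access-group name|protocol) (\S+)$", line)):
        cfg["class_acl" if m.group(1).startswith("access") else "class_proto"][name] = m.group(2)
    elif kind == "policy" and (m := re.match(r"^class type inspect (\S+)$", line)):
        cfg["policy_classes"][name].append(m.group(1))
    elif kind == "zp" and (m := re.match(r"^service-policy type inspect (\S+)$", line)):
        cfg["zone_pairs"][name]["policy"] = m.group(1)

def inbound_exposures(cfg, src_zone="out-zone"):
    """Sorted (dst zone, host, proto, port) tuples that the ACLs let src_zone reach."""
    rows = set()
    for zp in cfg["zone_pairs"].values():
        if zp["src"] != src_zone or zp["policy"] is None:
            continue
        for cls in cfg["policy_classes"].get(zp["policy"], []):
            for proto, host, port in cfg["acls"].get(cfg["class_acl"].get(cls), []):
                rows.add((zp["dst"], host, proto, port))
    return sorted(rows)

def flagged(cfg, src_zone="out-zone"):
    return [(r, WATCH_PORTS[r[3]]) for r in inbound_exposures(cfg, src_zone) if r[3] in WATCH_PORTS]

def mismatched_classes(cfg):
    """Classes whose 'match protocol' port is absent from their ACL: with match-all they never match."""
    bad = []
    for cls, acl in cfg["class_acl"].items():
        expected = cfg["port_maps"].get(cfg["class_proto"].get(cls))
        ports = {p for _, _, p in cfg["acls"].get(acl, [])}
        if expected is not None and ports and expected not in ports:
            bad.append((cls, cfg["class_proto"][cls], sorted(ports)))
    return bad
```

Feed the text of a saved running-config to parse_config and print the three results. The script only understands the flattened form used in this thread (indentation is ignored), and it skips the Layer 7 class-maps and policy-maps that CCP generates (the ones with http, imap, pop3, im or p2p after `type inspect`), so those do not disturb the zone-pair walk.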
PostPosted: Wed Jan 23, 2013 2:30 am 
New Member

Joined: Fri Dec 07, 2012 3:28 pm
Posts: 48
Certs: none
Hi Tony,
Thanks a lot for your reply.
I just created a static port entry for port 53 to my DNS server and got it working.
So now I can access my website.
OK, I will also remove the DNS port access for outside users.
Thanks.
Are you familiar with IPS? That is the next thing I want to set up on my router.


PostPosted: Wed Jan 23, 2013 5:29 am 
New Member

Joined: Mon Jul 09, 2012 6:58 am
Posts: 31
Hi ahmedahmed,

Happy to hear that it is working.
Refer to these documents for IPS: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/15-1mt/sec-cfg-ips.html#GUID-11DC7F04-F430-4226-9E75-2E7E5B3A8DB3 and http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html. I hope this helps you. If you run into any difficulty, feel free to start a new thread.

Regards,
Tony

_________________
http://yadhutony.blogspot.com

