League of Legends and Cisco Zone-Based Firewall


TimHaynous

Junior Member

05-01-2013

I created this thread for people like me who have roommates who play LoL (or network engineers who actually play the game) and need a way to get the game to work on their ISR G2 router (like a Cisco 861, 881, 891, 1921, etc.) since port forwarding isn't done on a simple GUI interface.

There are a few ways I found to do this on the internets, mostly by doing some sort of NAT workaround, or disabling the zone-based firewall completely. Obviously this would suck to stick in 500+ statements for EVERY machine that needed to play LoL, and I didn't want to completely remove the firewall config, so I wanted to figure out the right way to do this.

To fully understand this, you probably need a minimum of a CCNA (for routing and switching) and CCNA Security certifications. For reference, my router is an 861 running IOS 12.4(22)T4. The base firewall configuration was done from Cisco Configuration Professional (because I'm lazy) using the "Low" security setting (so things like torrents and IM clients still work).

After doing the base config and running CCP to add the firewall config, I went to firebind.com to find out why LoL still didn't work and found that TCP port 2099 was not opening properly.

This guide will focus on how I got port 2099 to work, but can be used as a template for doing any other type of "port-forwarding" on a real Cisco router.

Obviously, since this guide is for a zone-based firewall, it does not apply to older routers that can only do the Classic Firewall.

This guide is written in a top-down format; if you prefer bottom-up, start at the bottom of the post.

For reference, the interface configurations:
interface FastEthernet4
 ip address dhcp
 ip nat outside
 zone-member security out-zone

interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 zone-member security in-zone

As you can see from above, Vlan1 is my NAT inside and my internal network pool, and also a member of the zone named "in-zone". The Fa4 is my untrusted NAT outside interface, connected to Comcast with a DHCP address and a member of the zone named "out-zone".

The zone pairs:
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn

As you can see, the traffic flowing from inside to outside is using the ccp-inspect policy map, and traffic from outside to inside is using the ccp-pol-outToIn policy map.

For the sake of brevity, here is only what I added to those policy maps:
policy-map type inspect ccp-inspect
 class type inspect LOL-in2out-CM
  pass
policy-map type inspect ccp-pol-outToIn
 class type inspect LOL-out2in-CM
  pass

Obviously, I could have implemented it using a single class map for both directions, but I chose to implement it with two class maps.

Here are how the class maps are configured:
class-map type inspect match-any LOL-in2out-CM
 match access-group name LOL-in2out-AL
class-map type inspect match-any LOL-out2in-CM
 match access-group name LOL-out2in-AL

So I'm matching based on the access lists shown above. Once again, I could have done this with a single access list, but I made a design decision to use two access lists.

Lastly, here are the access lists:
ip access-list extended LOL-in2out-AL
 permit tcp any host 216.133.234.22 eq 2099
ip access-list extended LOL-out2in-AL
 permit tcp host 216.133.234.22 eq 2099 any

So I am permitting port 2099 ONLY to the LoL PVP server in North America. The only potential security threat that I foresee with this implementation is that a packet with a spoofed IP address of the LoL NA server could come in, but they would have to know exactly which port gets mapped to the end client, and since everything is NAT'd, that would be difficult to guess, and even if they could... what would they do? I suppose it's technically still a "security threat", but not a big one - technically that threat is even worse on a SOHO router which will just blindly open that port to anyone, so I don't think this is too bad.

For reference, I am attaching my whole config (with any private information removed) so that you can see the whole firewall config, or if you just want a good way to get an 861 up and running with basic security.

And if anyone wants to point out that I'm using unencrypted passwords... it's my network, I'll do as I please.
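An added audit helper (not part of the post above or of Cisco IOS) that follows the zone-pair -> policy-map -> class-map -> access-list chain the post walks through and lists every ACL entry that is let through with "pass", i.e. without stateful inspection. The sample config is constructed in the shape of the post's out-to-in chain, with a deliberately over-broad second ACE added so the check has something to flag; the zone names "out-zone"/"in-zone" are assumed from the post.

```python
import re

# Constructed sample in the shape of the post's out->in chain; the second ACE
# (permit from any host) is NOT in the post and is there to be flagged.
SAMPLE = """\
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
policy-map type inspect ccp-pol-outToIn
 class type inspect LOL-out2in-CM
  pass
class-map type inspect match-any LOL-out2in-CM
 match access-group name LOL-out2in-AL
ip access-list extended LOL-out2in-AL
 permit tcp host 216.133.234.22 eq 2099 any
 permit tcp any eq 2099 any
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level parent command."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def pass_entries(config):
    """(zone_pair, 'src->dst', acl, ace) for every ACE reached via a 'pass' action."""
    zp, pm, cm, acl = {}, {}, {}, {}
    for head, body in parse_blocks(config):
        w = head.split()
        if head.startswith("zone-pair security"):
            pol = [b.split()[-1] for b in body if b.startswith("service-policy")]
            zp[w[2]] = (f"{w[4]}->{w[6]}", pol[0] if pol else None)
        elif head.startswith("policy-map type inspect"):
            pm[w[-1]], cur = {}, None
            for b in body:
                if b.startswith("class type inspect"):
                    cur = b.split()[-1]
                elif cur and b in ("pass", "inspect", "drop"):
                    pm[w[-1]][cur] = b          # action applied to that class
        elif head.startswith("class-map type inspect"):
            cm[w[-1]] = [b.split()[-1] for b in body if "access-group" in b]
        elif head.startswith("ip access-list"):
            acl[w[-1]] = [b for b in body if b.startswith("permit")]
    return [(name, d, a, ace) for name, (d, pol) in zp.items()
            for cls, act in pm.get(pol, {}).items() if act == "pass"
            for a in cm.get(cls, []) for ace in acl.get(a, [])]

def broad_inbound_passes(config):
    """'pass' ACEs on the out-zone->in-zone pair whose source is 'any': unlike the
    single-host entry in the post, these skip inspection for every Internet host."""
    return [e for e in pass_entries(config)
            if e[1].startswith("out-zone") and re.match(r"permit \S+ any\b", e[3])]
```

Run it against a real `show running-config` dump to confirm that only the intended host/port pairs are passed uninspected in the inbound direction.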



slingrrr

Junior Member

05-04-2013

This is awesome. I recently threw in a 2811 as my edge at home and have been missing out on LoL all week until I had the time to look up the proper rules configurations. Thanks a tonne TimHaynous!



Tohsh

Junior Member

09-19-2014

Thank you TimHaynous, you are the man!