What does "ret_val 5" mean when using SSH and NAT

pbratach1 — Tue, 12 Mar 2019 03:11:40 GMT

Hi,

I have a CIsco 2921 running IOS 15.3-3.M1. I am trying to create a zone based firewall rule to permit ssh traffic from any host outside my network to use NAT to forward port 8222 to 22 to connect to a specific server inside my network (192.168.10.10). The GigabitEthernet 0/0 address of my 2921 is 123.123.123.93 (I've modified the first 3 octets for this post) with netmask 255.255.255.252. Our Comcast modem is at IP address 123.123.123.94.

My class-map, policy-map and zone information are:

class-map type inspect match-any OUTSIDE_TO_INSIDE

description Outside to Inside traffic

match access-group name outside_to_inside

class-map type inspect match-any INSIDE_TO_OUTSIDE

match protocol dns

match protocol icmp

match protocol https

match protocol http

match protocol ssh

policy-map type inspect OUTSIDE_TO_INSIDE

description Outside to Inside traffic

class type inspect OUTSIDE_TO_INSIDE

inspect

class class-default

drop

policy-map type inspect INSIDE_TO_OUTSIDE

description Inside to Outside traffic

class type inspect INSIDE_TO_OUTSIDE

inspect

class class-default

drop log

zone security INSIDE

description Office LAN

zone security OUTSIDE

description Internet

zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE

service-policy type inspect OUTSIDE_TO_INSIDE

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect INSIDE_TO_OUTSIDE

My interface configuration is:

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

description $FW_OUTSIDE$

ip address 123.123.123.93 255.255.255.252

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

interface GigabitEthernet0/1

description $FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

interface GigabitEthernet0/2

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

no mop enabled

interface Vlan1

no ip address

shutdown

My NAT information is:

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222

ip route 0.0.0.0 0.0.0.0 123.123.123.94

My access-list information is:

ip access-list extended outside_to_inside

permit tcp any any eq 8222

permit tcp any eq 8222 any

permit tcp any any eq 22

permit tcp any eq 22 any

access-list 101 permit ip any any

When I try to ssh to 123.123.123.93 using the command "telnet 123.123.123.93 8222", I receive the following error on the router:

Dec 2 23:09:36.191: FIREWALL*: NEW PAK 30948028 (0:123.123.123.94:45648) (0:192.168.10.10:22) tcp

Dec 2 23:09:36.191: FIREWALL*: PASS 0x1B feature object found

Dec 2 23:09:36.191: FIREWALL*: ret_val 5 is not PASS_PAK

Dec 2 23:09:36.607: FIREWALL: FW CCE got packet 0x306BD97C in process path

Dec 2 23:09:36.607: FIREWALL: ret_val 0 is not PASS_PAK

Dec 2 23:09:36.607: FIREWALL: Router gen or router destined pak 0x306BD97C, let it pass

The NAT configuration looks good:

dts2921#sho ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 123.123.123.93:8222 192.168.10.10:22 123.123.123.94:45649 123.123.123.94:45649

tcp 123.123.123.93:8222 192.168.10.10:22 --- ---

tcp 123.123.123.93:1723 192.168.10.10:1723 --- ---

However, the telnet returns without connecting to the 192.168.10.10 server.

I have not found anything helpful to determine what this means when searching Google. Can someone please help me understand this and also how to configure my firewall to make this work. Any help will be greatly appreciated.

Thanks,

Paul

Message was edited by: Paul Bratach Pasted the actual interface configuration, since I pasted the map and zone information twice by mistake.

What does "ret_val 5" mean when using SSH and NAT

lcambron — Tue, 03 Dec 2013 18:01:55 GMT

Hello Paul,

I could not find what it means either, however I can see from out to in you configured a "pass" action and from inside to outside a inspect action.

You need to either configure pass for both directions or configure inspect in the direction the connection is started.

Can you try this:

policy-map type inspect OUTSIDE_TO_INSIDE

class type inspect OUTSIDE_TO_INSIDE

no pass

inspect

Regards,

Felipe.

Remember to rate useful posts.

What does "ret_val 5" mean when using SSH and NAT

pbratach1 — Mon, 09 Dec 2013 21:14:41 GMT

Felipe,

Thanks for the reply. I was able to get it working by changing my access list from:

ip access-list extended outside_to_inside

permit tcp any any eq 8222

permit tcp any eq 8222 any

permit tcp any any eq 22

permit tcp any eq 22 any

to:

ip access-list extended outside_to_inside

permit tcp any host 192.168.10.10 eq 22

Thanks for your help.

Paul

What does "ret_val 5" mean when using SSH and NAT

Julio Carvajal — Tue, 10 Dec 2013 01:03:10 GMT

Hello Paul,

I was going to suggest you that :

" Remove the ACL and create a new one pointing to the private address space as ZBFW checks any NAT and ACL before the Inspection"

That being said it should also have worked before as you had:

permit tcp any any eq 22

Which matches the traffic but the FW might got a weird behavior with the configuration you posted.

At least you know now, always point to the private one

Please mark the question as answered

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

topic What does "ret_val 5" mean when using SSH and NAT in Network Security

What does "ret_val 5" mean when using SSH and NAT

What does "ret_val 5" mean when using SSH and NAT

What does "ret_val 5" mean when using SSH and NAT

What does "ret_val 5" mean when using SSH and NAT