https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113474#M394976 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>But I think I should be setting this to <STRONG style="border-collapse: collapse; list-style: none;">match-all </STRONG>and not match-any if I want it to allow the ssh protocol from only my IP, correct? </P><P>Exactly you are getting it now <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> It needs to be a match all....</P><P></P><P>Regarding the ACL should be like this:</P><P></P><P>access-list SSH</P><P>permit tcp host outside_user_ip host router_outside_interface eq 22</P><P></P><P></P><P>Regards,</P></BODY></HTML> Thu, 29 Nov 2012 01:33:54 GMT Julio Carvajal 2012-11-29T01:33:54Z https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113473#M394975 <P>Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has.&nbsp; It is applied to a policy map for ssh access from the Internet to the router for management: </P><P></P><P>class-map type inspect <STRONG>match-any </STRONG>SSH</P><P>match protocol ssh</P><P>match access-group name SSH</P><P></P><P>The access list with the name "SSH" just allows certain public IP network blocks.&nbsp; </P><P></P><P>But I think I should be setting this to <SPAN style="text-decoration: underline;"><STRONG>match-all</STRONG></SPAN> and not match-any if I want it to allow the ssh protocol from only my IP, correct?&nbsp; </P><P></P><P>Also just to ensure I am not confused about proper creation of the ACL.&nbsp; The ACL with the name SSH I've given is as follows: </P><P></P><P>ip access-list extended SSH</P><P>permit tcp xx.xx.0.0 0.255.255.255 any eq 22</P><P>permit tcp xx.xx.0.0 0.7.255.255 any eq 22</P><P>permit tcp xx.xx.0.0 0.255.255.255 any eq 22</P><P></P><P>First, am I being redundant in the class map by telling it to match protocol ssh and also specifiying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?&nbsp; </P><P></P><P>\</P> Tue, 12 Mar 2019 00:29:39 GMT https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113473#M394975 cluovpemb 2019-03-12T00:29:39Z https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113474#M394976 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>But I think I should be setting this to <STRONG style="border-collapse: collapse; list-style: none;">match-all </STRONG>and not match-any if I want it to allow the ssh protocol from only my IP, correct? </P><P>Exactly you are getting it now <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> It needs to be a match all....</P><P></P><P>Regarding the ACL should be like this:</P><P></P><P>access-list SSH</P><P>permit tcp host outside_user_ip host router_outside_interface eq 22</P><P></P><P></P><P>Regards,</P></BODY></HTML> Thu, 29 Nov 2012 01:33:54 GMT https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113474#M394976 Julio Carvajal 2012-11-29T01:33:54Z https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113475#M394977 <HTML><HEAD></HEAD><BODY><P> Ok I set it to match-all.&nbsp; However with the ACL, my office connection is on dynamic IP and so my ISP asigns IP in the address blocks that I've put into there.&nbsp; </P><P></P><P>But now for the part about the router_outside_interface.&nbsp; Setting this instead of saying "any" won't have problems iwth say, VPN or NAT or whatever else?&nbsp; it's simplying saying that ssh will go to the outside interface and that's that?&nbsp; </P></BODY></HTML> Fri, 30 Nov 2012 17:54:38 GMT https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113475#M394977 cluovpemb 2012-11-30T17:54:38Z https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113476#M394978 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>So dinamic Ip address ,got it.. Then you will need to do it as you have it before...</P><P></P><P>Correct,as it will be from out to self</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helpful posts</P></BODY></HTML> Fri, 30 Nov 2012 19:28:18 GMT https://community.cisco.com/t5/network-security/ios-firewall-what-is-this-class-map-doing/m-p/2113476#M394978 Julio Carvajal 2012-11-30T19:28:18Z