topic Zone Based FW & SFTP in Network Security

Zone Based FW & SFTP

James Walsh — Mon, 11 Mar 2019 20:11:11 GMT

I have successfully depoyed a zone based firewall on an ISR and almost everything is working great. The only problem I am having is with SFTP not working. Any thoughts? Here is my config.

class-map type inspect match-any inside-outside-cmap

match protocol dns

match protocol http

match protocol https

match protocol ftp

match protocol icmp

policy-map type inspect inside-outside-pmap

class type inspect inside-outside-cmap

inspect

class class-default

drop

zone security outside

zone security inside

zone-pair security inside-outside source inside destination outside

service-policy type inspect inside-outside-pmap

Re: Zone Based FW & SFTP

padatta — Wed, 23 Mar 2011 09:46:37 GMT

Hi,

sFTP would use port 22 and all traffic would be encrypted. So the firewall will be unable to inspect this traffic.

Rather, lets try to 'pass' this traffic.

------------------------------

access-list 150 permit tcp any any eq 22

access-list 151 permit tcp any eq 22 any

class-map type inspect match-any sftp

match access-group 150

class-map type inspect sftp_return

match access-group 151

policy-map type inspect inside-outside-pmap

class type inspect sftp

pass

policy-map type inspect outside-sftp-inside

class type inspect sftp_return

pass

zone-pair security outside-inside source outside destination inside

service-policy type inspect outside-sftp-inside

end

------------------------------

Paps

Re: Zone Based FW & SFTP

James Walsh — Wed, 23 Mar 2011 16:38:18 GMT

Thanks Paps. I appled the class maps & rules you suggested and then applied them to my policy maps and all is fine... but here's the interesting thing.

they are running sftp on port 21 and I had the allowed in previous map, but it wasn't working and every time the kicked off a transfer it caused the router to crash. bug?

I added the rule you suggested but used port 21 and all is good. I am not sure why the router would crash. do you think it has something to do with trying to inspect and encrypted packed on an allowed port? new config.

access-list 150 permit tcp any any eq ftp

access-list 151 permit tcp any eq ftp any

class-map type inspect match-any sftp

match access-group 150

class-map type inspect match-all inside-outside-vpn-cmap

match access-group 111

class-map type inspect match-any sftp_return

match access-group 151

class-map type inspect match-any inside-outside-cmap

match protocol dns

match protocol http

match protocol https

match protocol ftp

match protocol icmp

match protocol tcp

match protocol pop3

match protocol udp

policy-map type inspect inside-outside-vpn-pmap

class type inspect sftp_return

pass

class type inspect inside-outside-vpn-cmap

inspect

class class-default

drop

policy-map type inspect inside-outside-pmap

class type inspect sftp

pass

class type inspect inside-outside-cmap

inspect

class class-default

drop

zone security outside

zone security inside

zone-pair security inside-outside source inside destination outside

service-policy type inspect inside-outside-pmap

zone-pair security outside-inside source outside destination inside

service-policy type inspect inside-outside-vpn-pmap

Re: Zone Based FW & SFTP

padatta — Thu, 24 Mar 2011 07:11:55 GMT

Hi James,

It seems the crash is related to inspecting encrypted traffic. But it could be for other reasons as well.

Here is a known issue though.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti67905

Would be best to open a TAC case to get to the root cause.

Thanks,

Paps