https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494032#M712115 <HTML><HEAD></HEAD><BODY><P>You can try to capture packets to the router. If you can ping it and you see no SYN-ACK coming back probably the router is dropping traffic and it is&nbsp; ZBF.</P><P>The "sh log | i FW" will show you what ZBF says for packets it sees and drops.</P><P></P><P>PK</P></BODY></HTML> Thu, 06 May 2010 17:13:10 GMT Panos Kampanakis 2010-05-06T17:13:10Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494027#M712110 <P>I am having an unusual issue.&nbsp; I think I set up the zone security correctly to permit any IP from the out-zone to connect to the router via SSH and HTTPS, but my connections from the out-zone just time out.&nbsp; The relevant portions of the config is attached.&nbsp; Please help, I have been banging my head on the wall regarding this for some time now.&nbsp; Thanks.</P> Mon, 11 Mar 2019 17:41:40 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494027#M712110 kietung888 2019-03-11T17:41:40Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494028#M712111 <HTML><HEAD></HEAD><BODY><DIV class="jive-rendered-content"><P>Your out to self zone pair seems to be inspecting tcp ports 22 and 443, so it all looks fine!</P><P>I am not sure why it is failing.</P><P>Maybe no self signed cert on the router?</P><P>You can also enable "ip inspect log drop" and check the logs to see if ZBF is for some reason dropping your TCP conn attempts.</P><P></P><P>I hope it helps you move forward.</P><P></P><P>PK</P></DIV></BODY></HTML> Wed, 05 May 2010 21:07:14 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494028#M712111 Panos Kampanakis 2010-05-05T21:07:14Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494029#M712112 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to manage the router using ssh/telnet/http, you need to define the traffic under out-to-self policy. Please make the following changes:</P><P></P><P>class-map type inspect match-any manage<BR /> match protocol tcp<BR />policy-map type inspect ccp-permit <BR /> class type inspect manage<BR />&nbsp; inspect<BR />no class type inspect sdm-cls-ccp-permit-3 <BR />no class type inspect SDM_VPN_PT&nbsp; <BR />no class type inspect RemoteConnections<BR />class type inspect sdm-cls-ccp-permit-3<BR />&nbsp; inspect <BR /> class type inspect SDM_VPN_PT<BR />&nbsp; inspect <BR /> class type inspect RemoteConnections<BR />&nbsp; inspect</P><P></P><P>If it still fails, enable "ip inspect log drop-pkt" and send me the logs so that we can see in which class the traffic gets dropped.</P><P></P><P>HTH</P><P></P><P>Ashu</P></BODY></HTML> Wed, 05 May 2010 21:15:23 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494029#M712112 astripat 2010-05-05T21:15:23Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494030#M712113 <HTML><HEAD></HEAD><BODY><P>Thanks for looking at the config.&nbsp; Did some more testing and even when I remove the interface from the zones and used the traditional acl based method of inspection, it still did not work.&nbsp; I used the following:</P><P></P><P>ip inspect test01</P><P>inspect tcp</P><P>inspect udp</P><P>inspect icmp</P><P></P><P>ip access-list ext test02 permit tcp any any eq 22</P><P>ip access-list ext test02 permit tcp any any eq 443</P><P></P><P>int fa0</P><P>ip nat outside</P><P>ip access-group test02 in</P><P>ip inspect test01 out</P><P></P><P>int bvi1</P><P>ip nat inside</P><P></P><P></P><P>I even tried opening everything from out-zone to self and it didn't work as well.&nbsp; Even tried upgrading the IOS to the 15 line.&nbsp; I could SSH and SSL VPN to the router from inside so I do not think it is an issue with the certificate.</P><P></P><P>Pretty sure the problem is not with the circuit.&nbsp; We upgraded to business class cable modem and even when I connected a laptop directly to the outside interface of the router, I was still not able to connect.&nbsp; Has anyone seen this before?&nbsp; Could it be defective hardware?</P></BODY></HTML> Wed, 05 May 2010 21:16:55 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494030#M712113 kietung888 2010-05-05T21:16:55Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494031#M712114 <HTML><HEAD></HEAD><BODY><P>I think that is how I have it configured currently.&nbsp; Here is an excerpt from my config:</P><P></P><P></P><P>zone-pair security ccp-zp-out-self source out-zone destination self<BR /> service-policy type inspect ccp-permit</P><P></P><P>policy-map type inspect ccp-permit<BR /> class type inspect sdm-cls-ccp-permit-3<BR />&nbsp; inspect <BR /> class type inspect SDM_VPN_PT<BR />&nbsp; inspect <BR /> class type inspect RemoteConnections<BR />&nbsp; inspect <BR /> class class-default<BR />&nbsp; drop</P><P></P><P>class-map type inspect match-any RemoteConnections<BR /> match access-group 113</P><P></P><P>access-list 113 permit tcp any any eq 22<BR />access-list 113 permit tcp any any eq 443</P><P></P><P>class-map type inspect match-all sdm-cls-ccp-permit-3<BR /> match class-map ICMPAllow<BR /> match access-group name AllowICMP</P><P></P><P>ip access-list extended AllowICMP<BR /> remark CCP_ACL Category=128<BR /> permit ip any any</P><P></P><P>class-map type inspect match-any ICMPAllow<BR /> match protocol icmp</P><P></P><P>class-map type inspect match-all SDM_VPN_PT<BR /> match access-group 103</P><P></P><P>access-list 103 permit ip host x.x.x.x any</P><P></P><P></P><P>I was unable to inspect a class map that matched a protocol to the self zone.&nbsp; So I had to create an ACL to perform that function.&nbsp; At one point, I changed access-list 113 to permit ip any any and it still did not work.&nbsp; Ip inspect log drop-pkt is enabled, I will have to gather up the logs the next time I am there.</P><P></P><P>Any other thoughts?</P></BODY></HTML> Wed, 05 May 2010 21:32:16 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494031#M712114 kietung888 2010-05-05T21:32:16Z https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494032#M712115 <HTML><HEAD></HEAD><BODY><P>You can try to capture packets to the router. If you can ping it and you see no SYN-ACK coming back probably the router is dropping traffic and it is&nbsp; ZBF.</P><P>The "sh log | i FW" will show you what ZBF says for packets it sees and drops.</P><P></P><P>PK</P></BODY></HTML> Thu, 06 May 2010 17:13:10 GMT https://community.cisco.com/t5/network-security/unable-to-access-1811w-router-from-the-internet/m-p/1494032#M712115 Panos Kampanakis 2010-05-06T17:13:10Z