topic Re: How to allow SSH into Zone Based Firewall? in Network Security

How to allow SSH into Zone Based Firewall?

mramirez — Mon, 11 Mar 2019 15:08:32 GMT

I am stuck in trying to figure out on how to allow a ssh connection from the outside to the wan uplink on my firwall. I just recently converted to the zone based. I have tried adding all different types of ways but no luck. Can someone help me out?

Let's say I wanted to configure a specific ip address from the internet to access the router only thru ssh.

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 18:15:31 GMT

Hi MANNY,

Just add commands I provided.

class-map type inspect match-all SSH

match protocol ssh

policy-map type inspect sdm-permit

class type inspect SSH

inspect

You may filter hosts to access this device by adding ACLs into into the class-map.

Please let us know how things work out.

HTH,

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 18:51:04 GMT

Hi Toshi,

First of all thanks for your suggestions. I tried what you suggested but got an error. Here is the exact copy from the router. Since it did not like the inspect command I tried pass but that did not work either. Any other suggestions?

Manny-2691(config)#class-map type inspect match-all SSH

Manny-2691(config-cmap)#match protocol ssh

Manny-2691(config-cmap)#!

Manny-2691(config-cmap)#policy-map type inspect sdm-permit

Manny-2691(config-pmap)#class type inspect SSH

Manny-2691(config-pmap-c)#inspect

%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry

Manny-2691(config-pmap-c)#

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 19:03:05 GMT

Hi Manny,

Sorry That was my fault. It should be like this.

Manny-2691(config-pmap)#class type inspect SSH

Manny-2691(config-pmap-c)#pass

HTH,

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 19:15:18 GMT

Hi Toshi,

The pass did not work either. Here is what I have in the config so far. I have attached a snapshot from SDM to see if it makes any sense.

Thanks for your help by the way. I am currently studying for my CCNA Security and is bugging the heck out of me.

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 103

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 102

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any SDM-Voice

match protocol h323

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all SSH

match protocol ssh

class-map type inspect match-all GRE

match access-group 104

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-invalid-src

match access-group 101

class-map type inspect match-all sdm-protocol-http

match protocol http

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

inspect

class type inspect SDM-Voice

inspect

class class-default

pass

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class type inspect GRE

pass

class class-default

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

drop log

class type inspect sdm-insp-traffic

inspect

class type inspect sdm-protocol-http

inspect

class type inspect SDM-Voice-permit

inspect

class class-default

pass

policy-map type inspect sdm-permit

class type inspect SDM_VPN_PT

pass

class type inspect SDM-Voice

inspect

class type inspect SSH

pass

class class-default

drop log

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 19:36:05 GMT

Hi Manny,

When you are trying to do SSH to the router then what's the exact error you got?

Edit: What is the exact ip address you are trying to use as a source ip address to do ssh to the router?

####################

access-list 105 remark VTY Access-class list

access-list 105 remark SDM_ACL Category=1

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 192.168.2.0 0.0.0.255 any

####################

For testing :

line vty 0 4

No access-class 105 in

Please let me know.

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 19:41:49 GMT

Hi,

I got the error below when I tried putting the inspect command on the router under the policy-map. It did not like the inspect, so I tried the pass but that is still not letting me ssh into the router from a remote ip address. Here was the error.

%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry.

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 19:46:25 GMT

Manny,

Well, It has to be "PASS".

What's the exact source ip address you are trying to do ssh to the router?

Let's see my previous post

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 19:57:22 GMT

Ok here is the updated config. I have list the source IP in the access-list 105 for the VTY. It starts off with 99.xxxx.

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 20:02:20 GMT

Manny,

Without using Zone Base Firewall. Did you ever access the router by using SSH protocol? I've not seen any crypto key generated by the router.

Pleas let me know

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 20:10:11 GMT

Toshi,

Yes, I have verified that the crypto keys are generate using the command "sh crypto key mypubkey rsa" or using the SDM. I have not been able to SSH using this configuration. If I use a simple config from scratch, I can. But when I start adding all the policys and class maps that's when I can't get back in.

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 20:20:29 GMT

Many,

Here is my last hope. let's try this first

policy-map type inspect sdm-permit

no class type inspect SSH

ip access-list extended SSH

permit tcp any any eq 22

class-map type inspect match-any SSH

match access-group name SDM_SSH

policy-map type inspect sdm-permit

class type inspect SSH

pass

policy-map type inspect sdm-permit

no class type inspect SSH

ip access-list extended SSH

permit tcp any any eq 22

class-map type inspect match-any SSH

match access-group name SSH

class-map type inspect match-any access-to-router

match class-map SSH

policy-map type inspect sdm-permit

class type inspect access-to-router

inspect

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 20:42:11 GMT

Toshi! You are a genius dude! The second option worked beautifully! I really appreciate your help.

Is there a book/resource that you used to learn this? I am going thu my CCNA security exam and it doesn't go to much into detail on Zone firewalls. I did buy the Cisco Deploying Zone-Based Firewalls book, but did not show an example of ssh access.

Now all that is left is allowing webserver/mail/ftp. Do you have any quick examples of that?

Thank again.

Manny

Re: How to allow SSH into Zone Based Firewall?

Thotsaphon Lueangwattanaphong — Sun, 22 Mar 2009 21:06:02 GMT

Manny,

Please check this link out. It may helps you.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html

I'm now sleepy head. (grin)@4am.

Toshi

Re: How to allow SSH into Zone Based Firewall?

mramirez — Sun, 22 Mar 2009 21:11:38 GMT

Thanks again!

Re: How to allow SSH into Zone Based Firewall?

FredDenHeijer — Mon, 23 Mar 2009 11:36:15 GMT

Does this also count for snmp because it seems that snmp is also blocked by default

Re: How to allow SSH into Zone Based Firewall?

mramirez — Mon, 23 Mar 2009 12:48:16 GMT

Hi Fred,

I guess it depends if your using snmp in the inside or outside?

Re: How to allow SSH into Zone Based Firewall?

FredDenHeijer — Mon, 23 Mar 2009 14:10:43 GMT

I'm trying to get it working from the outside. I wasn't able to connect with the Cisco 871 from the outside with ssh but that is functioning know due to your solution. I was wondering if this also the case with monitoring from the outside because we want to monitor customers remotely.

Re: How to allow SSH into Zone Based Firewall?

mramirez — Mon, 23 Mar 2009 14:16:32 GMT

I will try it later on tonight and let you know. I am fairly new to Zone-Based Firewalls. I would think to follow the same concept of ssh as in th example above. Post your config and maybe Toshi can comment on it.

Re: How to allow SSH into Zone Based Firewall?

FredDenHeijer — Mon, 23 Mar 2009 14:55:25 GMT

here is my config;