Welcome to Cisco Firewalls Community
Contributor

Can't access router via SSH or VPN with ZBF

I have two problems:

1) Can't SSH to the router remotely; this line in IP-SELF is supposed to be allowing that: permit tcp host X.X.X.X any eq 22

2) Over a VPN tunnel, I can ping the router but can't telnet or SNMP to it. This is an ASA-to-router IPsec tunnel; the tunnel is up, as traffic not destined to self passes fine. This is the error: Aug 18 15:33:10.191: %FW-6-LOG_SUMMARY: 2 packets were dropped from RemoteVPNIP:33599 => SelfIP:23 (target:class)-(out-self:class-default) . The following line in IP-SELF is supposed to allow this: permit ip 10.0.0.0 0.0.0.255 any

Relevant configuration is below. I am about 99% sure I have some redundancies here I don't need.

Thanks in advance for assistance.

class-map type inspect match-all ICMP-SELF
 match protocol icmp
class-map type inspect match-any IP-SELF
 match access-group name IP-SELF
class-map type inspect match-all VPN-SELF
 match access-group name VPN-SELF
!
!
policy-map type inspect PUBLIC-TO-SELF
 class type inspect IP-SELF
  inspect
 class type inspect ICMP-SELF
  pass
 class type inspect VPN-SELF
  pass
 class class-default
  drop
!
zone-pair security out-self source public destination self
 service-policy type inspect PUBLIC-TO-SELF
!
ip access-list extended IP-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp host X.X.X.X any eq 22
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit udp any any eq ntp
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN-SELF
 permit eigrp any any
 permit gre any any
 permit esp any any
 permit ahp any any

Cisco Employee
Does it work without the ZBFW? Just want to double check that you don't have access-class configured on VTY line that prevents the access.

Also, would like to confirm that the remote subnet is actually 10.0.0.x, not 10.x.x.x, right?

Contributor
Yes, there is no access-class on the VTY. The remote subnets are all 10.X.X.X. I have the correct wildcard mask for that, don't I?

Cisco Employee
For 10.x.x.x, wildcard mask should be 0.255.255.255

Hope that resolves the issue.
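As an added example, not part of this thread: a small Python evaluator of IOS extended-ACL wildcard matching that shows why the posted IP-SELF entry drops telnet from a 10.x.x.x VPN host and why the 0.255.255.255 wildcard from the reply permits it. The admin host 203.0.113.10 (standing in for X.X.X.X), the remote host 10.5.6.7 and the router address 192.0.2.1 are constructed placeholders.

```python
import ipaddress

# Named ports appearing in the posted ACL (constructed lookup, not an IOS table).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def ace_matches(ace, proto, src, dst, dport):
    """One extended ACE vs. a packet; honours 'eq PORT' on the destination, ignores ICMP type keywords."""
    tokens = ace.split()
    if tokens[1] not in ("ip", proto):
        return False
    s_base, s_wc, rest = _parse_addr(tokens[2:])
    d_base, d_wc, rest = _parse_addr(rest)
    if rest[:1] == ["eq"]:
        wanted = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        if dport != wanted:
            return False
    return wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc)

def acl_permits(acl, proto, src, dst, dport):
    """First match wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.split()[0] == "permit"
    return False

# IP-SELF as posted; 203.0.113.10 is a constructed stand-in for the admin host X.X.X.X.
IP_SELF_POSTED = [
    "permit udp any any eq isakmp", "permit udp any any eq non500-isakmp",
    "permit icmp any any unreachable", "permit icmp any any time-exceeded",
    "permit tcp host 203.0.113.10 any eq 22", "permit icmp any any echo",
    "permit icmp any any echo-reply", "permit icmp any any traceroute",
    "permit gre any any", "permit udp any any eq ntp", "permit ip 10.0.0.0 0.0.0.255 any",
]
# Same list with the last entry's wildcard widened to 0.255.255.255, as the reply suggests.
IP_SELF_FIXED = IP_SELF_POSTED[:-1] + ["permit ip 10.0.0.0 0.255.255.255 any"]

def telnet_from_remote(acl, remote_ip="10.5.6.7", self_ip="192.0.2.1"):
    """Telnet (tcp/23) from a remote VPN host to the router: the flow in the logged drop."""
    return acl_permits(acl, "tcp", remote_ip, self_ip, 23)
```

With the posted wildcard only 10.0.0.0/24 sources reach the permit line, so a 10.5.6.7 source falls through to the implicit deny and is logged against class-default.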