Hi all. Recently I came to learn through trying to configure my 891 router that when configuring the zone-based firewall to protect SSH access to the router from the Internet, you cannot use match protocol ssh in the class map and apply an inspect action to this via the corresponding policy map. Application-level inspection is not supported when involving the Self zone of the firewall.
Yet if I simply set an access list, allowing port 22 to the router, and applying inspect to that, it works fine.
My question is what is the difference between "match protocol ssh" and an access that is called via the match access-group name XYZ access list?
Can't find this one in the Cisco docs I've read to date, and based on that something tells me this topic isn't going to be easy to research so I hope somebody has come across this query before.
This problem you are dealing with is a bug and not exactly a difference between match protocol and access list.
This issue is seen if the class-map in the policy-map uses match protocol and the protocol is not in the list of supported protocols for the self zone. This issue is seen even with the pass action.
In other words; it is a bug and not a difference between match protocol and access list.
Please rate helpful posts.
The difference between matching the protocol vs. matching the protocol using an ACL is that when using "match protocol ssh" you are using Network Based Application Recognition (NBAR), which is an application recognition mechanism. When you are using the ACL you are simply matching the port number (22).
So using NBAR is much safer, because it mitigates attacks where you use a protocol on a different port than it was designed to use. But it is what it is: you can't use protocol inspection when the traffic is destined for the self zone (except for TCP, UDP, ICMP), and for your information and for julomban's information, it's not a bug.
Hope that helps
A very good way to find out more about ZFW:
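The ACL-based variant that the thread says works against the self zone, written out as an added example (not configuration posted by anyone in this thread). The interface name GigabitEthernet0, the zone names and the management subnet 192.0.2.0/24 are constructed placeholders; since the ACL only matches port 22 rather than recognising SSH, the source is narrowed to management hosts to compensate for what NBAR would otherwise provide.

```cisco
! Match SSH to the router by port number only (no NBAR), restricted to a
! constructed management subnet; "permit tcp any any eq 22" would match the
! port from anywhere.
ip access-list extended SSH-TO-SELF
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
!
! Port-based class map. Using "match protocol ssh" here instead would invoke
! NBAR, which the thread reports is rejected for the self zone with inspect.
class-map type inspect match-all CM-SSH-SELF
 match access-group name SSH-TO-SELF
!
! Inspect the matched sessions; everything else towards the router is dropped
! and logged, so unexpected management access attempts show up in syslog.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-SSH-SELF
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
!
interface GigabitEthernet0
 zone-member security OUTSIDE
!
! The self zone is built in; only the zone pair towards it needs the policy.
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
```

Verify with "show policy-map type inspect zone-pair OUT-TO-SELF", which lists the class and the inspect session counters once an SSH connection from the management subnet is established.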