cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1390
Views
0
Helpful
3
Replies

Access list issue with NAT vs route-map on IOS Zone based firewall

amajmgcisco
Level 1
Level 1

Hi All,

 

First of all thanks for taking time to read my issue.

My problem is as follows:

We have a zone-based firewall and we are using NAT to be able to reach a server on port 22. This is working fine but off course other people are being curious about this open port as well so we get a lot of SSH connections request. The software on the server blocks this traffic,but I would like ALL traffic to be blocked, except for some addresses list in an ACL.

So, we have NAT running on port 22. When I connect to the public address, I'm forwarded to the destination server. Unfortunately the ACL seems to be ignored, everyone else is able to TRY to connect. This traffic must be blocked for any other IP, expect a few listed in the ACL.

I'm not very experienced, but unfortunately I'm the designated person to get this job done. Forgive me if the config is a bit messy... clean up will be planned. THANKS! Please find some parts of the config below.

 

class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
class-map type inspect match-all sdm-nat-http-2
match access-group 105
match protocol http
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SFTP
match access-group 130
match access-group 131
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name test
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
match access-group 130
match access-group 131
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-all DNS
match protocol dns
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any SFTP_Return
match access-group 131
match access-group 130
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all sdm-nat-https-2
match access-group 105
match protocol https
class-map type inspect match-all sdm-nat-ssh-1
match access-group 104
match protocol ssh
match access-group 130
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect SFTP_Return
pass log
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-https-2
inspect
class type inspect sdm-nat-ssh-1
inspect
class type inspect SFTP
inspect
class type inspect DNS
pass log
class class-default
drop log
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
!

!
interface GigabitEthernet0/0
description J
ip address 10.0.0.1 255.255.255.0 

no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
no glbp 10 forwarder preempt
duplex auto
speed auto
vlan-range dot1q 1 110
exit-vlan-config
!
vrrp 20 description VRRP
vrrp 20 ip 10.10.10.11
vrrp 20 priority 250
no mop enabled
!
interface GigabitEthernet0/1
description 
ip address xxx.xxx.xxx.xxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
vrrp 10 description VRRP
vrrp 10 ip 10.10.10.10
vrrp 10 priority 250
no mop enabled
!
interface GigabitEthernet0/2
description Internet
ip address 222.222.222.223 255.255.255.248 secondary
ip address 222.222.222.222 255.255.255.248
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
duplex auto
speed auto
media-type rj45
vrrp 30 description Internet
vrrp 30 ip xxx.xxx.xxx.xxx
vrrp 30 ip xxx.xxx.xxx.xxx secondary
vrrp 30 priority 250
no mop enabled


ip nat inside source list 2 interface GigabitEthernet0/2 overload
ip nat inside source list 120 interface GigabitEthernet0/2 overload
ip nat inside source list 130 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.0.1 80 222.222.222.222 80 extendable
ip nat inside source static tcp 10.0.0.1 443 222.222.222.222 443 extendable

ip nat inside source static tcp 10.0.0.18 22 222.222.222.223 22 extendable
ip nat inside source static 10.0.0.18 222.222.222.223 route-map FTPS extendable

 

route-map FTPS permit 10
match ip address 130

 

access-list 130 remark CCP_ACL Category=16
access-list 130 permit ip 192.168.0.0 0.0.255.255 any
access-list 130 permit tcp host 10.0.1.18 range 11000 13000 any
access-list 130 permit ip 193.0.0.0 0.255.255.255 any
access-list 130 permit tcp any any eq 22

 

 

 

 

 

 

1 Accepted Solution

Accepted Solutions

I would imagine it would match "access-list 130 permit tcp any any eq 22", hence why you might want to create a new ACL and restrict access. So confirm, clear the ACL counters, run a test and then confirm the output "show access-list 130" to confirm whether SSH is actually hitting ACL 130 or not.

Please run the command "show policy-map type inspect zone-pair ccp-zp-out-zone-To-in-zone sessions" and upload the output.

View solution in original post

3 Replies 3

Hi,
Assuming traffic is from out-zone to in-zone, it should hit the policy-map ccp-pol-outToIn which matches SSH on class-map sdm-nat-ssh-1 this is matching on:-

class-map type inspect match-all sdm-nat-ssh-1
match access-group 104
match protocol ssh
match access-group 130

You've not included the output of ACL 104, so I can't confirm....but you should look to confirm the configuration, perhaps create a new ACL permitting from the required source and then modify the class-map to reference the new ACL and remove the others.

HTH

Thanks for your message.

Here is ACL 104:

access-list 104 remark CCP_ACL Category=4
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 permit ip host 4x.1xx.4x.2xx host 10.0.1.1
access-list 104 remark ccp_ACL Category=0
access-list 104 permit ip host 217.169.xxx.xxx host 10.0.1.1

 

Im actually not sure why 104 is active..

 

You are right, it's the outToin policy-map

 

It's just strange that the FW allows FTPS/SSH traffic from out-to-in while the ACL/Route-Map says something else. It's probably a small thing that causes this issue...

I would imagine it would match "access-list 130 permit tcp any any eq 22", hence why you might want to create a new ACL and restrict access. So confirm, clear the ACL counters, run a test and then confirm the output "show access-list 130" to confirm whether SSH is actually hitting ACL 130 or not.

Please run the command "show policy-map type inspect zone-pair ccp-zp-out-zone-To-in-zone sessions" and upload the output.
Review Cisco Networking for a $25 gift card