06-26-2010 12:52 PM - edited 03-12-2019 06:00 PM
I have several Cisco 877 routers that I manage from the Internet as they are at customer sites. I have just installed a Cisco 1841 and I am trying to set up the same management.
Both the 877 and the 1841 are using the Advanced Security IOS. The problem I have is that the firewall config for the 877 isn't working when I have ported it over to the 1841. I have posted my config below, can anyone help point me in the right direction as I am sure I am close! I have removed certain parts of the config that are not relevant.
Thanks
Kyle
crypto pki certificate chain TP-self-signed-2504183264
certificate self-signed 01
!
!
username xxxxxxxx privilege 15 secret 5 $1$rGZW$qRM6OTnZf9lluURrjyRap0
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 1 ip sla 1 reachability
!
track 2 interface ATM0/0/0 line-protocol
carrier-delay
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any smtp
match protocol smtp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map smtp
match access-group name gfi-servers
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any workshop-out-allowed
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol pptp
match protocol l2tp
match protocol dns
match protocol ntp
match protocol icmp
match protocol ftp
match protocol ftps
match protocol tftp
match protocol telnet
match protocol ssh
match protocol isakmp
match protocol ipsec-msft
match protocol user-sts
match protocol user-rdp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map smtp
match access-group name tmcm-cscm
class-map type inspect match-any cscm-mav-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-policy-workshop-out-allowed-
match access-group name gfimax-servers
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect match-any cscm-g2g-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-all sdm-nat-user-sts-1
match access-group 101
match protocol user-sts
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any mav-out-allowed
match protocol http
match protocol https
match protocol icmp
match protocol dns
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-policy-mav-out-allowed
class type inspect mav-out-allowed
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-sts-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-policy-cscm-g2g-allowed
class type inspect cscm-g2g-allowed
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect sdm-policy-cscm-mav-allowed
class type inspect cscm-mav-allowed
inspect
class class-default
drop
policy-map type inspect sdm-policy-workshop-out-allowed
class type inspect workshop-out-allowed
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security mav-zone
zone security workshop-zone
zone security g2g-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-mav-zone-out-zone source mav-zone destination out-zone
service-policy type inspect sdm-policy-mav-out-allowed
zone-pair security sdm-zp-in-zone-mav-zone source in-zone destination mav-zone
service-policy type inspect sdm-policy-cscm-mav-allowed
zone-pair security sdm-zp-mav-zone-in-zone source mav-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-workshop-zone-out-zone source workshop-zone destination out-zone
service-policy type inspect sdm-policy-workshop-out-allowed
zone-pair security sdm-zp-in-zone-g2g-zone source in-zone destination g2g-zone
service-policy type inspect sdm-policy-cscm-g2g-allowed
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Management Interface$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address 192.168.110.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.2
description Workshop Interface$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.0.62 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security workshop-zone
!
interface FastEthernet0/0.3
description MAV Interface$FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 3
ip address 172.22.0.14 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security mav-zone
!
interface FastEthernet0/0.4
description G2G Interface$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 4
ip address 192.168.111.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security g2g-zone
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
description O2 ADSL Circuit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
description O2 ADSL Circuit$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.248.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
description ADSL$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer fast-idle 120
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx@comuk
ppp chap password 7 050A005D2542665E2E
ppp pap sent-username xxxxxx@comuk password 7 050A005D2542665E2E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 10
ip route 4.2.2.2 255.255.255.255 xx.xx.xx.xx
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map CSCM interface Dialer0 overload
ip nat inside source route-map O2 interface ATM0/0/0.1 overload
ip nat inside source static tcp 192.168.110.2 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 192.168.110.2 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 192.168.110.2 987 xx.xx.xx.xx 987 extendable
ip nat inside source static tcp 192.168.110.2 1723 xx.xx.xx.xx 1723 extendable
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
permit tcp any any eq 443
ip access-list extended SDM_SHELL
permit tcp any any eq cmd
ip access-list extended SDM_SSH
permit tcp any any eq 22
ip access-list extended gfi-servers
remark CCP_ACL Category=128
permit ip 174.36.153.0 0.0.0.255 host 192.168.110.2
ip access-list extended gfimax-servers
remark CCP_ACL Category=128
permit ip 174.36.153.0 0.0.0.255 host 192.168.110.2
ip access-list extended tmcm-cscm
remark CCP_ACL Category=128
permit ip 172.22.0.0 0.0.0.15 host 192.168.110.2
!
ip sla 1
icmp-echo 4.2.2.2 source-interface ATM0/0/0.1
frequency 5
ip sla schedule 1 life forever start-time now
access-list 23 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.xx.xx.xx 0.0.7.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.110.2
access-list 101 permit ip any any
access-list 102 permit ip any any
no cdp run
!
!
!
route-map CSCM permit 10
match interface Dialer0
!
route-map O2 permit 10
match interface ATM0/0/0.1
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
^C
banner login ^C
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line aux 0
exec-timeout 0 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
event manager applet failover
event track 1 state any
action 2.0 cli command "clear ip nat trans"
event manager applet O2-carrierdetect-up
event track 2 state up
action 2.0 cli command "clear ip nat trans"
!
end
cisco-1841#
06-27-2010 02:52 AM
What have you done to debug this?
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
policy-map type inspect ccp-permit
class type inspect sdm-access
class class-default
drop
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
access-list 102 permit ip any any
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
etc etc.
There's a "pass" or "inspect" missing above
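The point of the reply above is that a class under a ZBF policy-map needs an explicit action (inspect, pass or drop), and the class under ccp-permit has none. The script below is an added example, not part of this thread or of any Cisco tooling: it parses the zone-pair, service-policy and policy-map lines of an IOS running-config (the sample config embedded in it is a constructed copy of the fragment quoted above) and reports every class, on every policy attached to a zone-pair, that has no action. It works on both indented and flush-left pastes, since forum pastes usually lose the indentation.

```python
import re

# Constructed sample: the ccp-zp-out-self fragment quoted in the reply above,
# with the action under "class type inspect sdm-access" absent. A second
# policy-map with complete actions is included to show it is not flagged.
SAMPLE_CONFIG = """\
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
policy-map type inspect ccp-permit
 class type inspect sdm-access
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
"""

# The actions a class inside a "policy-map type inspect" can carry.
ACTIONS = {"inspect", "pass", "drop", "drop log"}


def parse_policy_maps(config):
    """Return {policy_map: {class_name: action_or_None}}.

    Keywords, not indentation, delimit the policy-map, so a paste that has
    lost its leading spaces parses the same as the real running-config.
    """
    policies = {}
    current_pm = None
    current_cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"policy-map type inspect (\S+)$", line)
        if m:
            current_pm = m.group(1)
            policies[current_pm] = {}
            current_cls = None
            continue
        if current_pm is None:
            continue
        # "class type inspect NAME" or "class class-default"
        m = re.match(r"class (?:type inspect )?(\S+)$", line)
        if m:
            current_cls = m.group(1)
            policies[current_pm][current_cls] = None
            continue
        if current_cls is not None and line in ACTIONS:
            policies[current_pm][current_cls] = line
            continue
        # Any other keyword means the policy-map section has ended.
        current_pm = None
        current_cls = None
    return policies


def parse_zone_pairs(config):
    """Return {zone_pair: {"source", "destination", "policy"}}."""
    pairs = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line)
        if m:
            current = m.group(1)
            pairs[current] = {"source": m.group(2), "destination": m.group(3), "policy": None}
            continue
        m = re.match(r"service-policy type inspect (\S+)$", line)
        if m and current is not None:
            pairs[current]["policy"] = m.group(1)
            current = None
    return pairs


def find_missing_actions(config):
    """List (zone_pair, policy_map, class) tuples where the class has no action."""
    policies = parse_policy_maps(config)
    findings = []
    for zp, info in parse_zone_pairs(config).items():
        pm = info["policy"]
        for cls, action in policies.get(pm, {}).items():
            if action is None:
                findings.append((zp, pm, cls))
    return findings


if __name__ == "__main__":
    for zp, pm, cls in find_missing_actions(SAMPLE_CONFIG):
        print(f"zone-pair {zp}: policy-map {pm}, class {cls} has no inspect/pass/drop")
```

Run it against `show running-config` output saved to a file instead of the embedded sample to check a whole router; only policy-maps actually bound to a zone-pair are reported, so an unused policy with a missing action does not produce noise.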
06-27-2010 07:42 AM
Thanks, I have added the missing inspect as below but I still cannot connect with SSH to the router on the outside interface. I am positive I have all the commands exactly the same as an 877 I can access with SSH. I just can't work out what is different, how would I go about looking at the policy maps in terms of logging the failed access?
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
drop
06-27-2010 10:47 AM
Kyle,
I would give it a pass rather than inspect...
If you want to check the difference, simple unix diff will show you
Also since this was initially deployed via SDM check in SDM...
There's an option to "log" but I'm not sure how it works with self zone, it's been ages since I had to do anything with ZBF:
Marcin
06-27-2010 12:12 PM
Thanks Marcin, I did try pass and that didn't work, I noted when using SDM to setup the firewall it didn't offer the option to access SDM from the WAN interfaces so that may suggest something.
Looks like it's reading for me on ZBF!
I can use a VPN and an inside client for now.
Thanks for your help
--
Kyle Heath
06-28-2010 02:33 AM
Kyle,
How does the connection work, I see both ATM and dialer interface being part of out-zone.
Is that also the case for 870?
Can you attach config from both 870 and 1840 (best as attachments).
Marcin
06-28-2010 07:50 AM
The 1841 has two HWIC cards for ADSL and so has an ATM0/0/0.1 Interface bridged 1483 to ADSL2 and one ATM0/1/0 using Dialer0 to a PPPoA ADSL.
I will get the configs up on here tomorrow, thanks for helping on this!
06-30-2010 11:40 AM
Below is the config I used today on an 877 to enable access to SDM from the Internet. This worked and I could SSH into the router on the ATM0.1 IP address, I have tried this on the Cisco 1841 tonight and I still cannot connect, I have the same problem on another Cisco 1841 that I have also, could there be something I am missing that is different on the 1841?
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
exit
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
exit
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
exit
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip any any
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
exit
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
exit
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
exit
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
exit
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 105
exit
policy-map type inspect sdm-permit
class type inspect sdm-access
inspect
class class-default
exit
06-30-2010 11:51 AM
Do you have access-class configured on the line?
Could you pls. post the output of "sh run | b line vty" ?
class-map type inspect match-all sdm-access ------------------> have you changed this to match-any?
match class-map sdm-cls-access
match access-group 102
as well as
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect ---------------------------------------> add the inspect like Marcin said.
class class-default
-KS
06-30-2010 12:14 PM
I have tried adding the inspect to the class map under the policy map and I changed the match-all to match-any on the class-map sdm-access but this resulted in the same problem.
The config for line vty is below
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
Access list 23 is as follows
access-list 23 permit any
I appreciate your help on this!
06-30-2010 12:23 PM
Just for testing can you try
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply -----> remove
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit ---> remove
Just ssh is failing or telnet is failing too? Have you created an rsa key pair? "cry key generate rsa modulus 1024"
-KS
06-30-2010 12:37 PM
I have the RSA key generated and telnet also fails. I have tried removing the ccp-permit-icmpreply service policy and the ccp-permit service policy and it still fails to connect using SSH.
I take it this type of thing should not be difficult? I must admit to being new to ZBF and I must get a book on this matter to understand it better, so far I have been working it out from the commands the SDM generates and then working backwards from there.
Is the method I am trying the only way to access the router via SSH for remote management?
06-30-2010 12:41 PM
While you have removed the out to self and self to out policy. Pls. also remove the access-class in the line vty and try it again.
Yes, ZBF for first time users is a bit difficult. What you are trying to do is the correct way to gain access or control access to the device. This should work. You can't manage it using any IP address configured on the router? Meaning from the inside or the outside? This is very strange.
-KS
06-30-2010 12:53 PM
I can connect to the router on the internal interfaces with SSH and telnet no issues, here is the log file when I enabled ip inspect log drop
0029: *Jun 30 19:48:35.571 London: %FW-6-DROP_PKT: Dropping http session xx.xx.xx.xx:7343 xx.xx.xx.xx:22 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000030: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 2 packets were dropped from xx.xx.xx.xx:7343 => xx.xx.xx.xx:22 (target:class)-(ccp-zp-out-self:class-default)
000031: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 1 packet were dropped from xx.xx.xx.xx:64059 => xx.xx.xx.xx:137 (target:class)-(ccp-zp-out-self:class-default)
000032: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 1 packet were dropped from xx.xx.xx.xx:62735 => xx.xx.xx.xx:137 (target:class)-(ccp-zp-out-self:class-default)
000033: *Jun 30 19:49:13.499 London: %FW-6-DROP_PKT: Dropping http session 190.50.188.253:3733 xx.xx.xx.xx:445 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
Does this help lead towards where I am going wrong?
07-01-2010 04:11 AM
Kyle,
It looks like your SSH connection is falling into class-default and the action there is "drop".
000030: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 2 packets were dropped from xx.xx.xx.xx:7343 => xx.xx.xx.xx:22 (target:class)- (ccp-zp-out-self: class-default)
At this point I would try to create a special class for SSH and apply it into out to self ... I'll try to come up with actual lines soon-ish.
Marcin
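The diagnosis above comes straight from the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY messages: each one names the zone-pair and the class whose drop action hit the flow. The script below is an added example, not from this thread or from Cisco: it parses those two message formats and reports, per destination port, which zone-pair and class is dropping the traffic, so the SSH drop on ccp-zp-out-self:class-default stands out from the background noise on ports 137 and 445. The embedded log lines are constructed to match the shape of the ones posted above, with RFC 5737 documentation addresses in place of the real ones.

```python
import re
from collections import Counter

# Constructed sample in the %FW-6-DROP_PKT / %FW-6-LOG_SUMMARY shapes shown in
# the thread. 203.0.113.x / 198.51.100.x are sources, 192.0.2.1 is the router's
# outside address; none of them are real hosts.
SAMPLE_LOG = """\
000029: *Jun 30 19:48:35.571 London: %FW-6-DROP_PKT: Dropping http session 203.0.113.10:7343 192.0.2.1:22 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000030: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.0.113.10:7343 => 192.0.2.1:22 (target:class)-(ccp-zp-out-self:class-default)
000031: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.0.113.10:64059 => 192.0.2.1:137 (target:class)-(ccp-zp-out-self:class-default)
000032: *Jun 30 19:48:39.163 London: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.0.113.10:62735 => 192.0.2.1:137 (target:class)-(ccp-zp-out-self:class-default)
000033: *Jun 30 19:49:13.499 London: %FW-6-DROP_PKT: Dropping http session 198.51.100.7:3733 192.0.2.1:445 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
"""

DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)"
)


def drop_summary(text):
    """Count dropped packets per (zone-pair, class, dst port).

    LOG_SUMMARY aggregates the individual DROP_PKT messages, so only the
    summary lines are counted here; counting both would double-count.
    """
    counts = Counter()
    for line in text.splitlines():
        m = LOG_SUMMARY.search(line)
        if m:
            counts[(m["zp"], m["cls"], int(m["dport"]))] += int(m["count"])
    return counts


def first_drop_of(text, dport):
    """Return the first DROP_PKT event to dport as a dict, or None if there is none."""
    for line in text.splitlines():
        m = DROP_PKT.search(line)
        if m and int(m["dport"]) == dport:
            return {k: m[k] for k in ("proto", "src", "sport", "dst", "dport", "zp", "cls")}
    return None


def blocking_classes(text, dport):
    """Sorted list of (zone-pair, class) combinations dropping traffic to dport."""
    return sorted({(zp, cls) for (zp, cls, p) in drop_summary(text) if p == dport})


if __name__ == "__main__":
    for (zp, cls, port), n in sorted(drop_summary(SAMPLE_LOG).items()):
        print(f"{n:4d} packet(s) to port {port:<5} dropped by {zp} / {cls}")
    ssh = first_drop_of(SAMPLE_LOG, 22)
    if ssh:
        print(f"first SSH drop: {ssh['src']}:{ssh['sport']} -> {ssh['dst']}:22 "
              f"hit class {ssh['cls']} on zone-pair {ssh['zp']}")
```

Feed it the output of `show logging` instead of the embedded sample; if the SSH flow shows up under class-default rather than under the class you expect to inspect or pass it, the class-map criteria (here the match-all of sdm-cls-access and access-group 102) are not matching the flow, which is the condition the reply above points at.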