06-26-2010 12:52 PM - edited 03-12-2019 06:00 PM
I have several Cisco 877 routers that I manage from the Internet as they are at customer sites. I have just installed a Cisco 1841 and I am trying to set up the same management.
Both the 877 and the 1841 are using the Advanced Security IOS. The problem I have is that the firewall config for the 877 isn't working now that I have ported it over to the 1841. I have posted my config below; can anyone help point me in the right direction, as I am sure I am close! I have removed certain parts of the config that are not relevant.
Thanks
Kyle
crypto pki certificate chain TP-self-signed-2504183264
certificate self-signed 01
!
!
username xxxxxxxx privilege 15 secret 5 $1$rGZW$qRM6OTnZf9lluURrjyRap0
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 1 ip sla 1 reachability
!
track 2 interface ATM0/0/0 line-protocol
carrier-delay
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any smtp
match protocol smtp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map smtp
match access-group name gfi-servers
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any workshop-out-allowed
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol pptp
match protocol l2tp
match protocol dns
match protocol ntp
match protocol icmp
match protocol ftp
match protocol ftps
match protocol tftp
match protocol telnet
match protocol ssh
match protocol isakmp
match protocol ipsec-msft
match protocol user-sts
match protocol user-rdp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map smtp
match access-group name tmcm-cscm
class-map type inspect match-any cscm-mav-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-policy-workshop-out-allowed-
match access-group name gfimax-servers
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect match-any cscm-g2g-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-all sdm-nat-user-sts-1
match access-group 101
match protocol user-sts
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any mav-out-allowed
match protocol http
match protocol https
match protocol icmp
match protocol dns
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-policy-mav-out-allowed
class type inspect mav-out-allowed
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-sts-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-policy-cscm-g2g-allowed
class type inspect cscm-g2g-allowed
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect sdm-policy-cscm-mav-allowed
class type inspect cscm-mav-allowed
inspect
class class-default
drop
policy-map type inspect sdm-policy-workshop-out-allowed
class type inspect workshop-out-allowed
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security mav-zone
zone security workshop-zone
zone security g2g-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-mav-zone-out-zone source mav-zone destination out-zone
service-policy type inspect sdm-policy-mav-out-allowed
zone-pair security sdm-zp-in-zone-mav-zone source in-zone destination mav-zone
service-policy type inspect sdm-policy-cscm-mav-allowed
zone-pair security sdm-zp-mav-zone-in-zone source mav-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-workshop-zone-out-zone source workshop-zone destination out-zone
service-policy type inspect sdm-policy-workshop-out-allowed
zone-pair security sdm-zp-in-zone-g2g-zone source in-zone destination g2g-zone
service-policy type inspect sdm-policy-cscm-g2g-allowed
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Management Interface$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address 192.168.110.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0.2
description Workshop Interface$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.0.62 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security workshop-zone
!
interface FastEthernet0/0.3
description MAV Interface$FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 3
ip address 172.22.0.14 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security mav-zone
!
interface FastEthernet0/0.4
description G2G Interface$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 4
ip address 192.168.111.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security g2g-zone
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
description O2 ADSL Circuit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
description O2 ADSL Circuit$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.248.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
description ADSL$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer fast-idle 120
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx@comuk
ppp chap password 7 050A005D2542665E2E
ppp pap sent-username xxxxxx@comuk password 7 050A005D2542665E2E
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 10
ip route 4.2.2.2 255.255.255.255 xx.xx.xx.xx
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map CSCM interface Dialer0 overload
ip nat inside source route-map O2 interface ATM0/0/0.1 overload
ip nat inside source static tcp 192.168.110.2 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 192.168.110.2 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 192.168.110.2 987 xx.xx.xx.xx 987 extendable
ip nat inside source static tcp 192.168.110.2 1723 xx.xx.xx.xx 1723 extendable
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
permit tcp any any eq 443
ip access-list extended SDM_SHELL
permit tcp any any eq cmd
ip access-list extended SDM_SSH
permit tcp any any eq 22
ip access-list extended gfi-servers
remark CCP_ACL Category=128
permit ip 174.36.153.0 0.0.0.255 host 192.168.110.2
ip access-list extended gfimax-servers
remark CCP_ACL Category=128
permit ip 174.36.153.0 0.0.0.255 host 192.168.110.2
ip access-list extended tmcm-cscm
remark CCP_ACL Category=128
permit ip 172.22.0.0 0.0.0.15 host 192.168.110.2
!
ip sla 1
icmp-echo 4.2.2.2 source-interface ATM0/0/0.1
frequency 5
ip sla schedule 1 life forever start-time now
access-list 23 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xx.xx.xx.xx 0.0.7.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.110.2
access-list 101 permit ip any any
access-list 102 permit ip any any
no cdp run
!
!
!
route-map CSCM permit 10
match interface Dialer0
!
route-map O2 permit 10
match interface ATM0/0/0.1
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
^C
banner login ^C
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line aux 0
exec-timeout 0 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
event manager applet failover
event track 1 state any
action 2.0 cli command "clear ip nat trans"
event manager applet O2-carrierdetect-up
event track 2 state up
action 2.0 cli command "clear ip nat trans"
!
end
cisco-1841#
07-01-2010 05:27 AM
Marcin,
Removing out-to-self and self-to-out didn't resolve the issue. I wonder why? Added to this, removing the access-class in the line vty didn't do the trick either. Very strange.
What code are you running? Get the latest code. I have seen a similar issue (still unresolved - potential defect) but, in that case the authentication was via TACACS and in this case it is local DB.
-KS
07-01-2010 01:23 PM
I am still working away on this, and using the ip inspect log drop command I can see this in the logs
%FW-6-DROP_PKT: Dropping http session 86.4.xx.xx:28089 xx.xx.xx.xx:23 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
This was when I tried to telnet to the public IP from my home. Is there a reason why the firewall sees this as an http session?
I don't want to give up on this one; I just can't understand why the same config works on an 877 and not on an 1841 router even though they both have the same IOS.
07-07-2010 12:02 AM
I am closing this thread for now as I need to spend more time reading up on ZBF. I wanted to say thank you to those who tried to help on this!
Cheers
kyle
07-07-2010 01:16 AM
Kyle,
One last try (with ZBF enabled and everything).
Please note that it has not been proofed on a device; it's a copy/paste + interpretation.
I didn't change any policy names compared to your initial config.
ip access-list extended TAC_SSH
 permit tcp any any eq 22
!
! named ACL, so the match needs the 'name' keyword
class-map type inspect TAC_SSH
 match access-group name TAC_SSH
!
! inside a policy-map the keyword is 'class', and the ZBF action is 'pass'
! ('permit' is not a valid inspect action); TAC_SSH is put before sdm-access
! so it is evaluated first
policy-map type inspect ccp-permit
 no class type inspect sdm-access
 class type inspect TAC_SSH
  pass
 exit
 class type inspect sdm-access
  pass
Let me know if same thing happens.
Marcin
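Added example, not code from this thread or from Cisco: a small Python model of the out-zone to self zone-pair in Kyle's posted config, plus a parser for the %FW-6-DROP_PKT line he quoted. It re-creates the ACLs SDM_HTTPS, SDM_SSH, SDM_SHELL and 102, the class-maps sdm-cls-access and sdm-access, and the policy-map ccp-permit with a simplified reading of the IOS matching rules (match-any needs one criterion, match-all needs every criterion, the first matching class in the policy-map wins, class-default last). Walking a flow through it shows why TCP/23 falls to class-default and is dropped, that TCP/22 does match sdm-access but that class carries no action line in the posted ccp-permit, and how an explicit pass on that class (the effect of Marcin's suggestion) changes the verdict. The ACL contents, port numbers and log line come from the thread; the Flow object, the evaluator and the two policy lists are my own simplification, and the model deliberately reports None rather than guessing what IOS does for a class without an action.

```python
"""ZBF policy walker and drop-log parser.

Added example, not code from this thread or from Cisco. It re-models the
out-zone -> self zone-pair of Kyle's posted config (policy-map ccp-permit,
class sdm-access, ACLs SDM_HTTPS/SDM_SSH/SDM_SHELL and 102) in plain Python
so a flow can be traced class by class. Matching semantics are a simplified
reading of IOS: an ACL is a list of permit entries, match-any needs one
criterion, match-all needs every criterion, and the policy-map takes the
first matching class in order, with class-default last.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


# ACL contents as posted in the thread ('eq cmd' is TCP/514, rsh).
ACLS = {
    "SDM_HTTPS": [("tcp", 443)],
    "SDM_SSH": [("tcp", 22)],
    "SDM_SHELL": [("tcp", 514)],
    "102": [("any", None)],        # access-list 102 permit ip any any
}


def acl_permits(name, flow):
    """True if any permit entry of the named ACL covers the flow."""
    for proto, port in ACLS[name]:
        if proto in ("any", flow.proto) and port in (None, flow.dport):
            return True
    return False


@dataclass
class ClassMap:
    name: str
    mode: str                                    # "match-any" | "match-all"
    acls: list = field(default_factory=list)     # match access-group ...
    classes: list = field(default_factory=list)  # match class-map ...

    def matches(self, flow, cmaps):
        results = [acl_permits(a, flow) for a in self.acls]
        results += [cmaps[c].matches(flow, cmaps) for c in self.classes]
        return any(results) if self.mode == "match-any" else all(results)


CLASS_MAPS = {
    "SDM_HTTPS": ClassMap("SDM_HTTPS", "match-any", acls=["SDM_HTTPS"]),
    "SDM_SSH": ClassMap("SDM_SSH", "match-any", acls=["SDM_SSH"]),
    "SDM_SHELL": ClassMap("SDM_SHELL", "match-any", acls=["SDM_SHELL"]),
    "sdm-cls-access": ClassMap("sdm-cls-access", "match-any",
                               classes=["SDM_HTTPS", "SDM_SSH", "SDM_SHELL"]),
    "sdm-access": ClassMap("sdm-access", "match-all",
                           acls=["102"], classes=["sdm-cls-access"]),
}

# policy-map ccp-permit exactly as posted: sdm-access has no action line,
# only class-default carries 'drop'. The second list gives sdm-access an
# explicit 'pass', which is what Marcin's suggestion amounts to.
POLICY_AS_POSTED = [("sdm-access", None), ("class-default", "drop")]
POLICY_WITH_PASS = [("sdm-access", "pass"), ("class-default", "drop")]


def classify(flow, policy, cmaps=CLASS_MAPS):
    """Return (class_name, action) for the first class the flow hits."""
    for cname, action in policy:
        if cname == "class-default" or cmaps[cname].matches(flow, cmaps):
            return cname, action
    raise ValueError("policy-map has no class-default")


# Parser for the %FW-6-DROP_PKT message quoted in the thread.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l7>\S+) session "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<action>\S+) action"
)


def parse_drop_log(line):
    """Extract flow, zone-pair and class from a ZBF drop log line (or None)."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


if __name__ == "__main__":
    # Log line as quoted by Kyle (public address already masked by him).
    sample = ("%FW-6-DROP_PKT: Dropping http session 86.4.xx.xx:28089 "
              "xx.xx.xx.xx:23 on zone-pair ccp-zp-out-self class class-default "
              "due to DROP action found in policy-map with ip ident 0")
    rec = parse_drop_log(sample)
    flow = Flow("tcp", rec["dport"])
    print("logged:", rec["zone_pair"], rec["cls"], rec["action"])
    print("telnet as posted :", classify(flow, POLICY_AS_POSTED))
    print("ssh as posted    :", classify(Flow("tcp", 22), POLICY_AS_POSTED))
    print("ssh with pass    :", classify(Flow("tcp", 22), POLICY_WITH_PASS))
```

Running it reproduces the thread's observation from the config alone: port 23 is in none of the three management ACLs, so telnet from out-zone to the router's own address can only hit class-default, whose action is drop, exactly what the log line says. The same walk on port 22 shows that SSH does reach sdm-access, so whether management works then depends entirely on that class having an action, which is the line the posted ccp-permit lacks and the line Marcin's version supplies.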