Can't access router via SSH or VPN with ZBF

mloraditch
Level 7

I have two problems:

1) Can't SSH to the router remotely; this line in IP-SELF is supposed to be allowing that: permit tcp host X.X.X.X any eq 22

2) Over a VPN tunnel, I can ping the router but can't telnet or SNMP to it. This is an ASA-to-router IPsec tunnel; the tunnel is up, as traffic not destined to self passes fine. This is the error: Aug 18 15:33:10.191: %FW-6-LOG_SUMMARY: 2 packets were dropped from RemoteVPNIP:33599 => SelfIP:23 (target:class)-(out-self:class-default). The following line in IP-SELF is supposed to allow this: permit ip 10.0.0.0 0.0.0.255 any

Relevant configuration is below. I am about 99% sure I have some redundancies here I don't need.

Thanks in advance for assistance.

class-map type inspect match-all ICMP-SELF
 match protocol icmp
class-map type inspect match-any IP-SELF
 match access-group name IP-SELF
class-map type inspect match-all VPN-SELF
 match access-group name VPN-SELF
!
! Classes are evaluated in the order listed; anything unmatched falls to class-default.
policy-map type inspect PUBLIC-TO-SELF
 class type inspect IP-SELF
  inspect
 class type inspect ICMP-SELF
  pass
 class type inspect VPN-SELF
  pass
 class class-default
  drop
!
zone-pair security out-self source public destination self
 service-policy type inspect PUBLIC-TO-SELF
!
ip access-list extended IP-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp host X.X.X.X any eq 22
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit udp any any eq ntp
 permit ip 10.0.0.0 0.0.0.255 any
!
ip access-list extended VPN-SELF
 permit eigrp any any
 permit gre any any
 permit esp any any
 permit ahp any any

Jennifer Halim
Cisco Employee

Does it work without the ZBFW? Just want to double check that you don't have access-class configured on VTY line that prevents the access.

Also, would like to confirm that the remote subnet is actually 10.0.0.x, not 10.x.x.x, right?

Yes, there is no access-class on the VTY. The remote subnets are all 10.X.X.X. I have the correct wildcard mask for that, don't I?

For 10.x.x.x, wildcard mask should be 0.255.255.255

Hope that resolves the issue.
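To make the wildcard-mask point concrete, here is an added example (not part of the thread and not Cisco code) that simulates the PUBLIC-TO-SELF policy above in Python: it evaluates a packet against the IP-SELF ACL with IOS wildcard semantics (first match wins, implicit deny at the end), then walks the policy-map classes in their configured order. The addresses are constructed: 203.0.113.1 stands in for the router, 10.1.2.3 for a host behind the ASA, and 198.51.100.7 for the redacted X.X.X.X management host. ICMP message types are not modelled, so an icmp entry matches any ICMP packet.

```python
"""Simulate the ZBF self-zone policy from the thread and show why the
wildcard mask in IP-SELF decides whether VPN traffic reaches the router."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords used in the posted ACL plus the two services in question.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123,
              "telnet": 23, "ssh": 22, "snmp": 161}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", "gre", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok, i):
    """Return (base, wildcard, next index) for 'any', 'host X' or 'X W'."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [icmp-type]'.
    ICMP message types are not modelled: an icmp entry matches any ICMP."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, src_wc, i = _parse_addr(tok, 2)
    dst, dst_wc, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return (action, proto, src, src_wc, dst, dst_wc, dport)


def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, src, src_wc, dst, dst_wc, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, src, src_wc):
        return False
    if not wildcard_match(pkt.dst, dst, dst_wc):
        return False
    return dport is None or dport == pkt.dport


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


# VPN-SELF ACL exactly as posted.
VPN_SELF = ["permit eigrp any any", "permit gre any any",
            "permit esp any any", "permit ahp any any"]


def zbf_self_action(pkt: Packet, ip_self_acl: list) -> str:
    """Walk PUBLIC-TO-SELF in configured order: IP-SELF -> inspect,
    ICMP-SELF -> pass, VPN-SELF -> pass, class-default -> drop."""
    if acl_permits(ip_self_acl, pkt):
        return "inspect"
    if pkt.proto == "icmp":
        return "pass"
    if acl_permits(VPN_SELF, pkt):
        return "pass"
    return "drop"


# IP-SELF as posted; 198.51.100.7 stands in for the redacted X.X.X.X (assumption).
MGMT_HOST = "198.51.100.7"
IP_SELF_ORIGINAL = [
    "permit udp any any eq isakmp",
    "permit udp any any eq non500-isakmp",
    "permit icmp any any unreachable",
    "permit icmp any any time-exceeded",
    f"permit tcp host {MGMT_HOST} any eq 22",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    "permit icmp any any traceroute",
    "permit gre any any",
    "permit udp any any eq ntp",
    "permit ip 10.0.0.0 0.0.0.255 any",   # matches only 10.0.0.x
]
# Same ACL with the wildcard mask corrected for 10.x.x.x, as the reply suggests.
IP_SELF_FIXED = IP_SELF_ORIGINAL[:-1] + ["permit ip 10.0.0.0 0.255.255.255 any"]

ROUTER = "203.0.113.1"   # router's own address (constructed)

if __name__ == "__main__":
    telnet_from_vpn = Packet("tcp", "10.1.2.3", ROUTER, 23)   # constructed VPN host
    ping_from_vpn = Packet("icmp", "10.1.2.3", ROUTER)
    for name, acl in (("original", IP_SELF_ORIGINAL), ("fixed", IP_SELF_FIXED)):
        print(name, "telnet:", zbf_self_action(telnet_from_vpn, acl),
              "ping:", zbf_self_action(ping_from_vpn, acl))
```

With the posted ACL, telnet from 10.1.2.3 matches no IP-SELF entry (10.1.2.3 masked by 0.0.0.255 gives 10.1.2.0, not 10.0.0.0), is not ICMP, and matches nothing in VPN-SELF, so it lands in class-default and is dropped, which is exactly what the %FW-6-LOG_SUMMARY line reports; ping succeeds because the icmp entries use `any`. With 0.255.255.255 the same packet is inspected. The simulation also shows that the `permit tcp host X.X.X.X any eq 22` entry does admit TCP/22 from that host, so the SSH problem is not explained by the IP-SELF ACL as posted.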
