08-18-2011 12:47 PM - edited 03-11-2019 02:13 PM
I have two problems:
1) Can't SSH to the router remotely; this line in IP-SELF is supposed to be allowing that: permit tcp host X.X.X.X any eq 22
2) Over a VPN tunnel, I can ping the router but can't telnet to it or SNMP to it. This is an ASA-to-router IPSEC tunnel, and the tunnel is up, as traffic not destined to self passes fine. This is the error: Aug 18 15:33:10.191: %FW-6-LOG_SUMMARY: 2 packets were dropped from RemoteVPNIP:33599 => SelfIP:23 (target:class)-(out-self:class-default) . The following line in IP-SELF is supposed to allow this: permit ip 10.0.0.0 0.0.0.255 any
Relevant configuration is below. I am about 99% sure I have some redundancies here I don't need.
Thanks in advance for assistance.
class-map type inspect match-all ICMP-SELF
 match protocol icmp
class-map type inspect match-any IP-SELF
 match access-group name IP-SELF
class-map type inspect match-all VPN-SELF
 match access-group name VPN-SELF
!
!
policy-map type inspect PUBLIC-TO-SELF
 class type inspect IP-SELF
  inspect
 class type inspect ICMP-SELF
  pass
 class type inspect VPN-SELF
  pass
 class class-default
  drop
!
zone-pair security out-self source public destination self
 service-policy type inspect PUBLIC-TO-SELF
!
ip access-list extended IP-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp host X.X.X.X any eq 22
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit udp any any eq ntp
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN-SELF
 permit eigrp any any
 permit gre any any
 permit esp any any
 permit ahp any any
08-18-2011 10:52 PM
Does it work without the ZBFW? Just want to double check that you don't have access-class configured on VTY line that prevents the access.
Also, would like to confirm that the remote subnet is actually 10.0.0.x, not 10.x.x.x, right?
08-19-2011 05:43 AM
Yes, there is no access-class on the VTY. The remote subnets are all 10.X.X.X. I have the correct wildcard mask for that, don't I?
08-19-2011 05:51 PM
For 10.x.x.x, wildcard mask should be 0.255.255.255
Hope that resolves the issue.
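To make the wildcard-mask point concrete, here is an added example (not code from the thread or from Cisco) that models how the posted zone-based firewall policy classifies a packet headed for the self zone: it evaluates the named ACLs with IOS wildcard semantics (a 1 bit means "don't care"), walks the policy-map classes in their configured order, and falls through to class-default. It assumes placeholder addresses (198.51.100.7 standing in for the poster's X.X.X.X, 203.0.113.1 for the router's own address, 10.20.30.40 for the remote VPN host) and a small table of the well-known port names the ACL uses; it deliberately ignores stateful return-traffic handling, so it only answers the first-packet question the log line is about.

```python
import ipaddress

# Well-known port names the thread's ACL uses (IOS resolves these itself).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123, "telnet": 23, "ssh": 22}

# Constructed copy of the poster's IP-SELF ACL; 198.51.100.7 is a placeholder
# for the redacted X.X.X.X management host.
IP_SELF_ORIGINAL = """\
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp host 198.51.100.7 any eq 22
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit udp any any eq ntp
permit ip 10.0.0.0 0.0.0.255 any
"""
# Same ACL with the wildcard mask corrected for 10.x.x.x, as the last reply suggests.
IP_SELF_FIXED = IP_SELF_ORIGINAL.replace("10.0.0.0 0.0.0.255", "10.0.0.0 0.255.255.255")
VPN_SELF = """\
permit eigrp any any
permit gre any any
permit esp any any
permit ahp any any
"""
# The policy-map classes in the order the poster configured them.
PUBLIC_TO_SELF = [
    {"name": "IP-SELF", "acl": "IP-SELF", "action": "inspect"},
    {"name": "ICMP-SELF", "protocol": "icmp", "action": "pass"},
    {"name": "VPN-SELF", "acl": "VPN-SELF", "action": "pass"},
    {"name": "class-default", "action": "drop"},
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: bits set in the wildcard are ignored, the rest must equal base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_spec(tokens, i):
    """Parse one address spec (any | host A.B.C.D | A.B.C.D W.W.W.W) at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn 'permit|deny <proto> <src> <dst> [eq <port> | <icmp-type>]' lines into entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # header lines and blanks carry no match criteria
        src, i = _parse_spec(t, 2)
        dst, i = _parse_spec(t, i)
        entry = {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": None, "icmp_type": None}
        if i < len(t):
            if t[i] == "eq":
                entry["dport"] = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
            elif t[1] == "icmp":
                entry["icmp_type"] = t[i]
        entries.append(entry)
    return entries


def acl_permits(entries, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != pkt.get("icmp_type"):
            continue
        return e["action"] == "permit"
    return False


def classify(pkt, ip_self_text=IP_SELF_ORIGINAL):
    """Return (class name, action) for a first packet entering the self zone."""
    acls = {"IP-SELF": parse_acl(ip_self_text), "VPN-SELF": parse_acl(VPN_SELF)}
    for cls in PUBLIC_TO_SELF:
        if cls["name"] == "class-default":
            return cls["name"], cls["action"]
        if cls.get("protocol") == pkt["proto"]:
            return cls["name"], cls["action"]
        if "acl" in cls and acl_permits(acls[cls["acl"]], pkt):
            return cls["name"], cls["action"]
    return "class-default", "drop"


# Constructed sample packets mirroring the thread's symptoms.
TELNET_FROM_VPN = {"proto": "tcp", "src": "10.20.30.40", "dst": "203.0.113.1", "dport": 23}
PING_FROM_VPN = {"proto": "icmp", "src": "10.20.30.40", "dst": "203.0.113.1", "icmp_type": "echo"}
SSH_FROM_MGMT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 22}

if __name__ == "__main__":
    for label, pkt in (("telnet", TELNET_FROM_VPN), ("ping", PING_FROM_VPN), ("ssh", SSH_FROM_MGMT)):
        print(label, "original:", classify(pkt), "fixed:", classify(pkt, IP_SELF_FIXED))
```

Run as-is, the telnet packet from 10.20.30.40 lands in class-default and is dropped with the original ACL, which is exactly the (out-self:class-default) drop in the log, while the ping matches the echo entry and is inspected; with the 0.255.255.255 wildcard the same telnet packet matches IP-SELF and is inspected instead.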