03-22-2009 08:33 AM - edited 03-11-2019 08:08 AM
I am stuck trying to figure out how to allow an SSH connection from the outside to the WAN uplink on my firewall. I just recently converted to the zone-based firewall. I have tried adding all different types of ways but no luck. Can someone help me out?
Let's say I wanted to configure a specific IP address from the internet to access the router only through SSH.
03-22-2009 11:15 AM
Hi MANNY,
Just add commands I provided.
!
class-map type inspect match-all SSH
match protocol ssh
!
policy-map type inspect sdm-permit
class type inspect SSH
inspect
You may filter hosts to access this device by adding ACLs into the class-map.
Please let us know how things work out.
HTH,
Toshi
03-22-2009 11:51 AM
Hi Toshi,
First of all thanks for your suggestions. I tried what you suggested but got an error. Here is the exact copy from the router. Since it did not like the inspect command I tried pass but that did not work either. Any other suggestions?
Manny-2691(config)#class-map type inspect match-all SSH
Manny-2691(config-cmap)#match protocol ssh
Manny-2691(config-cmap)#!
Manny-2691(config-cmap)#policy-map type inspect sdm-permit
Manny-2691(config-pmap)#class type inspect SSH
Manny-2691(config-pmap-c)#inspect
%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry
Manny-2691(config-pmap-c)#
03-22-2009 12:03 PM
Hi Manny,
Sorry, that was my fault. It should be like this.
Manny-2691(config-pmap)#class type inspect SSH
Manny-2691(config-pmap-c)#pass
HTH,
Toshi
03-22-2009 12:15 PM
Hi Toshi,
The pass did not work either. Here is what I have in the config so far. I have attached a snapshot from SDM to see if it makes any sense.
Thanks for your help by the way. I am currently studying for my CCNA Security and this is bugging the heck out of me.
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM-Voice
match protocol h323
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all SSH
match protocol ssh
class-map type inspect match-all GRE
match access-group 104
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class type inspect SDM-Voice
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect GRE
pass
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect SDM-Voice
inspect
class type inspect SSH
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
03-22-2009 12:36 PM
Hi Manny,
When you try to SSH to the router, what exact error do you get?
Edit: What is the exact IP address you are trying to use as a source IP address to SSH to the router?
####################
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
####################
For testing:
line vty 0 4
no access-class 105 in
Please let me know.
Toshi
03-22-2009 12:41 PM
Hi,
I got the error below when I tried putting the inspect command on the router under the policy-map. It did not like the inspect, so I tried the pass but that is still not letting me ssh into the router from a remote ip address. Here was the error.
%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry.
03-22-2009 12:46 PM
Manny,
Well, it has to be "PASS".
What's the exact source IP address you are trying to use to SSH to the router?
Please see my previous post.
Toshi
03-22-2009 12:57 PM
03-22-2009 01:02 PM
Manny,
Without using the Zone-Based Firewall, did you ever access the router using the SSH protocol? I've not seen any crypto key generated by the router.
Please let me know
Toshi
03-22-2009 01:10 PM
Toshi,
Yes, I have verified that the crypto keys are generated using the command "sh crypto key mypubkey rsa" or using the SDM. I have not been able to SSH using this configuration. If I use a simple config from scratch, I can. But when I start adding all the policies and class maps, that's when I can't get back in.
03-22-2009 01:20 PM
Manny,
Here is my last hope. Let's try this first
!
policy-map type inspect sdm-permit
no class type inspect SSH
!
ip access-list extended SSH
permit tcp any any eq 22
!
class-map type inspect match-any SSH
match access-group name SDM_SSH
!
!
policy-map type inspect sdm-permit
class type inspect SSH
pass
!
OR
!
policy-map type inspect sdm-permit
no class type inspect SSH
!
ip access-list extended SSH
permit tcp any any eq 22
!
class-map type inspect match-any SSH
match access-group name SSH
!
class-map type inspect match-any access-to-router
match class-map SSH
!
policy-map type inspect sdm-permit
class type inspect access-to-router
inspect
!
Toshi
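As an added example (not Toshi's or Manny's config), here is the second option above narrowed to the single management host the original question asked for: the ACL, rather than "match protocol ssh" (which the self zone rejects), carries the source restriction, and the nested class-map is what lets the self-zone policy use "inspect". The address 203.0.113.10 and the ACL/class names MGMT-SSH and access-to-router are placeholders; the other classes already in sdm-permit (SDM_VPN_PT, SDM-Voice) are left out for brevity and would stay as they are.

```cisco
! Constructed example: only one Internet host may reach the router on TCP/22.
! 203.0.113.10 is a placeholder (TEST-NET-3) for the permitted management address.
ip access-list extended MGMT-SSH
 permit tcp host 203.0.113.10 any eq 22
!
! Classify on the ACL; "match protocol ssh" is refused for the self zone.
class-map type inspect match-any MGMT-SSH
 match access-group name MGMT-SSH
!
! Nesting the ACL class-map allows "inspect" on the out-to-self policy,
! so the SSH return traffic is tracked statefully.
class-map type inspect match-any access-to-router
 match class-map MGMT-SSH
!
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default
  drop log
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
!
! Second control: keep a VTY access-class with the same host and SSH-only transport.
access-list 10 remark VTY management host (placeholder address)
access-list 10 permit host 203.0.113.10
line vty 0 4
 access-class 10 in
 transport input ssh
```

Using "inspect" here matters: "pass" in ZBF is one-directional, so a pass-only rule would also need a matching pass on the self-to-out zone pair for the SSH replies, whereas inspect creates the return-path state itself.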
03-22-2009 01:42 PM
Toshi! You are a genius dude! The second option worked beautifully! I really appreciate your help.
Is there a book/resource that you used to learn this? I am going through my CCNA Security exam and it doesn't go too much into detail on zone firewalls. I did buy the Cisco Deploying Zone-Based Firewalls book, but it did not show an example of SSH access.
Now all that is left is allowing webserver/mail/ftp. Do you have any quick examples of that?
Thanks again.
Manny
03-22-2009 02:06 PM
Manny,
Please check this link out. It may help you.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html
I'm a sleepyhead now. (grin) @4am.
Toshi
03-22-2009 02:11 PM
Thanks again!