03-22-2009 08:33 AM - edited 03-11-2019 08:08 AM
I am stuck in trying to figure out how to allow an SSH connection from the outside to the WAN uplink on my firewall. I just recently converted to the zone-based firewall. I have tried adding all different types of ways but no luck. Can someone help me out?
Let's say I wanted to configure a specific IP address from the internet to access the router only through SSH.
03-23-2009 04:36 AM
Does this also count for SNMP? Because it seems that SNMP is also blocked by default.
03-23-2009 05:48 AM
Hi Fred,
I guess it depends on whether you're using SNMP on the inside or the outside?
03-23-2009 07:10 AM
I'm trying to get it working from the outside. I wasn't able to connect to the Cisco 871 from the outside with SSH, but that is functioning now due to your solution. I was wondering if this is also the case with monitoring from the outside, because we want to monitor customers remotely.
03-23-2009 07:16 AM
I will try it later on tonight and let you know. I am fairly new to Zone-Based Firewalls. I would think to follow the same concept as for SSH in the example above. Post your config and maybe Toshi can comment on it.
03-23-2009 07:55 AM
03-23-2009 10:04 AM
Hi Fred,
Outside zone to self has a class-default that denies everything by default. Yes! We can change it. You need to configure what you want to allow in your policy-map (sdm-permit). It can be either "inspect" or "pass" when using an ACL to match the traffic you want. Keep in mind that when using the "pass" keyword you then need to allow from self to the outside zone as well. That's why we prefer "inspect", as we did before.
HTH,
Toshi
03-24-2009 01:02 AM
Hi Toshi,
Should I then also alter the following?
class-map type inspect match-any access-to-router
 match class-map SSH
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default
It is not clear to me what to configure.
11-10-2010 07:56 AM
Hi All
I had exactly the same issue with enabling just SSH access to the router for remote control.
Only passing SSH traffic worked; inspecting would not work at all, because of the following error:
%Protocol ssh configured in class-map classSSH cannot be configured for the self zone. Please remove the protocol and retry
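Putting Toshi's advice and the error in the last post together: the "inspect" action is not accepted for the ssh protocol when the destination is the self zone, so the working pattern is an ACL-matched class with "pass" in the outside-to-self policy plus a mirror "pass" for the reply direction from self to outside. The configuration below is an added example written for this thread, not a config posted by any of the participants. It assumes a zone named out-zone on the WAN interface, a single management host 203.0.113.10 (a documentation address standing in for the real one), and the SDM-generated sdm-permit policy-map and sdm-zp-out-self zone-pair already present on the router; all other names are chosen here.

```cisco
! Added example for an IOS Zone-Based Firewall, not from the original thread.
! Assumed: zone "out-zone" on the WAN interface, management host 203.0.113.10,
! existing policy-map "sdm-permit" and zone-pair "sdm-zp-out-self".
!
! Match only SSH from the one management host towards the router itself.
ip access-list extended ACL-MGMT-SSH-IN
 permit tcp host 203.0.113.10 any eq 22
!
! Mirror ACL for the router's SSH replies back to that host.
! "pass" is stateless, so the return direction needs its own permit.
ip access-list extended ACL-MGMT-SSH-OUT
 permit tcp any eq 22 host 203.0.113.10
!
class-map type inspect match-all CM-MGMT-SSH-IN
 match access-group name ACL-MGMT-SSH-IN
class-map type inspect match-all CM-MGMT-SSH-OUT
 match access-group name ACL-MGMT-SSH-OUT
!
! Outside -> self: "pass" instead of "inspect" for SSH to the self zone.
! class-default keeps dropping everything else; "log" makes denied
! attempts visible in syslog.
policy-map type inspect sdm-permit
 class type inspect CM-MGMT-SSH-IN
  pass
 class class-default
  drop log
!
! Self -> outside: allow the SSH replies, drop the rest.
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-MGMT-SSH-OUT
  pass
 class class-default
  drop
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security zp-self-out source self destination out-zone
 service-policy type inspect PM-SELF-TO-OUT
!
! Defence in depth on the VTY lines: even if the zone policy is later
! loosened, only the management host can open an SSH session.
ip access-list standard ACL-VTY-MGMT
 permit host 203.0.113.10
line vty 0 4
 access-class ACL-VTY-MGMT in
 transport input ssh
```

Two points worth checking after applying this: "show policy-map type inspect zone-pair sdm-zp-out-self" should show the pass counters for CM-MGMT-SSH-IN increasing while the management host connects, and the class-default drop counter shows everything else hitting the router from the outside. Fred's SNMP question follows the same pattern: add "permit udp host 203.0.113.10 any eq 161" to the inbound ACL and "permit udp any eq 161 host 203.0.113.10" to the outbound one, since SNMP responses from the router also originate in the self zone.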