Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
669
Views
0
Helpful
2
Replies

IOS Firewall question: protocol inspection

cluovpemb
Level 1
Level 1

‎12-10-2012 09:23 PM - edited ‎03-11-2019 05:35 PM

Hi all.  Recently I came to learn through trying to configure my 891 router that when configuring the zone-baesd firewall to protect SSH access to the router from the Internet, you cannot use match protocol ssh in the class map and apply an inspect action to this via the corresponding policy map.  Application-level inspection is not supported when involving the Self zone of the firewall. 

Yet if I simply set an access list, allowing port 22 to the router, and applying inspect to that, it works fine. 

My question is what is the difference between "match protocol ssh" and an access that is called via the match access-group name XYZ access list? 

Can't find this one in the Cisco docs I've read to date, and based on that something tells me this topic isn't going to be easy to research so I hope somebody has come across this query before. 

Thank you! 

Labels:
0 Helpful
2 Replies 2

julomban
Level 3
Level 3

‎12-11-2012 07:35 AM

Hello Colin,

This problem you are dealing with it's a bug and not exactly a difference between match protocol and access list.

This issue is seen if class-map in the policy-map uses match protocol  and the protocol is not in the list of supported protocol for self-zone.  This issue is seen even with pass action.

In other words; it is a bug and not a difference between match protocol and access list.

Regards,

Juan Lombana

Please rate helpful posts.

0 Helpful

Henrik Grankvist
Level 4
Level 4

‎12-12-2012 08:39 AM

Hi!

The difference between matching the protocol vs matching the protocol using an ACL is that when using the "match protocol ssh" you are using Network Based Application Recognition (NBAR), which is a application recognition mechanism. And when you are using the ACL you are simply matching the port-number (22).

So using NBAR is much more safer, because it mitigates attacks where you use a protocol on a different port than it was designed to use. But it is what it is, you can't use protocol inspection when the traffic is destined for the self zone (except for TCP, UDP, ICMP) and for your information and for julomban's information, it's not a bug.

Hope that helps

A very good way to find out more about ZFW:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card