IOS Zone firewall (ZFW) & changing SSH listening port
I'll have to check into the deetails again but I recall there being a way to change the listening port for SSH. Not only do you have to configure SSH itself to listen on a new port but I think there was something about making the inbound interface part of a rotary group or something.
Anyway, my question is more about how the zone firewall reacts to this. If I have inspect set for SSH, (or pass) and yet change the default port for it, does the IOS still know to take the configured action on the protocol? I'll try to test this myself once I have an opportunity but may not be able to for several days, plus if anybody has anything further to add regarding any other implications this port change mgiht have, please share
You are ever helpful sir Howver, things are not making sense.
Ok so to take it from the top. So far I have done the following:
Router(config)#ip ssh port 2340 rotary 1
Router(config)#line vty 0 123 (123 = max # of vty lines, my actual # is different)
This of course does not make SSH on port 2340 work from the Internet zone to Self as I have not yet modified the firewall nor done the ip port-map command. It does work from the LAN side to Self since that zone-pair is more forgiving, however, it works on both 22 and 2340 which I thought odd since I thought the ip ssh command changes the SSH server listening port.
I have not yet permanently set the ip port-map command. However I ran it once and then did a sh ip port-map ssh
This showed system defined ssh port maps for tcp and udp on 22, and then my user defined one for tcp port 2340. Interesting that the system-defined ones are both UDP and TCP - I thought SSH was TCP only.
According to the IOS command referendces (for release 15.2), I should not be able to remove the system-defined port map entries as it would give an error. However, I did no ip port-map ssh port tcp 22 and the same for the UDP entry and they disappeared - so now for sh ip port-map ssh I get no results returned. Yet, SSH still works on 22 and 2340.
Be that as it may, after some further testing I've concluded that with or without use of the ip port-map ssh port tcp 2340 entry, SSH works (from LAN to Self) on either port 22 or 2340. It seems ip port-map has no effect on the SSH server itself (?). Or perhaps PAM is overridden by the ip ssh commands?
So at that point I decided to stop testing, not doing anything with firewall yet, until I understand things better. So far, the IOS is very confusing in it's behavior.
Changing the SSH server's listening port via ip ssh command to something other than 22 seems to not actually change anything, it just adds that port in addition to 22.
Port-application mapping appears to have no effect on the SSH server (I have not tested whether ip ssh overrides PAM or vice versa)
So far there seems to be no way to actually change port 22 usage - even "deleting" the PAM entry for ssh via 22 has no effect.
Well, big posts often get little replies I should know better. Anyway, nothing ha changed excep two things:
1. PAM, or port-application mapping, only applies to traffic passing through the router, not TO or FROM the router.
2. This changing of listening ports is not worth the trouble so I stayed iwth port 22, set inbound ACLs and will revisit this subject in a year or two when I have a stronger understanding of the way IOS works (and doesn't work, as time is proving to me). Based on my results shown in my last post, either I don't understand enough about this stuff or the IOS i buggy in this regard.
Are you responsible for risk management, compliance management and auditing of a network?
If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ...
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari...
Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ...
A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se...
How To: Cisco ISE Captive Portals with Aruba Wireless
Authors: Adam Hollifield, Brad Johnson
IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi...