IOS Zone firewall (ZFW) & changing SSH listening port

cluovpemb
Level 1

I'll have to check into the details again, but I recall there being a way to change the listening port for SSH. Not only do you have to configure SSH itself to listen on a new port, but I think there was something about making the inbound interface part of a rotary group or something.

Anyway, my question is more about how the zone firewall reacts to this. If I have inspect set for SSH (or pass) and yet change the default port for it, does the IOS still know to take the configured action on the protocol? I'll try to test this myself once I have an opportunity but may not be able to for several days; plus, if anybody has anything further to add regarding any other implications this port change might have, please share.

Thanks! 

3 Replies

Julio Carvajal
VIP Alumni

Hello Colin,

In order to use this kind of scenario on the ZBFW you will need to let the ZBFW know that a connection to a particular port needs to be inspected as "X" protocol (just what you explained already).

Now how to make it happen:

In our scenario we will receive traffic over port TCP 2340 for SSH, and we would like to inspect it as SSH:

ip port-map ssh port tcp 2340

So then just create a class-map (matching traffic to that TCP port) and, inside the policy-map that references that class-map, apply the inspect action.

Hope I could help,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

You are ever helpful, sir. However, things are not making sense.

Ok so to take it from the top. So far I have done the following:

Router(config)#ip ssh port 2340 rotary 1

Then:

Router(config)#line vty 0 123 (123 = max # of vty lines, my actual # is different)

Router(config-line)#rotary 1

This of course does not make SSH on port 2340 work from the Internet zone to Self, as I have not yet modified the firewall nor done the ip port-map command. It does work from the LAN side to Self since that zone-pair is more forgiving; however, it works on both 22 and 2340, which I thought odd since I thought the ip ssh command changes the SSH server listening port.

I have not yet permanently set the ip port-map command. However I ran it once and then did a sh ip port-map ssh

This showed system defined ssh port maps for tcp and udp on 22, and then my user defined one for tcp port 2340. Interesting that the system-defined ones are both UDP and TCP - I thought SSH was TCP only.

According to the IOS command references (for release 15.2), I should not be able to remove the system-defined port map entries, as it would give an error. However, I did no ip port-map ssh port tcp 22 and the same for the UDP entry, and they disappeared - so now for sh ip port-map ssh I get no results returned. Yet SSH still works on 22 and 2340.

Be that as it may, after some further testing I've concluded that with or without use of the ip port-map ssh port tcp 2340 entry, SSH works (from LAN to Self) on either port 22 or 2340. It seems ip port-map has no effect on the SSH server itself (?). Or perhaps PAM is overridden by the ip ssh commands?

So at that point I decided to stop testing, not doing anything with the firewall yet, until I understand things better. So far, the IOS is very confusing in its behavior.

  1. Changing the SSH server's listening port via ip ssh command to something other than 22 seems to not actually change anything, it just adds that port in addition to 22.
  2. Port-application mapping appears to have no effect on the SSH server (I have not tested whether ip ssh overrides PAM or vice versa)
  3. So far there seems to be no way to actually change port 22 usage - even "deleting" the PAM entry for ssh via 22 has no effect.

Confusing!
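To put the pieces from the two posts above side by side, here is an added example configuration (not from the thread or from Cisco documentation) that ties the ip ssh port / rotary commands to a ZBFW policy. The zone names INSIDE and OUTSIDE, the interface names, the ACL and class-map names, the vty range 0-4 and the trusted management subnet 203.0.113.0/24 are assumptions; port 2340 is the port used in the thread. Because the thread's own finding is that PAM applies to traffic passing through the router, the policy for traffic to the router (the self zone) matches tcp/2340 explicitly with an ACL instead of relying on the port-map.

```cisco
! Added example, not the original poster's configuration.
! Assumed names: zones INSIDE/OUTSIDE, Gi0/0 = outside, Gi0/1 = inside,
! management subnet 203.0.113.0/24. Port 2340 comes from the thread.
!
! 1. SSH server on the alternate port for vty lines in rotary group 1
ip ssh port 2340 rotary 1
line vty 0 4
 rotary 1
 transport input ssh
!
! 2. PAM entry so that "match protocol ssh" also recognises tcp/2340
!    for traffic passing THROUGH the router
ip port-map ssh port tcp 2340
!
! 3. Through traffic INSIDE -> OUTSIDE: inspect SSH (22, and 2340 via PAM)
class-map type inspect match-any CM-IN-OUT
 match protocol ssh
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
!
! 4. Traffic TO the router (self zone): match the alternate port by ACL,
!    limited to the assumed management subnet, rather than via PAM
ip access-list extended ACL-MGMT-SSH-ALT
 permit tcp 203.0.113.0 0.0.0.255 any eq 2340
class-map type inspect match-all CM-OUT-SELF-SSH
 match access-group name ACL-MGMT-SSH-ALT
policy-map type inspect PM-OUT-SELF
 class type inspect CM-OUT-SELF-SSH
  inspect
 class class-default
  drop log
!
! 5. Zones, zone-pairs and interface membership
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

After applying it, `show ip port-map ssh` lists the user-defined tcp/2340 entry next to the system-defined ones, and `show policy-map type inspect zone-pair OUT-SELF sessions` shows whether an SSH session to the router on port 2340 from the trusted subnet was actually inspected; an attempt from outside that subnet should fall into class-default and be dropped and logged.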

Well, big posts often get little replies; I should know better. Anyway, nothing has changed except two things:

1.  PAM, or port-application mapping, only applies to traffic passing through the router, not TO or FROM the router. 

2.  This changing of listening ports is not worth the trouble, so I stayed with port 22, set inbound ACLs and will revisit this subject in a year or two when I have a stronger understanding of the way IOS works (and doesn't work, as time is proving to me). Based on my results shown in my last post, either I don't understand enough about this stuff or the IOS is buggy in this regard.

So, until next time
