04-26-2011 12:35 AM - edited 03-11-2019 01:25 PM
Hi.
I want the inside of my network to be allowed to do anything and the firewall to open up ports reflexively when the traffic goes out.
If I want to use SSH to an external IP address, I have to put in the following:
ip access-list extended STANDARD_IN_PERMIT
permit tcp any eq 22 any
Without this it won't work; below is part of my running config:
class-map type inspect match-any STANDARD
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
match protocol ssh
ip access-list extended STANDARD_IN_PERMIT
permit tcp any host 192.168.98.63 eq www
permit tcp any host 192.168.98.63 eq 443
permit tcp any host 192.168.98.53 eq www
permit tcp any host 192.168.98.53 eq 666
permit tcp any host 192.168.98.52 eq 22
permit tcp any host 192.168.98.52 eq smtp
permit tcp any host 192.168.98.52 eq www
permit tcp any host 192.168.98.52 eq 143
permit tcp any host 192.168.98.52 eq 10000
permit tcp any host 192.168.98.52 eq 20000
permit tcp any host 192.168.98.61 eq 22
permit tcp any host 192.168.98.61 eq www
permit tcp any host 192.168.98.61 eq domain
permit tcp any host 192.168.98.61 eq 10000
permit tcp any host 192.168.98.2 eq 443
permit tcp any host 192.168.98.2 eq 987
permit tcp any host 192.168.98.2 eq smtp
permit tcp any host 192.168.98.50 eq 9101
permit tcp any host 192.168.98.50 eq 9102
permit tcp any host 192.168.98.50 eq 9103
permit tcp any host 10.10.20.10 eq 443
permit tcp any host 10.10.20.10 eq 587
permit tcp any host 10.10.20.10 eq smtp
permit udp any host 10.10.20.10 eq 443
permit udp any host 10.10.20.10 eq 25
permit tcp any host 192.168.98.146 eq 873
permit tcp any host 192.168.98.210 eq 587
permit tcp any host 192.168.98.210 eq smtp
permit tcp any host 192.168.98.210 eq www
ip access-list extended STANDARD_OUT_PERMIT
permit ip any any
policy-map type inspect STANDARD
class type inspect STANDARD
inspect
class type inspect STANDARD_OUT_PERMIT
pass
class class-default
drop
policy-map type inspect STANDARD_IN
class type inspect STANDARD_IN_PERMIT
pass
class class-default
drop
zone security WAN_ZONE
zone security VLAN1_ZONE
zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
service-policy type inspect STANDARD_IN
zone-pair security VLAN1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect STANDARD
04-26-2011 02:20 AM
The action for class-map "STANDARD_OUT_PERMIT" should be "inspect" not "pass".
Pass will only allow traffic to pass in 1 direction.
Inspect will inspect the traffic in one direction and allow the return traffic from the same session to pass through.
04-26-2011 05:11 PM
Same goes for the "STANDARD_IN_PERMIT" class-map: the action should also be "inspect" instead of "pass", as pass will only allow it in one direction, not the return traffic.
04-26-2011 02:55 AM
What does
class-map type inspect match-any STANDARD
match protocol ssh
do, then?
I thought this was for outgoing traffic, to open up a path back to the host.
04-26-2011 05:17 AM
Actually, yes, you are right. But why do you create 2 class-maps? In any case, the second class-map should really have the action "inspect" anyway, not "pass".
04-26-2011 05:32 AM
I created the second class-map because the first does not have the options to match all the protocols that I want to, for example Remote Desktop Protocol on port 3389. Either way, the traffic is supposed to use the first class-map and match on protocol ssh, which then should allow the packet and open a path back to the host; why is this not accomplished?
Regards Tommy Svensson
04-26-2011 05:39 AM
When did you add the "match protocol ssh"? Did you add it after you tried to pass the SSH traffic through? It could have matched the second class-map first, hence it's not working.
We need to troubleshoot this further; without any data, I won't be able to tell you why it's not matching the first class-map.
Can you clear all the connections and see if it matches the SSH class-map?
Also check the output of "show policy-map type inspect zone-pair" and "show policy-map type inspect zone session".
04-26-2011 07:29 AM
Hello again. Your tip is working fine, with just one issue.
When I change
class type inspect STANDARD_OUT_PERMIT
pass
to
class type inspect STANDARD_OUT_PERMIT
inspect
the site on
ip nat inside source static tcp 192.168.98.53 80 212.181.79.196 80 extendable
stops working. It cannot be accessed externally any more. One other thing is that remote desktop into the network isn't working either with this setup. Everything else works well as of now, so it's just these issues.
Regards Tommy Svensson
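Putting the replies together, below is the poster's zone-based firewall policy with both directions changed from "pass" to "inspect". This is an added example, not the poster's or the responders' configuration. It assumes that STANDARD_IN_PERMIT and STANDARD_OUT_PERMIT are ACL-based match-all class-maps (the class-map statements for them are not in the posted running-config excerpt), keeps the host addresses used in the thread, and uses 192.168.98.X as a placeholder for the RDP host, which the thread never identifies.

```cisco
! Added example: the thread's policy with "inspect" in both directions.
! Assumptions: ACL-based class-maps are defined as shown below (not in the
! posted excerpt); 192.168.98.X is a placeholder for the RDP server.

! ---------- Outbound: VLAN1_ZONE -> WAN_ZONE ----------
! Protocol-aware inspection for the application protocols IOS understands.
class-map type inspect match-any STANDARD
 match protocol http
 match protocol https
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
 match protocol ssh

! Catch-all for anything else the inside may initiate (covers RDP/3389
! outbound, which has no "match protocol" keyword).
ip access-list extended STANDARD_OUT_PERMIT
 permit ip any any
class-map type inspect match-all STANDARD_OUT_PERMIT
 match access-group name STANDARD_OUT_PERMIT

policy-map type inspect STANDARD
 class type inspect STANDARD
  inspect
 class type inspect STANDARD_OUT_PERMIT
  ! was "pass": pass is stateless, so replies to these sessions were dropped
  inspect
 class class-default
  drop

! ---------- Inbound: WAN_ZONE -> VLAN1_ZONE ----------
! Only the published services. ZBF classifies inbound traffic on the inside
! (post-NAT) address, so the ACL lists the real server IPs, as the original
! config does. The stateless hole "permit tcp any eq 22 any" is no longer
! needed once outbound SSH is inspected, and should be removed.
ip access-list extended STANDARD_IN_PERMIT
 permit tcp any host 192.168.98.63 eq www
 permit tcp any host 192.168.98.63 eq 443
 permit tcp any host 192.168.98.53 eq www
 permit tcp any host 192.168.98.52 eq 22
 permit tcp any host 192.168.98.52 eq smtp
 ! ... remaining permit lines from the original ACL, unchanged ...
 ! placeholder host for inbound Remote Desktop (not given in the thread)
 permit tcp any host 192.168.98.X eq 3389
class-map type inspect match-all STANDARD_IN_PERMIT
 match access-group name STANDARD_IN_PERMIT

policy-map type inspect STANDARD_IN
 class type inspect STANDARD_IN_PERMIT
  ! was "pass": inspect creates a session entry, so the server's replies are
  ! matched to it instead of being evaluated by the outbound policy
  inspect
 class class-default
  drop

zone security WAN_ZONE
zone security VLAN1_ZONE
zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
 service-policy type inspect STANDARD_IN
zone-pair security VLAN1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
 service-policy type inspect STANDARD

! Confirm that sessions are being created in each direction:
! show policy-map type inspect zone-pair VLAN1_TO_WAN sessions
! show policy-map type inspect zone-pair WAN_TO_VLAN1 sessions
```

Why the static-NAT web site broke halfway through the change: with the inbound class still on "pass", a connection from the WAN to 192.168.98.53:80 created no session entry, so the server's reply was evaluated by the outbound VLAN1_TO_WAN policy. Under the old outbound "pass" that reply was simply let through; under outbound "inspect" a reply packet with no matching session is dropped. Changing the inbound class to "inspect" as well, as the last reply says, makes the return traffic part of the inbound session and keeps the outbound policy out of the picture.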