12-04-2012 02:28 PM - edited 03-11-2019 05:32 PM
Well I thought I had zone-based firewall figured out for using SSH to manage routers, but apparently not
Put simply, when I try to SSH from one router to another, my SSH session gets through the firewall but cannot come back, due to the firewall.
I have this configured on a live production Internet gateway router as well as a pair of routers in a lab, the results are the same in all cases.
The details:
Two zones here - self zone and the outside zone. Outside zone is bound to the WAN interface.
Zone pairs are - SELF-OUT and OUT-SELF.
Relevant class maps are as follows:
Class Map type inspect match-all SSH-FROM-ROUTER (id 4)
Match protocol ssh
Match access-group name SSH-FROM-ROUTER
Class Map type inspect match-all SSH-TO-ROUTER (id 3)
Match protocol ssh
Match access-group name SSH-TO-ROUTER
FYI, I am only using those two class maps, one per zone-pair direction. There are no other class maps in use for out to self or self to out.
The ip access lists (named the same as my class maps for ease of reference during a long sh run) are as follows:
Extended IP access list SSH-TO-ROUTER
10 permit tcp xx.xx.0.0 0.255.255.255 any eq 22
11 permit tcp xx.xx.0.0 0.7.255.255 any eq 22
12 permit tcp xx.xx.0.0 0.255.255.255 any eq 22
20 permit tcp host <ip address> any eq 22
21 permit tcp host <ip address> any eq 22
22 permit tcp host <ip address> any eq 22
23 permit tcp host <ip address> any eq 22
24 permit tcp host <ip address> any eq 22
40 deny tcp any any eq 22
SSH-TO-ROUTER has no trouble, SSH passes through it.
Here is the ip access-list coming from self to out:
Extended IP access list SSH-FROM-ROUTER
9 permit ip any any
10 permit tcp any any
I added the "9 permit" entry just for testing so by default all I had was the "10 permit" entry.
Just for reference, here are the policy maps:
Router#sh policy-map type inspect
Policy Map type inspect OUT-SELF
Class SSH-TO-ROUTER
Pass log
Class class-default
Drop log
Policy Map type inspect SELF-OUT
Class SSH-FROM-ROUTER
Pass log
Class class-default
Drop log
The result when I try to SSH from a router with no firewall, to this router, is as follows:
000089: *Dec 4 2012 18:14:28.337 PCTime: %FW-6-PASS_PKT: (target:class)-(OUT-SELF:SSH-TO-ROUTER) Passing ssh pkt <ip address>:28130 => <ip address>:22 with ip ident 0
000090: *Dec 4 2012 18:14:28.337 PCTime: %FW-6-DROP_PKT: Dropping tcp session <ip address>:22 <ip address>:28130 on zone-pair SELF-OUT class class-default due to DROP action found in policy-map with ip ident 0
Router#
So from what little I understand of zone firewall so far, I do know that the reason class-default is dropping the packet is apparently because the packet is not matching all of the criteria specified in the SSH-FROM-ROUTER class map which is bound to the SELF-OUT policy map.
Update: As I write this post, I tried changing the class map SSH-FROM-ROUTER to be a match-any instead of match-all. SSH then worked. I changed it back to match-all, and it again stopped working.
My guess is that it is matching protocol ssh in the match-any thing, which if so means my access-list is invalid? Can permit ip any any plus a permit tcp any any for good measure not be something that the packet would match? I'm totally lost on that one.
Can anybody help?
12-05-2012 12:37 AM
Hi,
It's not matching the match protocol ssh because ssh traffic is tcp traffic destined to port 22.
just change your zbf config like this:
-leave only only zone-pair OUT-SELF
-change this
Policy Map type inspect OUT-SELF
Class SSH-TO-ROUTER
Pass log -----> inspect
Class class-default
Drop log
-delete the policy-maps and class-maps for the self-to-out policy
Regards.
Alain
Don't forget to rate helpful posts.
12-05-2012 07:05 AM
He we meet again
By the way, is your first name cadet, or are you say a cadet in the air force or something? Usually Alain is a first name which is why I ask. Just want to be able to address you correctly or if you prefer the full cadet alain, no problem.
I have questions and concerns over your reply.
First, the questions:
I thought you could not have application inspection (Inspect) when involving the self zone? Or was that only with self as the initiator of a packet or something? I recall having to deal with this with Cisco TAC security team more than once, and the only working solution had been to have pass (or pass log).
But let's say OUT-SELF uses inspect - ok. But if I remove SELF-OUT, thus leaving the door wide open for anything to be sent from the router, will the router send anything out that would be considered a security breach? I have no cdp run set, and there are no routing protocols enabled since this is a lone gateway router, but is there anything else?
Thanks!
12-05-2012 11:34 AM
Hi,
in fact in the region I'm living you always begin with last name then first name, so you can call me Alain.
So for inspect and self zone, I've done it several times and I don't remember there were any caveat.
anything not ssh will meet class-default which has a drop log, so you won't have any other access to the router. Now of course traffic from self to out will be permitted, but I don't think this would cause a big problem because the biggest threat is from out to self, not from self to out (at least that's my opinion).
Regards.
Alain
Don't forget to rate helpful posts.
12-05-2012 11:48 AM
I suppose the only concern I really had with removing SELF-OUT was if the router automatically sends anything outbound, like a route update for lack of a better example (though again I'm not using routing protocols, and if I were I'd set passive-interface on the int anyway).
Alright well I'll set OUT-SELF to inspect and remove SELF-OUT and see how things go. I'll post back and mark answer correct etc. once I've done that.
12-05-2012 11:56 AM
well no luck, here's what I get when I edit the policy map for OUT-SELF to change from pass log to inspect:
Router(config-pmap-c)#inspect
%Protocol configured in class-map SSH-TO-ROUTER cannot be configured for the self zone with inspect action. Please remove the protocol and retry
It had been a while since I'd seen the error or I'd have mentioned it earlier. So, the only solution I guess is to remove the match protocol ssh line from the class map, leaving only the ACL granting specific IP/IP ranges access via eq 22?
12-06-2012 01:27 AM
Hi,
yep, in that case this is the easiest solution, but really I didn't remember this fact.
Regards.
Alain
Don't forget to rate helpful posts.
12-10-2012 09:17 PM
Yep, this seems to be the only working solution, to remove match protocol ssh and use only an ACL to allow certain IP's to port 22 on the router, from the Internet.
Thanks Alain!
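The configuration the thread converges on, written out as an added example (it is not the original poster's or Alain's own config): a single OUT-SELF zone-pair, an ACL-only class-map and the inspect action. The addresses, the zone name OUTSIDE and the interface name are placeholders.

```cisco
! Added example, not the thread's configuration. Addresses are placeholders.
! Management sources allowed to reach the router on TCP/22; everything else
! to port 22 is explicitly denied, as in the thread's SSH-TO-ROUTER list.
ip access-list extended SSH-TO-ROUTER
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.10 any eq 22
 deny   tcp any any eq 22
!
! Only the ACL match remains. Adding "match protocol ssh" here makes IOS
! reject the inspect action for the self zone (the error quoted above).
class-map type inspect match-all SSH-TO-ROUTER
 match access-group name SSH-TO-ROUTER
!
! inspect, unlike pass, keeps session state, so the router's SSH replies
! return to the client without a separate SELF-OUT policy.
policy-map type inspect OUT-SELF
 class type inspect SSH-TO-ROUTER
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Only the OUT-SELF pair exists. With no SELF-OUT pair, traffic the router
! itself originates towards OUTSIDE is allowed by default (the trade-off
! discussed in the thread); anything from OUTSIDE to the router other than
! the permitted SSH hits class-default and is dropped and logged.
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-SELF
```

Verify with "show policy-map type inspect zone-pair OUT-SELF sessions": an established management SSH session appears there, which is what the pass action never produced.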