SSH session initiation: IOS firewall blocking return traffic

Well I thought I had zone-based firewall figured out for using SSH to manage routers, but apparently not

Put simply, when I try to SSH from one router to another, my SSH session gets through the firewall but cannot come back, due to the firewall.

I have this configured on a live production Internet gateway router as well as a pair of routers in a lab, the results are the same in all cases. 

The details:

Two zones here - self zone and the outside zone.  Outside zone is bound to the WAN interface. 

Zone pairs are - SELF-OUT and OUT-SELF. 

Relevant class maps are as follows:

Class Map type inspect match-all SSH-FROM-ROUTER (id 4)
   Match protocol  ssh
   Match access-group name  SSH-FROM-ROUTER

Class Map type inspect match-all SSH-TO-ROUTER (id 3)
   Match protocol  ssh
   Match access-group name  SSH-TO-ROUTER

FYI, I am only using those two class maps, one per zone-pair direction.  There are no other class maps in use for out to self or self to out. 

The ip access lists (named the same as my class maps for ease of reference during a long sh run) are as follows:

Extended IP access list SSH-TO-ROUTER
    10 permit tcp xx.xx.0.0 any eq 22
    11 permit tcp xx.xx.0.0 any eq 22
    12 permit tcp xx.xx.0.0 any eq 22
    20 permit tcp host <ip address> any eq 22
    21 permit tcp host <ip address> any eq 22
    22 permit tcp host <ip address> any eq 22
    23 permit tcp host <ip address> any eq 22
    24 permit tcp host <ip address> any eq 22
    40 deny tcp any any eq 22

SSH-TO-ROUTER has no trouble, SSH passes through it. 

Here is the ip access-list coming from self to out:

Extended IP access list SSH-FROM-ROUTER
    9 permit ip any any
    10 permit tcp any any

I added the "9 permit" entry just for testing so by default all I had was the "10 permit" entry. 

Just for reference, here are the policy maps:

Router#sh policy-map type inspect
  Policy Map type inspect OUT-SELF
      Pass log
    Class class-default
      Drop log

  Policy Map type inspect SELF-OUT
      Pass log
    Class class-default
      Drop log

The result when I try to SSH from a router with no firewall, to this router, is as follows:

000089: *Dec  4 2012 18:14:28.337 PCTime: %FW-6-PASS_PKT: (target:class)-(OUT-SELF:SSH-TO-ROUTER) Passing ssh pkt <ip address>:28130 => <ip address>:22 with ip ident 0

000090: *Dec  4 2012 18:14:28.337 PCTime: %FW-6-DROP_PKT: Dropping tcp session <ip address>:22 <ip address>:28130 on zone-pair SELF-OUT class class-default due to  DROP action found in policy-map with ip ident 0


So from what little I understand of zone firewall so far, I do know that the reason class-default is dropping the packet is apparently because the packet is not matching all of the criteria specified in the SSH-FROM-ROUTER class map which is bound to the SELF-OUT policy map. 

Update:  As I write this post, I tried changing the class map SSH-FROM-ROUTER to be a match-any instead of match-all.  SSH then worked.  I changed it back to match-all, and it again stopped working. 

My guess is that it is matching protocol ssh in the match-any thing, which if so means my access-list is invalid?  Can permit ip any any plus a permit tcp any any for good measure not be something that the packet would match?  I'm totally lost on that one. 

Can anybody help? 

cadet alain


It's not matching the match protocol ssh because ssh traffic is tcp traffic destined to port 22.

just change your zbf config like this:

-leave only zone-pair OUT-SELF

-change this

Policy Map type inspect OUT-SELF
      Pass log -----> inspect
    Class class-default
      Drop log

-delete the policy-maps and class-maps for the self-to-out policy



Don't forget to rate helpful posts.

Hey, we meet again

By the way, is your first name cadet, or are you say a cadet in the air force or something?  Usually Alain is a first name which is why I ask.  Just want to be able to address you correctly or if you prefer the full cadet alain, no problem. 

I have questions and concerns over your reply. 

First, the questions:

I thought you could not have application inspection (Inspect) when involving the self zone?  Or was that only with self as the initiator of a packet or something?  I recall having to deal with this with Cisco TAC security team more than once, and the only working solution had been to have pass (or pass log). 

But let's say OUT-SELF uses inspect - ok.  But if I remove SELF-OUT thus leaving the door wide open for anything to be sent from the router, will the router send anything out that would be considered a security breach?  I have no cdp run set, and there are no routing protocols enabled since this is a lone gateway router but is there anything else? 



in fact in the region I'm living you always begin with last name then first name, so you can call me Alain.

So for inspect and self zone, I've done it several times and I don't remember there being any caveat.

anything not ssh will meet class-default which has a drop log so you won't have any other access to the router, now of course traffic from self to out will be permitted but I don't think this would cause a big problem because the biggest threat is from out to self not from self to out( at least that's my opinion)



I suppose the only concern I really had with removing SELF-OUT was if the router automatically sends anything outbound, like a route update for lack of a better example (though again I'm not using routing protocols and if I were I'd set passive-interface on the int anyway)

Alright well I'll set OUT-SELF to inspect and remove SELF-OUT and see how things go.  I'll post back and mark answer correct etc. once I've done that. 

well no luck, here's what I get when I edit the policy map for OUT-SELF to change from pass log to inspect:


%Protocol configured in class-map SSH-TO-ROUTER cannot be configured for the self zone with inspect action. Please remove the protocol and retry

It had been a while since I'd seen the error or I'd have mentioned it earlier.  So, the only solution I guess is to remove the match protocol ssh line from the class map, leaving only the ACL granting specific IP/IP ranges access via eq 22? 


Yep, in that case this is the easiest solution, but really I had no recollection of this fact.



Yep, this seems to be the only working solution, to remove match protocol ssh and use only an ACL to allow certain IPs to port 22 on the router, from the Internet. 

Thanks Alain! 
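The configuration the thread converges on (ACL-only class map, inspect on OUT-SELF, no SELF-OUT zone pair), written out as an added example rather than the poster's own running config; the interface name and the 203.0.113.0/24 management prefix are placeholders chosen for illustration.

```cisco
! Added example: zone-based firewall allowing SSH to the router only
! from a trusted management prefix. 203.0.113.0/24 and Gi0/0 are
! placeholders, not values from the thread.
ip access-list extended SSH-TO-ROUTER
 ! Only the management prefix matches; any other source to TCP/22
 ! hits the deny, so it does not match the class and falls to
 ! class-default, which drops and logs it.
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 deny   tcp any any eq 22
!
! No "match protocol ssh" here: IOS refuses an application protocol
! match in a class bound to the self zone with the inspect action
! (the %Protocol configured in class-map ... error from the thread).
class-map type inspect match-all SSH-TO-ROUTER
 match access-group name SSH-TO-ROUTER
!
policy-map type inspect OUT-SELF
 class type inspect SSH-TO-ROUTER
  ! inspect (stateful) instead of pass (stateless): the SYN/ACK
  ! replies from port 22 are allowed by the session table, so no
  ! SELF-OUT policy is needed for the return traffic.
  inspect
 class class-default
  drop log
!
zone security outside
!
interface GigabitEthernet0/0
 zone-member security outside
!
! Only the out-to-self direction is policed. With no SELF-OUT zone
! pair, traffic the router originates is not subject to any policy.
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUT-SELF
```

One caveat for sessions the router itself initiates (its own outbound SSH, NTP, and the like): their replies arrive on OUT-SELF and land in class-default unless they are matched by an inspected class there or by a SELF-OUT pair that inspects the outbound leg.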
