02-10-2012 05:27 AM - edited 03-11-2019 03:27 PM
Hi
I have set up a zone-based firewall, NATed an internal SSH server on port 2222, and configured class-maps and policy-maps for the out-zone to the in-zone. Wireshark on the SSH server is showing traffic getting through, but no return traffic is making it back through the firewall to the client. I've slowly been adding more bits to the class-maps, which has had no effect, so the config is likely to be a little messy. If anyone can see why this isn't working, I'd appreciate the help.
Thanks
Cammy
Building configuration...
Current configuration : 13357 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871w
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2934918463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2934918463
revocation-check none
rsakeypair TP-self-signed-2934918463
!
!
crypto pki certificate chain TP-self-signed-2934918463
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393334 39313834 3633301E 170D3039 30313330 31323131
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39333439
31383436 3330819F 300D0609 2A864886 65ABF121 01050003 818D0030 81890281
8100A905 A0A4BE89 C492B44E 9354BDD4 259127F7 4BE1ECEC F808AC30 25660BB2
E16C89AF C8DCFE53 AC441139 58D703A2 E6890890 F39337F7 968941FE E422C89F
7AE82BC7 53BC88C0 D6BE3271 E92AF382 52EF5768 E9D35FFB 6CAAE50F CA03E823
DADD5928 5003E4DA 5BCC3A3B 1A6C6C63 9029A9BB E8E5007C 3DAECD80 30ECEB08
4D0B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
551D1104 08300682 04383731 77301F06 03551D23 04183016 8014CAEC 27AE1F12
F6AE0E41 B83B5FE1 C94905B7 1227301D 0603551D 0E041604 14CAEC27 AE1F12F6
AE0E41B8 3B5FE1C9 4905B712 27300D06 092A8648 86F70D01 01040500 03818100
1874906D 56D675FE 493172DF 8C4C2BD8 B70543FA 18F80343 E676C6C3 AC9EEFEE
E6EFA236 C6E4ECC1 CD42D0F6 7AA023FB 8BDA6599 9FA4269C D3E7797A A70E7F0C
F60DFA07 F07FBF02 E8E19F90 54F6CFDA 593E8A61 005E0342 FC30791B D54AA103
99DE7CB7 53652037 1976C36B D456136C 2A35365F 30E6D0B2 6AEDC909 885DD2BE
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.50.1
!
ip dhcp pool 192.168.50.0/24
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 192.168.1.100 4.2.2.2
!
!
ip cef
ip domain name admin.local
ip name-server 192.168.1.100
ip name-server 4.2.2.2
ip port-map user-ssh2222 port tcp 2222 description ssh2222
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
!
username admin privilege 15 secret <removed>
!
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any AllowInbound
description externally visible ports
match protocol user-ssh2222
match protocol ssh
match access-group name internalservers
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect pol-out-to-in
class type inspect AllowInbound
pass
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-out-to-in source out-zone destination in-zone
description traffic from outside to inside
service-policy type inspect pol-out-to-in
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 192.168.1.120 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.100 permanent
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 192.168.50.2 2222 interface FastEthernet4 2222
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.50.5 22 interface FastEthernet4 22
!
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended internalservers
remark inbound traffic to servers
permit ip any host 192.168.50.2
permit ip any host 192.168.50.5
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login authentication local_authen
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
02-10-2012 09:22 AM
Hello Cammy,
Please change the following and give it a try:
policy-map type inspect pol-out-to-in
class type inspect AllowInbound
no pass
inspect
Regards,
Julio
Rate all helpful posts!!
02-12-2012 02:36 AM
Hi Julio
Thanks. I had deleted and remade a new config from scratch and it started working. I wasn't 100% sure why until I read your reply.
So, is it the case that "inspect" keeps the port open for returning traffic, but "pass" just lets it through?
Many thanks
Cammy
02-12-2012 05:44 PM
Hello Cammy,
That is correct; that is what you had to do.
If you have a pass rule, you also need to have one for the returning traffic on the other zone.
Please mark the question as answered so future users can learn from your posts.
Regards,
Julio
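The thread's root cause (a stateless "pass" on the out-zone to in-zone pair with nothing admitting the replies on the in-zone to out-zone pair) is easy to spot mechanically. The following script is an added example, not code from the thread or from Cisco: it parses the policy-map and zone-pair stanzas of an IOS zone-based firewall config, flags every class that uses "pass" when the reverse zone-pair has no "pass" at all, and rewrites the flagged class to "inspect" the way Julio's "no pass / inspect" change does. The config excerpt embedded below is constructed to mirror the posted config, and the check is a heuristic: it does not evaluate ACLs, so a reverse pass for unrelated traffic would still silence it.

```python
"""Lint a Cisco IOS zone-based firewall config for one-way 'pass' actions.

Added example, not from the thread. 'pass' forwards packets statelessly, so
replies need their own rule on the reverse zone-pair; 'inspect' builds a
session and admits the return traffic itself.
"""
import re

# Constructed excerpt modelled on the thread's config (not the full dump).
SAMPLE_CONFIG = """\
policy-map type inspect pol-out-to-in
 class type inspect AllowInbound
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security zp-out-to-in source out-zone destination in-zone
 description traffic from outside to inside
 service-policy type inspect pol-out-to-in
"""

# The optional middle token covers L7 policies such as "policy-map type inspect http NAME".
POLICY_RE = re.compile(r"policy-map type inspect (?:\S+ )?(\S+)$")
CLASS_RE = re.compile(r"class (?:class-default|type inspect (?:\S+ )?(\S+))$")
PAIR_RE = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")
ATTACH_RE = re.compile(r"service-policy type inspect (\S+)")
ACTION_RE = re.compile(r"(pass|inspect|drop)\b")
TOP_LEVEL = ("!", "class-map ", "interface ", "zone security ", "ip ")


def parse_zbf(config_text):
    """Return ({policy: {class: action}}, [zone-pair dicts]).

    Indentation is not relied on, because pasted configs often lose it.
    """
    policies, pairs = {}, []
    cur_policy = cur_class = cur_pair = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(TOP_LEVEL):
            cur_policy = cur_class = cur_pair = None
            continue
        if m := POLICY_RE.match(line):
            cur_policy, cur_class, cur_pair = m.group(1), None, None
            policies.setdefault(cur_policy, {})
        elif m := PAIR_RE.match(line):
            cur_pair = {"name": m.group(1), "source": m.group(2),
                        "destination": m.group(3), "policy": None}
            pairs.append(cur_pair)
            cur_policy = cur_class = None
        elif (m := ATTACH_RE.match(line)) and cur_pair is not None:
            cur_pair["policy"] = m.group(1)
        elif cur_policy is not None:
            if m := CLASS_RE.match(line):
                cur_class = m.group(1) or "class-default"
            elif (m := ACTION_RE.match(line)) and cur_class is not None:
                policies[cur_policy][cur_class] = m.group(1)
    return policies, pairs


def find_one_way_pass(config_text):
    """Return [(zone_pair, class, policy)] for every 'pass' whose reverse
    zone-pair (destination -> source) carries no 'pass' at all."""
    policies, pairs = parse_zbf(config_text)
    by_dir = {(p["source"], p["destination"]): p for p in pairs}
    findings = []
    for p in pairs:
        for cls, action in policies.get(p["policy"], {}).items():
            if action != "pass":
                continue
            rev = by_dir.get((p["destination"], p["source"]))
            rev_actions = policies.get(rev["policy"], {}) if rev else {}
            if "pass" not in rev_actions.values():
                findings.append((p["name"], cls, p["policy"]))
    return findings


def apply_fix(config_text, findings):
    """Return the config with 'pass' replaced by 'inspect' in each flagged
    class, i.e. the 'no pass' / 'inspect' change suggested in the thread."""
    targets = {(policy, cls) for _, cls, policy in findings}
    out, cur_policy, cur_class = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            cur_policy, cur_class = m.group(1), None
        elif cur_policy is not None:
            if m := CLASS_RE.match(line):
                cur_class = m.group(1) or "class-default"
            elif line == "pass" and (cur_policy, cur_class) in targets:
                raw = raw.replace("pass", "inspect")  # keep original indent
        if line.startswith(TOP_LEVEL):
            cur_policy = cur_class = None
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = find_one_way_pass(SAMPLE_CONFIG)
    for pair, cls, policy in found:
        print(f"{pair}: class {cls} in {policy} uses 'pass' with no reverse "
              f"pass; return traffic will be dropped")
    print(apply_fix(SAMPLE_CONFIG, found))
```

Run against the constructed excerpt it reports the AllowInbound class on zp-out-to-in, and the rewritten config produces no findings; feeding it a full "show running-config" works the same way since the parser resets its context on "!" and on the top-level keywords listed in TOP_LEVEL.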