traffic getting in but not back out

Cameron Webster
Level 1

Hi

I have set up a zone-based firewall, NATed an internal SSH server on port 2222 and configured class-maps and policy-maps for the out-zone to the in-zone. Wireshark on the SSH server is showing traffic getting through, but no return traffic is making it back through the firewall to the client. I've slowly been adding more bits to the class-maps, which has had no effect, so the config is likely to be a little messy. If anyone can see why this isn't working, I'd appreciate the help.

Thanks

Cammy


Building configuration...

Current configuration : 13357 bytes
!
version 12.4
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871w
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret <removed>
!
aaa new-model
!
!
aaa authentication login local_authen local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2934918463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2934918463
revocation-check none
rsakeypair TP-self-signed-2934918463
!
!
crypto pki certificate chain TP-self-signed-2934918463
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393334 39313834 3633301E 170D3039 30313330 31323131
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39333439
  31383436 3330819F 300D0609 2A864886 65ABF121 01050003 818D0030 81890281
  8100A905 A0A4BE89 C492B44E 9354BDD4 259127F7 4BE1ECEC F808AC30 25660BB2
  E16C89AF C8DCFE53 AC441139 58D703A2 E6890890 F39337F7 968941FE E422C89F
  7AE82BC7 53BC88C0 D6BE3271 E92AF382 52EF5768 E9D35FFB 6CAAE50F CA03E823
  DADD5928 5003E4DA 5BCC3A3B 1A6C6C63 9029A9BB E8E5007C 3DAECD80 30ECEB08
  4D0B0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
  551D1104 08300682 04383731 77301F06 03551D23 04183016 8014CAEC 27AE1F12
  F6AE0E41 B83B5FE1 C94905B7 1227301D 0603551D 0E041604 14CAEC27 AE1F12F6
  AE0E41B8 3B5FE1C9 4905B712 27300D06 092A8648 86F70D01 01040500 03818100
  1874906D 56D675FE 493172DF 8C4C2BD8 B70543FA 18F80343 E676C6C3 AC9EEFEE
  E6EFA236 C6E4ECC1 CD42D0F6 7AA023FB 8BDA6599 9FA4269C D3E7797A A70E7F0C
  F60DFA07 F07FBF02 E8E19F90 54F6CFDA 593E8A61 005E0342 FC30791B D54AA103
  99DE7CB7 53652037 1976C36B D456136C 2A35365F 30E6D0B2 6AEDC909 885DD2BE
   quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.50.1
!
ip dhcp pool 192.168.50.0/24
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
   dns-server 192.168.1.100 4.2.2.2
!
!
ip cef
ip domain name admin.local
ip name-server 192.168.1.100
ip name-server 4.2.2.2
ip port-map user-ssh2222 port tcp 2222 description ssh2222
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

!
!
username admin privilege 15 secret <removed>
!
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any AllowInbound
description externally visible ports
match protocol user-ssh2222
match protocol ssh
match access-group name internalservers
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  reset
class type inspect http ccp-app-httpmethods
  log
  reset
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect pol-out-to-in
class type inspect AllowInbound
  pass
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security zp-out-to-in source out-zone destination in-zone
description traffic from outside to inside
service-policy type inspect pol-out-to-in
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 192.168.1.120 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.100 permanent
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 192.168.50.2 2222 interface FastEthernet4 2222
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.50.5 22 interface FastEthernet4 22
!
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended internalservers
remark inbound traffic to servers
permit ip any host 192.168.50.2
permit ip any host 192.168.50.5
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login authentication local_authen
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

3 Replies

Julio Carvajal
VIP Alumni

Hello Cammy,

Please change the following and give it a try:

policy-map type inspect pol-out-to-in
 class type inspect AllowInbound
  no pass
  inspect

Regards,

Julio

Rate all helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

Thanks. I had deleted and remade a new config from scratch and it started working. I wasn't 100% sure why until I read your reply.

So, is it the case that "inspect" keeps the port open for returning traffic, but "pass" just lets it through?

Many thanks

Cammy

Hello Cammy,

That is correct, that is what you had to do.

If you had a pass rule, you would also need to have it for the returning traffic on the other zone.

Please mark the question as answered so future users can learn from your posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
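To make the difference between the two actions concrete, here is an added configuration example (not from Cammy's posted config or Julio's reply, and not Cisco documentation). It reuses the names from the thread (in-zone, out-zone, zp-out-to-in, AllowInbound, the ccp-inspect policy-map and the 192.168.50.2:2222 / 192.168.50.5:22 servers) and shows the stateful inspect fix next to the stateless alternative Julio mentions, where pass has to be configured on both zone-pairs. The ACL and class-map names in the second part (internalservers-return, AllowReturn) are hypothetical.

```cisco
! Added example, not from the thread. Names in-zone, out-zone, zp-out-to-in,
! AllowInbound, ccp-inspect and the server addresses come from Cammy's config;
! internalservers-return and AllowReturn are hypothetical names.
!
! --- Option 1 (what Julio suggested): stateful 'inspect' on the out->in policy ---
! 'inspect' records a session for the inbound SYN to 192.168.50.2:2222. The
! SYN-ACK coming back from the server is matched against that session and is
! never evaluated by the in->out policy (ccp-inspect), which would otherwise
! drop it as a TCP packet that does not open a new session.
policy-map type inspect pol-out-to-in
 class type inspect AllowInbound
  no pass
  inspect
 class class-default
  drop
!
! --- Option 2 (stateless 'pass', shown only to illustrate the caveat) ---
! 'pass' installs no session state, so the reply direction needs its own
! pass rule on the reverse zone-pair (in-zone -> out-zone). Because the
! existing ccp-insp-traffic class in ccp-inspect already matches all TCP,
! this class has to be configured ahead of it: class order inside a
! policy-map is the order in which the classes were entered, so the
! policy-map would have to be rebuilt with AllowReturn first.
ip access-list extended internalservers-return
 remark replies from the published servers back to outside clients
 permit tcp host 192.168.50.2 eq 2222 any
 permit tcp host 192.168.50.5 eq 22 any
!
class-map type inspect match-any AllowReturn
 match access-group name internalservers-return
!
policy-map type inspect ccp-inspect
 class type inspect AllowReturn
  pass
!
! --- Verification ---
! The session table is populated only for classes using 'inspect'. After an
! SSH login with Option 1, a session for 192.168.50.2:2222 is listed; with
! Option 2 the class counters increase but no session entry exists.
! show policy-map type inspect zone-pair zp-out-to-in sessions
! show policy-map type inspect zone-pair ccp-zp-in-out sessions
! show zone-pair security
```

Option 1 is the one to keep. With Option 2 the return rule is a plain 5-tuple filter: any packet leaving 192.168.50.2 with source port 2222 is passed whether or not a client ever connected, and the firewall cannot tell a legitimate reply from traffic the server (or something on it) originates on its own. The inspect action ties the reply to an existing session, which is why it both fixes the symptom and is the safer policy.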