05-05-2010 11:33 AM - edited 03-11-2019 10:41 AM
I am having an unusual issue. I think I set up the zone security correctly to permit any IP from the out-zone to connect to the router via SSH and HTTPS, but my connections from the out-zone just time out. The relevant portions of the config are attached. Please help, I have been banging my head against the wall on this for some time now. Thanks.
05-05-2010 02:07 PM
Your out-to-self zone-pair seems to be inspecting TCP ports 22 and 443, so it all looks fine!
I am not sure why it is failing.
Maybe no self signed cert on the router?
You can also enable "ip inspect log drop-pkt" and check the logs to see if ZBF is for some reason dropping your TCP connection attempts.
I hope it helps you move forward.
PK
05-05-2010 02:16 PM
Thanks for looking at the config. I did some more testing, and even when I removed the interfaces from the zones and used the traditional ACL-based method of inspection, it still did not work. I used the following:
! Stateful inspection rule set (CBAC), applied outbound on the WAN interface
ip inspect name test01 tcp
ip inspect name test01 udp
ip inspect name test01 icmp
!
! Inbound ACL on the WAN interface: only SSH and HTTPS to the router itself
ip access-list extended test02
 permit tcp any any eq 22
 permit tcp any any eq 443
!
interface FastEthernet0
 ip nat outside
 ip access-group test02 in
 ip inspect test01 out
!
interface BVI1
 ip nat inside
I even tried opening everything from out-zone to self and it didn't work either. I also tried upgrading the IOS to the 15 line. I could SSH and SSL VPN to the router from inside, so I do not think it is an issue with the certificate.
I am pretty sure the problem is not with the circuit. We upgraded to a business-class cable modem, and even when I connected a laptop directly to the outside interface of the router, I was still not able to connect. Has anyone seen this before? Could it be defective hardware?
05-05-2010 02:15 PM
Hi,
If you want to manage the router using SSH/Telnet/HTTP, you need to define the traffic under the out-to-self policy. Please make the following changes:
class-map type inspect match-any manage
 match protocol tcp
!
policy-map type inspect ccp-permit
 class type inspect manage
  inspect
 no class type inspect sdm-cls-ccp-permit-3
 no class type inspect SDM_VPN_PT
 no class type inspect RemoteConnections
 class type inspect sdm-cls-ccp-permit-3
  inspect
 class type inspect SDM_VPN_PT
  inspect
 class type inspect RemoteConnections
  inspect
If it still fails, enable "ip inspect log drop-pkt" and send me the logs so that we can see in which class the traffic gets dropped.
HTH
Ashu
05-05-2010 02:32 PM
I think that is how I have it configured currently. Here is an excerpt from my config:
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
policy-map type inspect ccp-permit
 class type inspect sdm-cls-ccp-permit-3
  inspect
 class type inspect SDM_VPN_PT
  inspect
 class type inspect RemoteConnections
  inspect
 class class-default
  drop
!
class-map type inspect match-any RemoteConnections
 match access-group 113
!
access-list 113 permit tcp any any eq 22
access-list 113 permit tcp any any eq 443
!
class-map type inspect match-all sdm-cls-ccp-permit-3
 match class-map ICMPAllow
 match access-group name AllowICMP
!
ip access-list extended AllowICMP
 remark CCP_ACL Category=128
 permit ip any any
!
class-map type inspect match-any ICMPAllow
 match protocol icmp
!
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
!
access-list 103 permit ip host x.x.x.x any
I was unable to inspect a class-map that matched a protocol to the self zone, so I had to create an ACL to perform that function. At one point I changed access-list 113 to "permit ip any any" and it still did not work. "ip inspect log drop-pkt" is enabled; I will have to gather up the logs the next time I am there.
Any other thoughts?
05-06-2010 10:13 AM
You can try to capture packets to the router. If you can ping it and you see no SYN-ACK coming back, the router is probably dropping the traffic, and it is ZBF.
"sh log | i FW" will show you what ZBF says about the packets it sees and drops.
PK
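As an added example (not part of this thread, and not the poster's configuration), the following Python script summarises the %FW-6-DROP_PKT / %FW-6-DROP_TCP_PKT lines that "ip inspect log drop-pkt" produces and "show logging | include FW" lists, grouped by zone-pair, class, protocol and destination port. That answers the question raised above: which class in the out-to-self policy is actually dropping the SSH/HTTPS connections. The log lines are constructed sample data, the addresses are documentation ranges, and the exact message wording is assumed to follow the field order shown; IOS releases differ in minor wording, so the regex keys only on the stable fields.

```python
"""Summarise Cisco IOS Zone-Based Firewall drop messages.

Feed it the output of `show logging | include FW` (with `ip inspect log
drop-pkt` enabled) and it reports which zone-pair and class dropped which
connections.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample output (not taken from any real router), modelled on the
# %FW-6-DROP_PKT and %FW-6-DROP_TCP_PKT messages. Wording varies by IOS
# release, so the parser below keys only on the stable fields.
SAMPLE_LOG = """\
*May  5 14:20:01.123: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:51234 198.51.100.1:22 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*May  5 14:20:04.456: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:51235 198.51.100.1:443 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*May  5 14:20:09.789: %FW-6-DROP_PKT: Dropping udp session 203.0.113.77:40000 198.51.100.1:161 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*May  5 14:20:12.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)
*May  5 14:20:15.321: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 203.0.113.10:51236 => 198.51.100.1:22 due to policy match failure with ip ident 0 tcpflags 0x6002 seq.no 12345 ack 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Protocol, 5-tuple, optional zone-pair/class, and the reason text up to the
# trailing "with ip ident ..." details. Field order is an assumption.
DROP_RE = re.compile(
    r"%FW-6-(?P<msg>DROP_PKT|DROP_TCP_PKT): Dropping (?P<proto>\w+) (?:session|pkt) "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) (?:=> )?(?P<dst>{IPV4}):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r" due to\s+(?P<reason>.+?)(?: with ip ident.*)?$"
)


@dataclass(frozen=True)
class Drop:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: Optional[str]   # None for messages that carry no zone-pair field
    class_name: Optional[str]
    reason: str


def parse_drops(lines: Iterable[str]) -> List[Drop]:
    """Extract one Drop per %FW-6-DROP_* line; all other syslog lines are ignored."""
    drops: List[Drop] = []
    for line in lines:
        m = DROP_RE.search(line)
        if m is None:
            continue
        drops.append(Drop(
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            zone_pair=m["zp"], class_name=m["cls"], reason=m["reason"].strip(),
        ))
    return drops


def drops_by_class(drops: Iterable[Drop]) -> Counter:
    """Count drops per (zone-pair, class, protocol, destination port).

    Drops under class-default for a port the policy was meant to admit mean
    no class in that policy matched the flow, so the class-map or its ACL is
    where to look first.
    """
    return Counter((d.zone_pair, d.class_name, d.proto, d.dport) for d in drops)


def management_drops(drops: Iterable[Drop], mgmt_ports: Tuple[int, ...] = (22, 443)) -> List[Drop]:
    """Drops that hit the SSH/HTTPS ports an out-to-self policy is meant to permit."""
    return [d for d in drops if d.proto == "tcp" and d.dport in mgmt_ports]


if __name__ == "__main__":
    found = parse_drops(SAMPLE_LOG.splitlines())
    for key, n in sorted(drops_by_class(found).items(), key=lambda kv: str(kv[0])):
        zp, cls, proto, port = key
        print(f"{n:4d}  zone-pair={zp or '-':<18} class={cls or '-':<16} {proto}/{port}")
    for d in management_drops(found):
        print(f"management flow dropped: {d.src}:{d.sport} -> {d.dst}:{d.dport} ({d.reason})")
```

Paste the real "show logging | include FW" output in place of SAMPLE_LOG (or pipe it in and call parse_drops on the lines). If the SSH and HTTPS flows show up under class-default of the out-to-self zone-pair, the RemoteConnections class is not matching them and the class-map or its ACL needs attention; if they do not appear at all, ZBF is not the component dropping them and the packet capture suggested above is the next step.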