06-20-2011 03:19 PM - edited 03-11-2019 01:47 PM
We had some bad DNS query attacks lately, so I set up the Zone Based Firewall for my Cisco 891W router.
However, immediately after setting it up, I realized that VPN and SSH access from outside is blocked. This is expected, since ZBF was supposed to block all traffic and response traffic not initiated from inside the router.
I proceeded to Cisco Configuration Professional and added a new Traffic Name, AllowVPN; inside Service, I added every protocol for IPSec/VPN (ipsec-msft, gdoi, isakmp, ssp) and set the Action to "Allow". Screenshot is attached.
I am able to VPN into the router, but after doing that, I cannot ping, SSH, or reach any machines inside the router. When I am inside the network, it's the same thing: I VPN to the router and am unable to reach any machines inside the router, but when I log out of the VPN I am able to reach the internal machines again.
The router configuration is below (VPN configuration was previously working, the only new part of the config is the Zone-Based firewall), any help would be greatly appreciated!
NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
656C662D // Truncated on purpose for internet post
quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
dns-server 10.2.2.1
domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
hidekeys
username admin privilege 15 secret 5 <removed>.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect access-to-router
inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
pass
class type inspect ccp-cls-ccp-permit-1
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group NewCo
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
acl 102
include-local-lan
max-users 100
netmask 255.255.255.0
banner ^CCWelcome to NewCo VPN! Split tunneling is enabled. ^C
!
crypto isakmp client configuration group NewCoProxy
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
max-users 100
banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site). ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group NewCo
match identity group NewCoProxy
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns server none
ip ddns update hostname members.dyndns.org
ip ddns update ccp_ddns1
ip address 173.243.149.226 255.255.255.252
ip access-group no_icmp in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 173.243.149.225
!
ip access-list extended AllowVPN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended no_icmp
remark CCP_ACL Category=17
permit udp host 69.38.208.2 eq domain host 173.243.149.226
permit udp host 64.17.248.20 eq domain host 173.243.149.226
permit udp host 69.38.208.20 eq domain host 173.243.149.226
permit udp host 64.17.248.2 eq domain host 173.243.149.226
permit tcp any eq www any
deny icmp any any echo
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark CCP_ACL Category=128
access-list 101 remark CCL_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 173.243.149.224 0.0.0.3 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 23 in
transport input ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
end
NewCoGate#
06-20-2011 03:49 PM
Hi Kuangwei,
It looks like the interface Virtual-Template1 is not in a zone. You could put this interface in the inside zone and all decrypted traffic would then be put into that zone; you also have the option of putting the Virtual-Template in another zone and creating a zone pair to control what resources the VPN client has access to.
Here is a document that discusses this:
Do you also have an issue using ssh to manage the router when not using VPN?
Thanks,
Loren
06-20-2011 03:58 PM
That fixed it! Thanks!
I still do have the issue of not being able to ssh in to manage the router when not using the VPN. If I am just managing the router I prefer not having to need to VPN in, since SSH is pretty secure.
Thanks!
Kuangwei
06-20-2011 04:16 PM
Hi Kuangwei,
You have a policy map called "ccp-permit" which is matching traffic in the class-map "AllowSSH" with an action of pass.
When using pass we need to pass in both directions. You have the option of changing the pass action to inspect or to add a pass action to the self to out zone-pair policy map. You also have the option of not using a self zone which means that any traffic to or from the router would be allowed by default and access would need to be managed using other means such as configuring the line for ssh.
Option 1:
policy-map type inspect ccp-permit
class type inspect AllowSSH
no pass
inspect
Option 2:
policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
pass
no class type inspect ccp-icmp-access
class type inspect ccp-icmp-access
inspect
Option 3:
Remove the zone pairs referencing the self zone.
Please refer to the following guide for further information.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Thanks,
Loren
06-20-2011 05:03 PM
Hi Loren,
Thanks for the help, but Option 1 doesn't work and gives an error message when I change it to inspect:
%Protocol configured in class-map AllowSSH cannot be configured for the self zone with inspect action. Please remove the protocol and retry
For Option 2, I was able to set the configuration as you mentioned, but I am still unable to SSH from an outside server.
Option 3 requires changing Zone pairs, I think that's too big of a change to make on a production router during business hours. I may be able to try that after hours tonight but I'd rather not touch the existing zone pairs right now.
My latest router configuration is reproduced as below, thanks again for the help!
NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
656C662D // Truncated on purpose for internet post
quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
dns-server 10.2.2.1
domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
hidekeys
username admin privilege 15 secret 5 <removed>
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect access-to-router
inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
pass
class type inspect ccp-cls-ccp-permit-1
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group NewCo
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
acl 102
include-local-lan
max-users 100
netmask 255.255.255.0
banner ^CCWelcome to NewCo VPN! Split tunneling is enabled. ^C
!
crypto isakmp client configuration group NewCoProxy
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
max-users 100
banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site). ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group NewCo
match identity group NewCoProxy
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns server none
ip ddns update hostname members.dyndns.org
ip ddns update ccp_ddns1
ip address 173.243.149.226 255.255.255.252
ip access-group no_icmp in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 173.243.149.225
!
ip access-list extended AllowVPN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended no_icmp
remark CCP_ACL Category=17
permit udp host 69.38.208.2 eq domain host 173.243.149.226
permit udp host 64.17.248.20 eq domain host 173.243.149.226
permit udp host 69.38.208.20 eq domain host 173.243.149.226
permit udp host 64.17.248.2 eq domain host 173.243.149.226
permit tcp any eq www any
deny icmp any any echo
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark CCP_ACL Category=128
access-list 101 remark CCL_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 173.243.149.224 0.0.0.3 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 23 in
transport input ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
end
06-20-2011 05:11 PM
Hi Kuangwei,
Can you remove access-list 23 from the vty lines below or create an access-list 23 that permits either all ip or your remote public address:
line vty 0 4
no access-class 23 in
transport input ssh
line vty 5 15
no access-class 23 in
Let me know if this helps.
Thanks,
Loren
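The three things Loren checks across his replies (an interface that carries IP but belongs to no zone, a `pass` on the out-zone to self pair with no matching `pass` on self to out-zone, and a vty `access-class` that points at an ACL the config never defines) can be audited mechanically before a ZBF change goes onto a production router. The script below is an added example written for this page; it is not Cisco tooling and not something either poster ran. It assumes an indented `show run` as IOS prints it (the configs pasted above lost their indentation), and its embedded sample is a constructed, trimmed copy of the first config in the thread. The function names (`parse_blocks`, `policy_classes`, `audit`) and the wording of the findings are the example's own.

```python
import re

# Constructed sample: the ZBF-relevant slices of the first "show run" in this
# thread, re-indented the way IOS prints them (the forum paste lost indentation).
SAMPLE_CONFIG = """\
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect AllowSSH
  pass
 class class-default
  drop
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
interface FastEthernet8
 ip address 173.243.149.226 255.255.255.252
 ip access-group no_icmp in
 zone-member security out-zone
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
interface Vlan1
 ip address 10.2.2.1 255.255.255.0
 zone-member security in-zone
ip access-list extended no_icmp
 permit ip any any
line vty 0 4
 access-class 23 in
"""

ZP_RE = re.compile(r"zone-pair security \S+ source (\S+) destination (\S+)")
ACL_REF_RE = re.compile(r"(?:ip access-group|access-class|match access-group(?: name)?) (\S+)")


def parse_blocks(text):
    """Split an indented running-config into (header, [child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def policy_classes(blocks):
    """policy-map name -> [(class name, action)] in evaluation order (first match wins)."""
    policies = {}
    for header, body in blocks:
        if header.startswith("policy-map type inspect "):
            classes, current = [], None
            for line in body:
                if line.startswith("class "):
                    current = line.split()[-1]
                elif current and line.split()[0] in ("pass", "inspect", "drop"):
                    classes.append((current, line.split()[0]))
            policies[header.split()[-1]] = classes
    return policies


def audit(config_text):
    """Return the three kinds of ZBF finding raised in the thread, as strings."""
    blocks = parse_blocks(config_text)
    policies = policy_classes(blocks)
    pairs = {}  # (source zone, destination zone) -> service-policy name
    for header, body in blocks:
        m = ZP_RE.match(header)
        if m:
            pairs[m.groups()] = next((l.split()[-1] for l in body if l.startswith("service-policy")), None)
    findings = []
    # 1. Once zones exist, every interface that carries IP must be a zone-member;
    #    an unzoned interface (the Virtual-Template here) cannot reach zoned ones.
    if any(h.startswith("zone security ") for h, _ in blocks):
        for header, body in blocks:
            has_ip = any(l.startswith(("ip address ", "ip unnumbered ")) for l in body)
            zoned = any(l.startswith("zone-member security ") for l in body)
            if header.startswith("interface ") and has_ip and not zoned:
                findings.append(f"{header.split()[1]} carries IP but is not a zone-member")
    # 2. 'pass' keeps no session state, so a class passed A->B needs an explicit pass
    #    in B->A; class-default does not count, because classes are matched in order
    #    and an earlier inspect/drop class would take the return packets first.
    for (src, dst), policy in pairs.items():
        reverse = policies.get(pairs.get((dst, src)), [])
        for cls, action in policies.get(policy, []):
            if action == "pass" and cls != "class-default" and (cls, "pass") not in reverse:
                findings.append(f"class {cls} is passed {src}->{dst} but not {dst}->{src}")
    # 3. Every referenced ACL (vty access-class, interface access-group, class-map
    #    access-group) must actually be defined somewhere in the config.
    defined = {h.split()[-1] for h, _ in blocks if h.startswith("ip access-list ")}
    defined |= {h.split()[1] for h, _ in blocks if h.startswith("access-list ")}
    for header, body in blocks:
        for line in body:
            m = ACL_REF_RE.match(line)
            if m and m.group(1) not in defined:
                findings.append(f"{header} references ACL {m.group(1)}, which is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports the three findings against the sample (Virtual-Template1 unzoned, AllowSSH passed out-zone->self but not self->out-zone, ACL 23 undefined). Feed it a config with the fixes from the replies applied (a `zone-member security in-zone` on Virtual-Template1, `class type inspect AllowSSH` with `pass` placed ahead of `ccp-icmp-access` in ccp-permit-icmpreply, and an `access-list 23` that exists) and the list comes back empty. Check 2 deliberately ignores `class class-default pass` in the reverse policy: inspect policies are evaluated top-down, so in the original ccp-permit-icmpreply the `ccp-icmp-access` class (which inspects tcp, udp and icmp) would catch the router's SSH replies before class-default ever saw them.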
06-20-2011 05:48 PM
Oh that is a really good point, I didn't even think about checking that!
So I took out access-class 23 in as you suggested, but still no luck.
Here is the latest configuration with the updated changes from the above recommendation:
NewCoGate#
NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
656C662D // Truncated on purpose for internet post
quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
dns-server 10.2.2.1
domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
hidekeys
username admin privilege 15 secret 5 <removed>
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect access-to-router
inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
pass
class type inspect ccp-cls-ccp-permit-1
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group NewCo
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
acl 102
include-local-lan
max-users 100
netmask 255.255.255.0
banner ^CCWelcome to NewCo VPN! Split tunneling is enabled. ^C
!
crypto isakmp client configuration group NewCoProxy
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
max-users 100
banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site). ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group NewCo
match identity group NewCoProxy
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns server none
ip ddns update hostname members.dyndns.org
ip ddns update ccp_ddns1
ip address 173.243.149.226 255.255.255.252
ip access-group no_icmp in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 173.243.149.225
!
ip access-list extended AllowVPN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended no_icmp
remark CCP_ACL Category=17
permit udp host 69.38.208.2 eq domain host 173.243.149.226
permit udp host 64.17.248.20 eq domain host 173.243.149.226
permit udp host 69.38.208.20 eq domain host 173.243.149.226
permit udp host 64.17.248.2 eq domain host 173.243.149.226
permit tcp any eq www any
deny icmp any any echo
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark CCP_ACL Category=128
access-list 101 remark CCL_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 173.243.149.224 0.0.0.3 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler max-task-time 5000
end
NewCoGate#
06-20-2011 06:26 PM
Let's try the following:
1. Create a new class of traffic that matches TCP, I do not believe that ssh is a valid match for self zone traffic
class-map type inspect match-any management_class
match protocol tcp
2. Use an access-list to define tcp port 25, you already have the access-list created
class-map type inspect match-all SSH_Access
match class-map management_class
match access-group name SSH
3. Apply the new class maps to the policy-map and remove the old class in the out-to-self policy
policy-map type inspect ccp-permit
class type inspect SSH_Access
pass
no class type inspect AllowSSH
4. Apply the new class maps to the policy-map and remove the old class in the self-to-out policy
policy-map type inspect ccp-permit-icmpreply
no class type inspect AllowSSH
class type inspect SSH_Access
pass
no class type inspect ccp-icmp-access
class type inspect ccp-icmp-access
inspect
5. Remove the old class map
no class-map type inspect match-any AllowSSH
Let me know if this helps.
Thanks,
Loren
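To see what the class-map and policy-map lines in the thread actually do to a packet, here is a small evaluator, added as an example rather than code from the thread or from Cisco. It models the match-any / match-all semantics of `class-map type inspect`, the first-match order of `policy-map type inspect`, and just enough extended-ACL syntax to read the `SSH`, `AllowVPN` and `no_icmp` entries above, then classifies a few constructed flows against the out-zone to self policy (`ccp-permit`) and the self to out-zone policy (`ccp-permit-icmpreply`) as they read after Loren's five steps. The port numbers behind the `match protocol` names, the remote client address and the sample flows are assumptions made for the example; `ssp` from `VPN_Group` is left out because no port is assigned to it here.

```python
"""Toy evaluator for Cisco IOS zone-based firewall (ZBF) classification.
Added example, not code from the thread or from Cisco: models match-any /
match-all class-maps, first-match policy-maps and a subset of extended ACLs,
then classifies constructed flows against the thread's out->self and
self->out policies."""
from collections import namedtuple
from dataclasses import dataclass, field

# `match protocol` names resolved to (transport, destination port).  The ports
# are this model's assumption, not IOS NBAR's signature table; `ssp` from the
# thread is left out because no port is assigned here.
PROTOCOL_PORTS = {"isakmp": ("udp", 500), "ipsec-msft": ("udp", 4500),
                  "gdoi": ("udp", 848), "http": ("tcp", 80)}
NAMED_PORTS = {"domain": 53, "www": 80, "ssh": 22, "telnet": 23}
Flow = namedtuple("Flow", "proto src dst sport dport")   # proto: tcp/udp/icmp

@dataclass
class ClassMap:
    mode: str                        # "match-any" or "match-all"
    protocols: list = field(default_factory=list)
    class_maps: list = field(default_factory=list)
    access_groups: list = field(default_factory=list)

def _addr_and_port(tokens):
    """Consume `any` or `host <ip>` (wildcard masks not modelled), then `eq <port>`."""
    addr, tokens = ("any", tokens[1:]) if tokens[0] == "any" else (tokens[1], tokens[2:])
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = NAMED_PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return addr, port, tokens

def acl_permits(entries, flow):
    """First-match evaluation of extended ACL entries with an implicit deny at
    the end.  Trailing ICMP type keywords such as `echo` are ignored here."""
    for line in entries:
        action, proto, *rest = line.split()
        src, sport, rest = _addr_and_port(rest)
        dst, dport, _ = _addr_and_port(rest)
        if proto not in ("ip", flow.proto) or src not in ("any", flow.src) \
                or dst not in ("any", flow.dst):
            continue
        if sport not in (None, flow.sport) or dport not in (None, flow.dport):
            continue
        return action == "permit"
    return False

def class_matches(name, flow, classes, acls):
    """Evaluate one class-map; nested class-maps and ACLs count as criteria."""
    cm = classes[name]
    checks = []
    for p in cm.protocols:
        if p in ("tcp", "udp", "icmp"):
            checks.append(flow.proto == p)
        else:
            transport, port = PROTOCOL_PORTS[p]
            checks.append(flow.proto == transport and flow.dport == port)
    checks += [class_matches(c, flow, classes, acls) for c in cm.class_maps]
    checks += [acl_permits(acls[a], flow) for a in cm.access_groups]
    return any(checks) if cm.mode == "match-any" else all(checks)

def classify(policy, flow, classes, acls):
    """Return (class, action) of the first matching class in an ordered policy
    whose last entry is class-default (which always matches)."""
    for name, action in policy:
        if name == "class-default" or class_matches(name, flow, classes, acls):
            return name, action
    raise ValueError("policy has no class-default")

# Class-maps, ACLs and policies as they read after Loren's steps (thread names).
CLASSES = {
    "management_class": ClassMap("match-any", protocols=["tcp"]),
    "SSH_Access": ClassMap("match-all", class_maps=["management_class"], access_groups=["SSH"]),
    "VPN_Group": ClassMap("match-any", protocols=["gdoi", "ipsec-msft", "isakmp"]),
    "ccp-cls-ccp-permit-1": ClassMap("match-all", class_maps=["VPN_Group"], access_groups=["AllowVPN"]),
    "ccp-cls-icmp-access": ClassMap("match-any", protocols=["icmp", "tcp", "udp"]),
    "ccp-icmp-access": ClassMap("match-all", class_maps=["ccp-cls-icmp-access"]),
}
ACLS = {"SSH": ["permit tcp any any eq 22"], "AllowVPN": ["permit ip any any"]}
OUT_TO_SELF = [("SSH_Access", "pass"), ("ccp-cls-ccp-permit-1", "pass"),
               ("class-default", "drop")]          # policy-map ccp-permit
SELF_TO_OUT = [("SSH_Access", "pass"), ("ccp-icmp-access", "inspect"),
               ("class-default", "pass")]          # policy-map ccp-permit-icmpreply
ROUTER, CLIENT = "173.243.149.226", "203.0.113.10"  # WAN address from the thread; constructed client

def demo():
    """Classify constructed flows; returns {label: (class, action)}."""
    inbound = {
        "ssh to router": Flow("tcp", CLIENT, ROUTER, 51000, 22),
        "isakmp": Flow("udp", CLIENT, ROUTER, 500, 500),
        "telnet to router": Flow("tcp", CLIENT, ROUTER, 51001, 23),
        "dns query to router": Flow("udp", CLIENT, ROUTER, 51002, 53),
    }
    out = {k: classify(OUT_TO_SELF, f, CLASSES, ACLS) for k, f in inbound.items()}
    # `pass` is unidirectional: the SSH reply is classified by the self->out policy,
    # where ACL SSH (destination port 22) does not match a packet *from* port 22.
    out["ssh reply"] = classify(SELF_TO_OUT, Flow("tcp", ROUTER, CLIENT, 22, 51000), CLASSES, ACLS)
    return out

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in demo().items()), sep="\n")
```

Running `demo()` shows inbound SSH landing in `SSH_Access` and ISAKMP in `ccp-cls-ccp-permit-1`, while Telnet and a DNS query aimed at the router itself fall through to `class-default drop`. The SSH reply is the instructive case: because `pass` creates no session and the `SSH` ACL keys on destination port 22, the reply is classified by `ccp-permit-icmpreply`, where `ccp-cls-icmp-access` (which matches TCP as well as ICMP) catches it with `inspect`. The model reports only the class and the configured action; what the stateful engine then does with an `inspect` hit that has no existing session, and the interface ACL `no_icmp` that runs before any zone policy, are outside the toy.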