2592 Views | 0 Helpful | 7 Replies

Unable to VPN and SSH with Zone Based Firewall from outside to inside

eceflyboy
Level 1

We had some bad DNS query attacks lately, so I setup the Zone Based Firewall for my Cisco 891W router.

However, immediately after setting it up, I realized the VPN and SSH access from outside is blocked.  This is expected since ZBF was supposed to block all traffic and response traffic not initiated from inside the router.

I proceeded to Cisco Configuration Professional and added a new Traffic Name, AllowVPN; under Service I added every protocol for IPSec/VPN (ipsec-msft, gdoi, isakmp, ssp) and set the Action to "Allow".  Screen shot is attached.

I am able to VPN into the router, but after doing that, I cannot ping, ssh, or reach any machines inside the router.  When I am inside the network, it's the same thing.  I would VPN to the router, I would be unable to reach any machines inside the router, but when I log out of VPN then I am able to reach the internal machines again.

The router configuration is below (VPN configuration was previously working, the only new part of the config is the Zone-Based firewall), any help would be greatly appreciated!

NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
  656C662D   // Truncated on purpose for internet post
        quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
   network 10.2.2.0 255.255.255.0
   default-router 10.2.2.1
   dns-server 10.2.2.1
   domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
  hidekeys
username admin privilege 15 secret 5 <removed>.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect access-to-router
  inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
  pass
class type inspect ccp-cls-ccp-permit-1
  pass
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group NewCo
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
acl 102
include-local-lan
max-users 100
netmask 255.255.255.0
banner ^CCWelcome to NewCo VPN!  Split tunneling is enabled.                     ^C
!
crypto isakmp client configuration group NewCoProxy
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
max-users 100
banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site).                 ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group NewCo
   match identity group NewCoProxy
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns server none
ip ddns update hostname members.dyndns.org
ip ddns update ccp_ddns1
ip address 173.243.149.226 255.255.255.252
ip access-group no_icmp in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 173.243.149.225
!
ip access-list extended AllowVPN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended no_icmp
remark CCP_ACL Category=17
permit udp host 69.38.208.2 eq domain host 173.243.149.226
permit udp host 64.17.248.20 eq domain host 173.243.149.226
permit udp host 69.38.208.20 eq domain host 173.243.149.226
permit udp host 64.17.248.2 eq domain host 173.243.149.226
permit tcp any eq www any
deny   icmp any any echo
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark CCP_ACL Category=128
access-list 101 remark CCL_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 173.243.149.224 0.0.0.3 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 23 in
transport input ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
end
NewCoGate#

Accepted Solution

Loren Kolnes
Cisco Employee

Hi Kuangwei,

It looks like the interface Virtual-Template1 is not in a zone. You could put this interface in the inside zone and all decrypted traffic would then be put into that zone. You also have the option of putting the Virtual-Template in another zone and creating a zone pair to control what resources the VPN client has access to.

Here is a document that discusses this:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Do you also have an issue using ssh to manage the router when not using VPN?

Thanks,

Loren

7 Replies


That fixed it!  Thanks!

I still have the issue of not being able to ssh in to manage the router when not using the VPN.  If I am just managing the router I prefer not to have to VPN in, since SSH is pretty secure.

Thanks!

Kuangwei

Hi Kuangwei,

You have a policy map called "ccp-permit" which is matching traffic in the class-map "AllowSSH" with an action of pass.

When using pass we need to pass in both directions. You have the option of changing the pass action to inspect or to add a pass action to the self to out zone-pair policy map. You also have the option of not using a self zone which means that any traffic to or from the router would be allowed by default and access would need to be managed using other means such as configuring the line for ssh.

Option 1:

policy-map type inspect ccp-permit
class type inspect AllowSSH
  no pass
  inspect

Option 2:

policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
  pass
no class type inspect ccp-icmp-access
class type inspect ccp-icmp-access
  inspect

Option 3:

Remove the zone pairs referencing the self zone.

Please refer to the following guide for further information.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Thanks,

Loren
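The two rules Loren has relied on so far (in the accepted answer: an interface that is in no zone cannot exchange traffic with an interface that is in one; in this reply: `pass` is stateless, so it has to be configured on the zone-pair in each direction, whereas `inspect` opens a session that admits the return traffic, and a self zone with no zone-pair in a given direction is open) can be replayed in a small model. The Python below is an added example written for this thread, not IOS code and not the poster's configuration. The zone names, class names and actions are taken from the posted `show run`, but the self-to-out policy whose class-default drops is a constructed generic case (the poster's `ccp-permit-icmpreply` ends in `class class-default pass`), the client and Internet addresses are RFC 5737 documentation addresses, and `inspect` is applied only on the in-zone to out-zone pair, where the posted configuration uses it.

```python
"""Toy model of Cisco IOS zone-based firewall (ZBF) forwarding decisions.

Added example for this thread, not IOS code. It encodes the rules the
replies rely on: an interface in no zone cannot talk to a zoned interface,
'pass' is stateless and one-directional, 'inspect' opens a session that
admits the reply, and the self zone is open in any direction without a
zone-pair. Addresses other than the router's are RFC 5737 documentation
addresses (constructed)."""
from dataclasses import dataclass

SELF = "self"  # the router itself, as in 'zone-pair ... destination self'


@dataclass(frozen=True)
class Flow:
    ingress: str   # receiving interface, or SELF when the router originates
    egress: str    # forwarding interface, or SELF when the router is the target
    proto: str     # protocol name as a ZBF 'match protocol' would see it
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self):
        """The reverse direction of this flow (what the response looks like)."""
        return Flow(self.egress, self.ingress, self.proto,
                    self.dst, self.src, self.dport, self.sport)

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone
        self.pairs = {}        # (src_zone, dst_zone) -> (classes, class-default action)
        self.sessions = set()  # flow keys opened by 'inspect'

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone, dst_zone, classes, default="drop"):
        """classes: ordered [(class name, set of protocols, action)], like a policy-map."""
        self.pairs[(src_zone, dst_zone)] = (classes, default)

    def _zone(self, interface):
        return SELF if interface == SELF else self.zone_of.get(interface)

    def decide(self, flow):
        # 1. A reply to an inspected flow is admitted by the session table; no policy needed.
        if flow.reply().key() in self.sessions:
            return "pass (session)"
        src, dst = self._zone(flow.ingress), self._zone(flow.egress)
        # 2. Two interfaces in the same zone: allowed by default.
        if src == dst and src is not None:
            return "pass (same zone)"
        pair = self.pairs.get((src, dst))
        # 3. To or from the router with no zone-pair in that direction: allowed.
        if pair is None and SELF in (src, dst):
            return "pass (self default)"
        # 4. Zoned to unzoned (None), or two zones with no pair: dropped.
        if pair is None:
            return "drop (no zone-pair)"
        # 5. First matching class wins; 'inspect' records the session for step 1.
        classes, default = pair
        for name, protos, action in classes:
            if flow.proto in protos:
                if action == "inspect":
                    self.sessions.add(flow.key())
                return f"{action} ({name})"
        return f"{default} (class-default)"


def thread_scenarios():
    """Replay the situations discussed in the thread; returns {label: decision}."""
    fw = ZoneFirewall()
    fw.zone_member("Vlan1", "in-zone")
    fw.zone_member("FastEthernet8", "out-zone")
    # Virtual-Template1 deliberately in no zone, as in the first post.
    fw.zone_pair("in-zone", "out-zone",
                 [("ccp-insp-traffic", {"tcp", "udp", "icmp"}, "inspect")], default="pass")
    fw.zone_pair("out-zone", SELF,
                 [("AllowSSH", {"ssh"}, "pass"), ("VPN_Group", {"isakmp", "ipsec-msft"}, "pass")])
    fw.zone_pair(SELF, "out-zone", [])  # constructed: nothing passes router-originated traffic

    r = {}
    vpn = Flow("Virtual-Template1", "Vlan1", "tcp", "10.2.2.100", "10.2.2.7", 40000, 22)
    r["vpn_client_to_lan_unzoned"] = fw.decide(vpn)
    fw.zone_member("Virtual-Template1", "in-zone")  # the accepted fix
    r["vpn_client_to_lan_in_zone"] = fw.decide(vpn)

    web = Flow("Vlan1", "FastEthernet8", "tcp", "10.2.2.7", "198.51.100.10", 50000, 80)
    r["lan_to_internet"] = fw.decide(web)
    r["internet_reply_to_lan"] = fw.decide(web.reply())  # no out->in pair, yet admitted

    ssh = Flow("FastEthernet8", SELF, "ssh", "203.0.113.5", "173.243.149.226", 51000, 22)
    r["ssh_to_router"] = fw.decide(ssh)
    r["ssh_reply_pass_one_way"] = fw.decide(ssh.reply())
    # Option 2: pass SSH on the self -> out pair as well.
    fw.zone_pair(SELF, "out-zone", [("AllowSSH", {"ssh"}, "pass")])
    r["ssh_reply_pass_both_ways"] = fw.decide(ssh.reply())
    # Option 3: no zone-pairs that involve self at all.
    del fw.pairs[(SELF, "out-zone")], fw.pairs[("out-zone", SELF)]
    r["ssh_to_router_no_self_pairs"] = fw.decide(ssh)
    return r


if __name__ == "__main__":
    for label, decision in thread_scenarios().items():
        print(f"{label:32} {decision}")
```

The point the model makes visible is that `inspect` on the in-zone to out-zone pair is what lets Internet replies reach the LAN even though no out-zone to in-zone pair exists, while the `pass` that admits SSH to the router creates no such state, so the router's own replies are judged purely by the self-to-out policy.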

Hi Loren,

Thanks for the help, but Option 1 doesn't work and gives an error message when I change it to inspect:

%Protocol configured in class-map AllowSSH cannot be configured for the self zone with inspect action. Please remove the protocol and retry

For Option 2, I was able to set the configuration as you mentioned, but I am still unable to SSH from an outside server.

Option 3 requires changing Zone pairs, I think that's too big of a change to make on a production router during business hours.  I may be able to try that after hours tonight but I'd rather not touch the existing zone pairs right now.

My latest router configuration is reproduced as below, thanks again for the help!

NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
  656C662D   // Truncated on purpose for internet post
        quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
   network 10.2.2.0 255.255.255.0
   default-router 10.2.2.1
   dns-server 10.2.2.1
   domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
  hidekeys
username admin privilege 15 secret 5 <removed>.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect access-to-router
  inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
  pass
class type inspect ccp-cls-ccp-permit-1
  pass
class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group NewCo
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
acl 102
include-local-lan
max-users 100
netmask 255.255.255.0
banner ^CCWelcome to NewCo VPN!  Split tunneling is enabled.                     ^C
!
crypto isakmp client configuration group NewCoProxy
key asd24radwea2ea3
dns 10.2.2.1
pool SDM_POOL_1
max-users 100
banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site).                 ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group NewCo
   match identity group NewCoProxy
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip dhcp client update dns server none
ip ddns update hostname members.dyndns.org
ip ddns update ccp_ddns1
ip address 173.243.149.226 255.255.255.252
ip access-group no_icmp in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
duplex full
speed 100
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.2.2.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 173.243.149.225
!
ip access-list extended AllowVPN
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended no_icmp
remark CCP_ACL Category=17
permit udp host 69.38.208.2 eq domain host 173.243.149.226
permit udp host 64.17.248.20 eq domain host 173.243.149.226
permit udp host 69.38.208.20 eq domain host 173.243.149.226
permit udp host 64.17.248.2 eq domain host 173.243.149.226
permit tcp any eq www any
deny   icmp any any echo
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 remark CCP_ACL Category=128
access-list 101 remark CCL_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.2.2.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 173.243.149.224 0.0.0.3 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 23 in
transport input ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
end

Hi Kuangwei,

Can you remove access-list 23 from the vty lines below or create an access-list 23 that permits either all ip or your remote public address:

line vty 0 4
no access-class 23 in
transport input ssh
line vty 5 15
no access-class 23 in

Let me know if this helps.

Thanks,

Loren
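Two things the replies have pointed at so far, Virtual-Template1 carrying IP while belonging to no security zone, and `access-class 23 in` on the vty lines (plus `ip http access-class 23`) naming an access list that the posted `show run` never defines, are both mechanical enough to catch with a script before a change window. The Python below is an added example written for this thread, not Cisco tooling and not anything from the posters; it runs over a constructed excerpt of the posted configuration with the usual `show run` indentation restored (the dumps above lost theirs when pasted) and checks only those two patterns. Running it on a full dump needs the same one-space indentation under each stanza.

```python
"""Audit an IOS running-config for two zone-based-firewall pitfalls:
interfaces that carry IP but belong to no security zone, and access lists
that are referenced but never defined.  Added example; not IOS/Cisco code."""
import re

# Constructed excerpt of the configuration posted in this thread, with the
# normal 'show run' layout: sub-commands indented by one space.
SAMPLE_CONFIG = """\
interface FastEthernet8
 ip address 173.243.149.226 255.255.255.252
 ip access-group no_icmp in
 zone-member security out-zone
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0
 no ip address
!
interface Vlan1
 ip address 10.2.2.1 255.255.255.0
 zone-member security in-zone
!
ip http access-class 23
!
ip access-list extended SSH
 permit tcp any any eq 22
ip access-list extended no_icmp
 permit ip any any
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
!
class-map type inspect match-any SSH
 match access-group name SSH
class-map type inspect match-all ccp-invalid-src
 match access-group 103
!
line vty 0 4
 access-class 23 in
 transport input ssh
"""

# Lines that define an ACL (numbered or named) and lines that reference one.
ACL_DEF = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")
ACL_REF = re.compile(r"^(?:access-class (\S+) in|ip http access-class (\S+)"
                     r"|ip access-group (\S+) (?:in|out)|match access-group (?:name )?(\S+))")


def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level stanza of the config."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def unzoned_l3_interfaces(config):
    """Interfaces with an IP configuration but no zone-member, when ZBF is in use.
    Traffic between such an interface and any zoned interface is dropped."""
    if "zone-member security" not in config:
        return []  # no zones at all: the rule does not apply
    flagged = []
    for header, body in stanzas(config):
        if not header.startswith("interface "):
            continue
        has_ip = any(l.startswith(("ip address", "ip unnumbered")) for l in body)
        zoned = any(l.startswith("zone-member security") for l in body)
        if has_ip and not zoned:
            flagged.append(header.split()[1])
    return flagged


def undefined_acl_references(config):
    """Map each referenced-but-undefined ACL to the lines that reference it."""
    defined, refs = set(), {}
    for header, body in stanzas(config):
        for line in [header, *body]:
            m = ACL_DEF.match(line)
            if m:
                defined.add(next(g for g in m.groups() if g))
                continue
            m = ACL_REF.match(line)
            if m:
                acl = next(g for g in m.groups() if g)
                where = line if line == header else f"{header}: {line}"
                refs.setdefault(acl, []).append(where)
    return {acl: where for acl, where in refs.items() if acl not in defined}


if __name__ == "__main__":
    print("interfaces with IP but no zone:", unzoned_l3_interfaces(SAMPLE_CONFIG))
    for acl, lines in undefined_acl_references(SAMPLE_CONFIG).items():
        print(f"ACL {acl} is referenced but never defined:")
        for where in lines:
            print("   ", where)
```

On the excerpt the script reports Virtual-Template1 as the only IP-bearing interface outside a zone and access list 23 as referenced twice but defined nowhere; the same two checks run unchanged over the full dump once its indentation is restored.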

Oh, that is a really good point; I didn't even think about checking that!

So I took out access-class 23 in as you suggested, but still no luck.

Here is the latest configuration with the updated changes from the above recommendation:

NewCoGate#show run
Building configuration...
Current configuration : 14025 bytes
!
! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname NewCoGate
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging persistent url flash:/syslog/ size 100000000 filesize 12000000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1798439109
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1798439109
revocation-check none
rsakeypair TP-self-signed-1798439109
!
!
crypto pki certificate chain TP-self-signed-1798439109
certificate self-signed 01
  656C662D   // Truncated on purpose for internet post
        quit
no ip source-route
!
!
ip dhcp excluded-address 10.2.2.1 10.2.2.10
!
ip dhcp pool ccp-pool
   network 10.2.2.0 255.255.255.0
   default-router 10.2.2.1
   dns-server 10.2.2.1
   domain-name local
!
!
ip dhcp update dns
ip cef
ip domain name example.com
ip host local ns ns.local
ip host trac.local 10.2.2.7
ip host ns.local 10.2.2.1
ip host bw.local 10.2.2.7
ip host trac.example.com 10.2.2.7
ip host internal.example.com 10.2.2.7
ip host-list members.dyndns.org
ip host-list NewCo.dyndns.org
ip name-server 64.17.248.2
ip name-server 69.38.208.20
ip name-server 64.17.248.20
ip name-server 69.38.208.2
ip dhcp-client update dns server both
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA
!
!
archive
log config
  hidekeys
username admin privilege 15 secret 5 <removed>.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any AllowSSH
match protocol ssh
class-map type inspect match-any SSH
match access-group name SSH
class-map type inspect match-any access-to-router
match class-map SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any VPN_Group
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map VPN_Group
match access-group name AllowVPN
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect AllowSSH
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect access-to-router
  inspect
policy-map type inspect ccp-permit
class type inspect AllowSSH
  pass
class type inspect ccp-cls-ccp-permit-1

  pass

class class-default

  drop

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

!

crypto logging ezvpn

!        

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group NewCo

key asd24radwea2ea3

dns 10.2.2.1

pool SDM_POOL_1

acl 102

include-local-lan

max-users 100

netmask 255.255.255.0

banner ^CCWelcome to NewCo VPN!  Split tunneling is enabled.                     ^C

!

crypto isakmp client configuration group NewCoProxy

key asd24radwea2ea3

dns 10.2.2.1

pool SDM_POOL_1

max-users 100

banner ^CCWelcome to NewCo Proxy VPN, split tunneling is DISABLED (all traffic goes through VPN site).                 ^C

crypto isakmp profile ciscocp-ike-profile-1

   match identity group NewCo

   match identity group NewCoProxy

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 3600

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$

ip dhcp client update dns server none

ip ddns update hostname members.dyndns.org

ip ddns update ccp_ddns1

ip address 173.243.149.226 255.255.255.252

ip access-group no_icmp in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip nat enable

ip virtual-reassembly

zone-member security out-zone

duplex full

speed 100

!

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

!

interface GigabitEthernet0

no ip address

duplex auto

speed auto

!

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.2.2.1 255.255.255.0

no ip redirects

no ip unreachables

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

!

interface Async1

no ip address

encapsulation slip

!

!

ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

ip dns primary local soa ns.local user@example.com 21600 900 7776000 86400

ip nat inside source list 1 interface FastEthernet8 overload

ip route 0.0.0.0 0.0.0.0 173.243.149.225

!

ip access-list extended AllowVPN

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SSH

permit tcp any any eq 22

ip access-list extended no_icmp

remark CCP_ACL Category=17

permit udp host 69.38.208.2 eq domain host 173.243.149.226

permit udp host 64.17.248.20 eq domain host 173.243.149.226

permit udp host 69.38.208.20 eq domain host 173.243.149.226

permit udp host 64.17.248.2 eq domain host 173.243.149.226

permit tcp any eq www any

deny   icmp any any echo

permit ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.2.2.0 0.0.0.255

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 remark CCP_ACL Category=128

access-list 101 remark CCL_ACL Category=128

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.2.2.0 0.0.0.255 any

access-list 103 remark CCP_ACL Category=128

access-list 103 permit ip host 255.255.255.255 any

access-list 103 permit ip 127.0.0.0 0.255.255.255 any

access-list 103 permit ip 173.243.149.224 0.0.0.3 any

no cdp run

!

!

!

!

!

!

control-plane

!       

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN

CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0

no username cisco

Replace and with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE

TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin udptn ssh

line aux 0

line vty 0 4

transport input ssh

line vty 5 15

transport input ssh

!

scheduler max-task-time 5000

end

NewCoGate# 

Let's try the following:

1. Create a new class of traffic that matches TCP; I do not believe that ssh is a valid match for self zone traffic

class-map type inspect match-any management_class

match protocol tcp

2. Use an access-list to define tcp port 25; you already have the access-list created

class-map type inspect match-all SSH_Access

match class-map management_class

match access-group name SSH

3. Apply the new class maps to the policy-map and remove the old class in the out-to-self policy

policy-map type inspect ccp-permit

class type inspect SSH_Access

pass

no class type inspect AllowSSH

4. Apply the new class maps to the policy-map and remove the old class in the self-to-out policy

policy-map type inspect ccp-permit-icmpreply

no class type inspect AllowSSH

class type inspect SSH_Access

pass

no class type inspect ccp-icmp-access

class type inspect ccp-icmp-access

  inspect

5. Remove the old class map

no class-map type inspect match-any AllowSSH

Let me know if this helps.

Thanks,

Loren
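As an added example (not code from this thread or from Cisco), the following Python checker parses the class-map, policy-map and zone-pair lines of an IOS zone-based firewall config and flags, in the spirit of step 1 above, any class applied to a zone-pair involving the self zone that matches an application protocol such as ssh rather than tcp/udp/icmp/h323. The SAMPLE text is a constructed excerpt modelled on the posted config plus the reply's management_class/SSH_Access classes, and the set of protocols accepted on the self zone is an assumption.

```python
# Constructed excerpt modelled on the posted config plus the reply's SSH_Access class.
SAMPLE = """\
class-map type inspect match-any AllowSSH
 match protocol ssh
class-map type inspect match-any management_class
 match protocol tcp
class-map type inspect match-all SSH_Access
 match class-map management_class
 match access-group name SSH
policy-map type inspect ccp-permit
 class type inspect AllowSSH
  pass
 class type inspect SSH_Access
  pass
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""
# Protocols a policy on a self-zone pair can match (assumption, following the reply above).
SELF_ZONE_OK = {"tcp", "udp", "icmp", "h323"}
def parse_zbf(text):  # indented lines attach to the most recently opened block
    classes, policies, pairs, cur = {}, {}, {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["class-map", "type", "inspect"]:
            cur = classes[w[4]] = []            # (kind, value) match lines
        elif w[:3] == ["policy-map", "type", "inspect"]:
            cur = policies[w[3]] = []           # class names in policy order
        elif w[:2] == ["zone-pair", "security"]:
            cur = pairs[w[2]] = {"src": w[4], "dst": w[6], "policy": None}
        elif w[:1] == ["match"] and w[1] in ("protocol", "class-map"):
            cur.append((w[1], w[2]))            # other match lines (ACLs) are ignored here
        elif w[:1] == ["class"]:
            cur.append(w[-1])                   # 'class type inspect X' or 'class class-default'
        elif w[:1] == ["service-policy"]:
            cur["policy"] = w[-1]
    return classes, policies, pairs
def protocols_of(name, classes, seen=frozenset()):
    """Yield (class, protocol) for each match protocol line, following nested class-maps."""
    for kind, val in classes.get(name, []):
        if kind == "protocol":
            yield name, val
        elif val not in seen:                   # nested match class-map; loop guard
            yield from protocols_of(val, classes, seen | {name})
def audit(text):
    """List classes bound to a self-zone pair that match a protocol the self zone cannot use."""
    classes, policies, pairs = parse_zbf(text)
    return [f"{zp}: class {owner} matches protocol {proto}, unsupported on the self zone"
            for zp, pair in pairs.items() if "self" in (pair["src"], pair["dst"])
            for cls in policies.get(pair["policy"], [])
            for owner, proto in protocols_of(cls, classes) if proto not in SELF_ZONE_OK]
```

Running audit(SAMPLE) reports only AllowSSH; SSH_Access passes because it resolves through management_class to tcp, which is how the reply's replacement class is built.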
