What does "ret_val 5" mean when using SSH and NAT

pbratach1
Level 1

Hi,

I have a Cisco 2921 running IOS 15.3-3.M1. I am trying to create a zone based firewall rule to permit ssh traffic from any host outside my network to use NAT to forward port 8222 to 22 to connect to a specific server inside my network (192.168.10.10). The GigabitEthernet 0/0 address of my 2921 is 123.123.123.93 (I've modified the first 3 octets for this post) with netmask 255.255.255.252. Our Comcast modem is at IP address 123.123.123.94.

My class-map, policy-map and zone information are:

class-map type inspect match-any OUTSIDE_TO_INSIDE
 description Outside to Inside traffic
 match access-group name outside_to_inside
class-map type inspect match-any INSIDE_TO_OUTSIDE
 match protocol dns
 match protocol icmp
 match protocol https
 match protocol http
 match protocol ssh
!
!
policy-map type inspect OUTSIDE_TO_INSIDE
 description Outside to Inside traffic
 class type inspect OUTSIDE_TO_INSIDE
  inspect
 class class-default
  drop
policy-map type inspect INSIDE_TO_OUTSIDE
 description Inside to Outside traffic
 class type inspect INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description Office LAN
zone security OUTSIDE
 description Internet
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE

My interface configuration is:

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address 123.123.123.93 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
 no mop enabled
!
!
interface Vlan1
 no ip address
 shutdown
!

My NAT information is:

ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222
ip route 0.0.0.0 0.0.0.0 123.123.123.94

My access-list information is:

ip access-list extended outside_to_inside
 permit tcp any any eq 8222
 permit tcp any eq 8222 any
 permit tcp any any eq 22
 permit tcp any eq 22 any
access-list 101 permit ip any any

When I try to ssh to 123.123.123.93 using the command "telnet 123.123.123.93 8222", I receive the following error on the router:

Dec  2 23:09:36.191: FIREWALL*: NEW PAK 30948028 (0:123.123.123.94:45648) (0:192.168.10.10:22) tcp
Dec  2 23:09:36.191: FIREWALL*: PASS 0x1B feature object found
Dec  2 23:09:36.191: FIREWALL*: ret_val 5 is not PASS_PAK
Dec  2 23:09:36.607: FIREWALL: FW CCE got packet 0x306BD97C in process path
Dec  2 23:09:36.607: FIREWALL: ret_val 0 is not PASS_PAK
Dec  2 23:09:36.607: FIREWALL: Router gen or router destined pak 0x306BD97C, let it pass

The NAT configuration looks good:

dts2921#sho ip nat trans
Pro Inside global       Inside local        Outside local         Outside global
tcp 123.123.123.93:8222 192.168.10.10:22    123.123.123.94:45649  123.123.123.94:45649
tcp 123.123.123.93:8222 192.168.10.10:22    ---                   ---
tcp 123.123.123.93:1723 192.168.10.10:1723  ---                   ---

However, the telnet returns without connecting to the 192.168.10.10 server.

I have not found anything helpful to determine what this means when searching Google.  Can someone please help me understand this and also how to configure my firewall to make this work.  Any help will be greatly appreciated.

Thanks,

Paul

Message was edited by Paul Bratach: Pasted the actual interface configuration, since I pasted the map and zone information twice by mistake.


3 Replies

lcambron
Level 3

Hello Paul,

I could not find what it means either; however, I can see that from out to in you configured a "pass" action and from inside to outside an inspect action.

You need to either configure pass for both directions or configure inspect in the direction the connection is started.

Can you try this:

policy-map type inspect OUTSIDE_TO_INSIDE
 class type inspect OUTSIDE_TO_INSIDE
  no pass
  inspect

Regards,

Felipe.

Remember to rate useful posts.

Felipe,

Thanks for the reply. I was able to get it working by changing my access list from:

ip access-list extended outside_to_inside
 permit tcp any any eq 8222
 permit tcp any eq 8222 any
 permit tcp any any eq 22
 permit tcp any eq 22 any

to:

ip access-list extended outside_to_inside
 permit tcp any host 192.168.10.10 eq 22

Thanks for your help.

Paul

Hello Paul,

I was going to suggest to you that:

"Remove the ACL and create a new one pointing to the private address space, as ZBFW checks any NAT and ACL before the Inspection."

That being said it should also have worked before as you had:

permit tcp any any eq 22

which matches the traffic, but the FW might have got weird behavior with the configuration you posted.

At least you know now: always point to the private one.

Please mark the question as answered

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
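The order of operations Julio describes (NAT is applied to an inbound packet before the zone-pair's class-map ACL is evaluated) is what makes "permit tcp any host 192.168.10.10 eq 22" the right entry. The following is an added example, not code from the thread or from Cisco: a small Python model of that order, with first-match ACL semantics limited to the `any`/`host`/`eq` forms the thread's ACLs actually use. The NAT entry, both ACLs and the FIREWALL debug line are copied from the posts above; the on-the-wire 5-tuple is constructed from Paul's test (`telnet 123.123.123.93 8222`, sourced from 123.123.123.94:45648 as his debug shows).

```python
"""Added example, not from the thread: models the order of operations the
accepted answer relies on.  A packet arriving on the OUTSIDE interface is
un-NATted first; only then is the zone-pair class-map ACL evaluated, so the
ACL must name the post-NAT (inside-local) address and port.  NAT entry,
ACLs and debug line are copied from the thread; only any/host and eq are
modelled, which is all the thread's ACLs use."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src_ip) in self.src
                and ipaddress.ip_address(f.dst_ip) in self.dst
                and self.src_port in (None, f.src_port)
                and self.dst_port in (None, f.dst_port))

def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("only 'any' and 'host A.B.C.D' are modelled: " + " ".join(tok))

def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry, e.g. 'permit tcp any host 192.168.10.10 eq 22'."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport)

# ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222
# Gi0/0 is 123.123.123.93, so the inside-global socket is 123.123.123.93:8222.
STATIC_PAT = {("tcp", "123.123.123.93", 8222): ("192.168.10.10", 22)}

def nat_outside_to_inside(f: Flow) -> Flow:
    """Rewrite inside-global -> inside-local; on the inbound path this happens before the firewall."""
    local = STATIC_PAT.get((f.proto, f.dst_ip, f.dst_port))
    return f if local is None else Flow(f.proto, f.src_ip, f.src_port, *local)

def zbfw_verdict(acl_lines: List[str], wire_flow: Flow) -> Tuple[Flow, Optional[int]]:
    """Return the post-NAT flow and the index of the first ACE matching it.
    None = no permit matched (implicit deny -> class-default -> drop)."""
    f = nat_outside_to_inside(wire_flow)
    for idx, ace in enumerate(parse_ace(l) for l in acl_lines):
        if ace.matches(f):
            return f, (idx if ace.action == "permit" else None)
    return f, None

_NEW_PAK = re.compile(r"NEW PAK \d+ \(\d+:([\d.]+):(\d+)\) \(\d+:([\d.]+):(\d+)\) (\w+)")

def flow_from_debug(line: str) -> Flow:
    """Extract the 5-tuple from a 'FIREWALL*: NEW PAK ...' line; IOS logs the post-NAT tuple there."""
    m = _NEW_PAK.search(line)
    if m is None:
        raise ValueError("not a NEW PAK line: " + line)
    return Flow(m.group(5), m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

# Paul's original and corrected ACLs, copied from the thread.
ORIGINAL_ACL = ["permit tcp any any eq 8222", "permit tcp any eq 8222 any",
                "permit tcp any any eq 22", "permit tcp any eq 22 any"]
FIXED_ACL = ["permit tcp any host 192.168.10.10 eq 22"]
# Constructed from Paul's test ('telnet 123.123.123.93 8222'); the source socket is the one in his debug.
WIRE_FLOW = Flow("tcp", "123.123.123.94", 45648, "123.123.123.93", 8222)
DEBUG_LINE = ("Dec  2 23:09:36.191: FIREWALL*: NEW PAK 30948028 "
              "(0:123.123.123.94:45648) (0:192.168.10.10:22) tcp")

if __name__ == "__main__":
    post_nat, hit = zbfw_verdict(ORIGINAL_ACL, WIRE_FLOW)
    print("post-NAT:", post_nat, "| original ACL matched entry:", hit)
    print("8222-only entries match:", zbfw_verdict(ORIGINAL_ACL[:2], WIRE_FLOW)[1])
    print("debug tuple == modelled post-NAT flow:", flow_from_debug(DEBUG_LINE) == post_nat)
```

Run against the thread's data, the model shows three things. The two `eq 8222` entries can never match, because by the time the class-map ACL is consulted the destination is already 192.168.10.10:22, which is exactly the tuple Paul's `NEW PAK` debug line reports. The original ACL's `permit tcp any any eq 22` does match the post-NAT flow, which agrees with Julio's remark that it should have worked before the change; the model does not explain the `ret_val 5` debug line, and the thread leaves that unresolved. Finally, the source-port entries (`permit tcp any eq 22 any` and its 8222 twin) are unnecessary under an `inspect` action: the inspection is stateful and return traffic is permitted by the session entry, so the class-map ACL only needs to describe the initiating direction, as Paul's one-line replacement does.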