12-02-2013 03:38 PM - edited 03-11-2019 08:11 PM
Hi,
I have a Cisco 2921 running IOS 15.3-3.M1. I am trying to create a zone based firewall rule to permit ssh traffic from any host outside my network to use NAT to forward port 8222 to 22 to connect to a specific server inside my network (192.168.10.10). The GigabitEthernet 0/0 address of my 2921 is 123.123.123.93 (I've modified the first 3 octets for this post) with netmask 255.255.255.252. Our Comcast modem is at IP address 123.123.123.94.
My class-map, policy-map and zone information are:
class-map type inspect match-any OUTSIDE_TO_INSIDE
description Outside to Inside traffic
match access-group name outside_to_inside
class-map type inspect match-any INSIDE_TO_OUTSIDE
match protocol dns
match protocol icmp
match protocol https
match protocol http
match protocol ssh
!
!
policy-map type inspect OUTSIDE_TO_INSIDE
description Outside to Inside traffic
class type inspect OUTSIDE_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect INSIDE_TO_OUTSIDE
description Inside to Outside traffic
class type inspect INSIDE_TO_OUTSIDE
inspect
class class-default
drop log
!
zone security INSIDE
description Office LAN
zone security OUTSIDE
description Internet
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
My interface configuration is:
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$
ip address 123.123.123.93 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no mop enabled
!
!
interface Vlan1
no ip address
shutdown
!
My NAT information is:
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0 8222
ip route 0.0.0.0 0.0.0.0 123.123.123.94
My access-list information is:
ip access-list extended outside_to_inside
permit tcp any any eq 8222
permit tcp any eq 8222 any
permit tcp any any eq 22
permit tcp any eq 22 any
access-list 101 permit ip any any
When I try to ssh to 123.123.123.93 using the command "telnet 123.123.123.93 8222", I receive the following error on the router:
Dec 2 23:09:36.191: FIREWALL*: NEW PAK 30948028 (0:123.123.123.94:45648) (0:192.168.10.10:22) tcp
Dec 2 23:09:36.191: FIREWALL*: PASS 0x1B feature object found
Dec 2 23:09:36.191: FIREWALL*: ret_val 5 is not PASS_PAK
Dec 2 23:09:36.607: FIREWALL: FW CCE got packet 0x306BD97C in process path
Dec 2 23:09:36.607: FIREWALL: ret_val 0 is not PASS_PAK
Dec 2 23:09:36.607: FIREWALL: Router gen or router destined pak 0x306BD97C, let it pass
The NAT configuration looks good:
dts2921#sho ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 123.123.123.93:8222 192.168.10.10:22 123.123.123.94:45649 123.123.123.94:45649
tcp 123.123.123.93:8222 192.168.10.10:22 --- ---
tcp 123.123.123.93:1723 192.168.10.10:1723 --- ---
However, the telnet returns without connecting to the 192.168.10.10 server.
I have not found anything helpful to determine what this means when searching Google. Can someone please help me understand this and also how to configure my firewall to make this work. Any help will be greatly appreciated.
Thanks,
Paul
Message was edited by: Paul Bratach Pasted the actual interface configuration, since I pasted the map and zone information twice by mistake.
12-09-2013 05:03 PM
Hello Paul,
I was going to suggest to you that:
"Remove the ACL and create a new one pointing to the private address space, as ZBFW checks any NAT and ACL before the Inspection"
That being said it should also have worked before as you had:
permit tcp any any eq 22
Which matches the traffic, but the FW might have got a weird behavior with the configuration you posted.
At least you know now, always point to the private one
Please mark the question as answered
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-03-2013 10:01 AM
Hello Paul,
I could not find what it means either; however, I can see that from out to in you configured a "pass" action and from inside to outside an inspect action.
You need to either configure pass for both directions or configure inspect in the direction the connection is started.
Can you try this:
policy-map type inspect OUTSIDE_TO_INSIDE
class type inspect OUTSIDE_TO_INSIDE
no pass
inspect
Regards,
Felipe.
Remember to rate useful posts.
12-09-2013 01:14 PM
Felipe,
Thanks for the reply. I was able to get it working by changing my access list from:
ip access-list extended outside_to_inside
permit tcp any any eq 8222
permit tcp any eq 8222 any
permit tcp any any eq 22
permit tcp any eq 22 any
to:
ip access-list extended outside_to_inside
permit tcp any host 192.168.10.10 eq 22
Thanks for your help.
Paul
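The point the accepted answer makes, that for an outside-to-inside connection the static NAT translation happens before the zone-based firewall evaluates the class-map ACL, can be checked with a small model of that order of operations. The following Python is an added example written for this page; it is not a Cisco tool and not code from the thread. It parses only the extended ACL forms used above (any, host, eq), applies the static port-forward from the NAT section, and then asks which ACE the post-NAT packet hits. The inbound packet and the contrasting PUBLIC_ONLY_ACL (an ACL written against the public address, which the thread did not use) are constructed for illustration.

```python
"""Model of NAT-then-ACL ordering for an outside-to-inside ZBFW connection.
Added example, not a Cisco tool: the ACL parser and packet flow are
simplified assumptions, limited to the IOS syntax seen in the thread."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPortNat:
    """ip nat inside source static tcp <local_ip> <local_port> interface <if> <global_port>"""
    proto: str
    local_ip: str
    local_port: int
    global_ip: str      # address of the 'ip nat outside' interface
    global_port: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]        # None means 'any'
    src_port: Optional[int]   # None means any port
    dst: Optional[str]
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' with 'any' or 'host A.B.C.D'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_endpoint():
        nonlocal rest
        if rest[0] == "any":
            addr, rest = None, rest[1:]
        elif rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            raise ValueError(f"unsupported address form: {rest[0]}")
        port = None
        if rest and rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
        return addr, port

    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in (None, pkt.src_ip)
            and ace.src_port in (None, pkt.src_port)
            and ace.dst in (None, pkt.dst_ip)
            and ace.dst_port in (None, pkt.dst_port))


def first_match(acl: List[str], pkt: Packet) -> Optional[int]:
    """Index of the first ACE that matches, or None (implicit deny)."""
    for i, line in enumerate(acl):
        if ace_matches(parse_ace(line), pkt):
            return i
    return None


def acl_permits(acl: List[str], pkt: Packet) -> bool:
    i = first_match(acl, pkt)
    return i is not None and parse_ace(acl[i]).action == "permit"


def translate_inbound(nat: StaticPortNat, pkt: Packet) -> Packet:
    """Static port-forward: a packet for global_ip:global_port is rewritten to
    local_ip:local_port before the ZBFW class-map sees it."""
    if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (nat.proto, nat.global_ip, nat.global_port):
        return replace(pkt, dst_ip=nat.local_ip, dst_port=nat.local_port)
    return pkt


def outside_to_inside(acl: List[str], nat: StaticPortNat, pkt: Packet) -> Tuple[Packet, bool]:
    """Return (post-NAT packet, whether the class-map ACL permits it)."""
    inner = translate_inbound(nat, pkt)
    return inner, acl_permits(acl, inner)


# From the thread: the port-forward and the two ACL versions Paul posted.
PORT_FORWARD = StaticPortNat("tcp", "192.168.10.10", 22, "123.123.123.93", 8222)
ORIGINAL_ACL = [
    "permit tcp any any eq 8222",
    "permit tcp any eq 8222 any",
    "permit tcp any any eq 22",
    "permit tcp any eq 22 any",
]
CORRECTED_ACL = ["permit tcp any host 192.168.10.10 eq 22"]
# Constructed for contrast: an ACL that names only the public address.
PUBLIC_ONLY_ACL = ["permit tcp any host 123.123.123.93 eq 8222"]
# Constructed inbound SYN from an arbitrary Internet host to the forwarded port.
INBOUND_SYN = Packet("tcp", "203.0.113.5", 45648, "123.123.123.93", 8222)

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("public-only", PUBLIC_ONLY_ACL),
                      ("corrected", CORRECTED_ACL)]:
        inner, ok = outside_to_inside(acl, PORT_FORWARD, INBOUND_SYN)
        print(f"{name:11s} post-NAT {inner.dst_ip}:{inner.dst_port} -> "
              f"{'permit' if ok else 'deny'} (ACE {first_match(acl, inner)})")
```

Run as a script, the model shows that the class-map ACL is evaluated against 192.168.10.10:22, not 123.123.123.93:8222: the original ACL still permits it, but only through its third entry (permit tcp any any eq 22), which agrees with the accepted answer's remark that it should have worked before; the constructed public-address ACL denies it, and the corrected ACL permits it with its single entry.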