03-22-2011 01:29 PM - edited 03-11-2019 01:11 PM
I have successfully deployed a zone based firewall on an ISR and almost everything is working great. The only problem I am having is with SFTP not working. Any thoughts? Here is my config.
class-map type inspect match-any inside-outside-cmap
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
03-23-2011 02:46 AM
Hi,
sFTP would use port 22 and all traffic would be encrypted. So the firewall will be unable to inspect this traffic.
Rather, let's try to 'pass' this traffic.
------------------------------
access-list 150 permit tcp any any eq 22
access-list 151 permit tcp any eq 22 any
class-map type inspect match-any sftp
 match access-group 150
class-map type inspect sftp_return
 match access-group 151
policy-map type inspect inside-outside-pmap
 class type inspect sftp
  pass
policy-map type inspect outside-sftp-inside
 class type inspect sftp_return
  pass
zone-pair security outside-inside source outside destination inside
 service-policy type inspect outside-sftp-inside
end
------------------------------
Paps
03-23-2011 09:38 AM
Thanks Paps. I applied the class maps & rules you suggested and then applied them to my policy maps and all is fine... but here's the interesting thing.
They are running sftp on port 21 and I had it allowed in the previous map, but it wasn't working and every time they kicked off a transfer it caused the router to crash. Bug?
I added the rule you suggested but used port 21 and all is good. I am not sure why the router would crash. Do you think it has something to do with trying to inspect an encrypted packet on an allowed port? New config.
access-list 150 permit tcp any any eq ftp
access-list 151 permit tcp any eq ftp any
class-map type inspect match-any sftp
 match access-group 150
class-map type inspect match-all inside-outside-vpn-cmap
 match access-group 111
class-map type inspect match-any sftp_return
 match access-group 151
class-map type inspect match-any inside-outside-cmap
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol pop3
 match protocol udp
!
!
policy-map type inspect inside-outside-vpn-pmap
 class type inspect sftp_return
  pass
 class type inspect inside-outside-vpn-cmap
  inspect
 class class-default
  drop
policy-map type inspect inside-outside-pmap
 class type inspect sftp
  pass
 class type inspect inside-outside-cmap
  inspect
 class class-default
  drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
 service-policy type inspect inside-outside-pmap
zone-pair security outside-inside source outside destination inside
 service-policy type inspect inside-outside-vpn-pmap
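The reason Paps's reply needs a second class (sftp_return) on the outside-inside zone-pair, and the reason the final config above carries both sftp and sftp_return with "pass", is the difference between the two ZBF actions: "inspect" builds a stateful session so the reply direction is admitted automatically, while "pass" is stateless and the reply packets are evaluated on their own by the opposite zone-pair's policy, where they fall into class-default drop unless a matching pass class exists. The following is an added example, not code from this thread or from Cisco: a small Python model of that evaluation order (session lookup first, then ordered class matching, then class-default drop). Zone names, class names, port numbers in the sample flows and the builder functions are constructed for illustration and do not reproduce the IOS implementation.

```python
"""Toy model of zone-based firewall policy evaluation (added example).

It models only the distinction that matters for the thread:
  inspect -> creates a session, so reply traffic is admitted before policy lookup
  pass    -> stateless, so reply traffic is judged by the reverse zone-pair alone
Everything here (zone names, class names, ports) is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class ClassEntry:
    name: str
    match: Callable[[Packet], bool]   # class-map match condition
    action: str                       # "inspect", "pass" or "drop"


@dataclass
class ZoneFirewall:
    # policy-map per (source zone, destination zone): ordered class list
    policies: Dict[Tuple[str, str], List[ClassEntry]] = field(default_factory=dict)
    # 5-tuples created by the "inspect" action
    sessions: Set[Tuple[str, str, str, int, int]] = field(default_factory=set)

    def add_zone_pair(self, src: str, dst: str, classes: List[ClassEntry]) -> None:
        self.policies[(src, dst)] = classes

    def evaluate(self, pkt: Packet) -> str:
        # 1. Reply traffic of an inspected session is admitted before any policy lookup.
        reverse = (pkt.dst_zone, pkt.src_zone, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self.sessions:
            return "session"
        # 2. No zone-pair between the zones: traffic is denied by default.
        classes = self.policies.get((pkt.src_zone, pkt.dst_zone))
        if classes is None:
            return "drop"
        # 3. First matching class wins; "inspect" records a session for the reply.
        for entry in classes:
            if entry.match(pkt):
                if entry.action == "inspect":
                    self.sessions.add((pkt.src_zone, pkt.dst_zone, pkt.proto,
                                       pkt.src_port, pkt.dst_port))
                return entry.action
        # 4. Nothing matched: class-default drop.
        return "drop"


# Match helpers standing in for the access-lists / match protocol lines.
def match_dst_port(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dst_port == port


def match_src_port(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.src_port == port


def match_tcp(p: Packet) -> bool:
    return p.proto == "tcp"


def build_pass_only() -> ZoneFirewall:
    """Pass for port 22 inside->outside, nothing for the reverse zone-pair."""
    fw = ZoneFirewall()
    fw.add_zone_pair("inside", "outside", [
        ClassEntry("sftp", match_dst_port(22), "pass"),
        ClassEntry("inside-outside-cmap", match_tcp, "inspect"),
    ])
    fw.add_zone_pair("outside", "inside", [])   # only class-default drop
    return fw


def build_pass_with_return() -> ZoneFirewall:
    """Same, plus the sftp_return pass class on outside->inside (the thread's fix)."""
    fw = build_pass_only()
    fw.add_zone_pair("outside", "inside", [
        ClassEntry("sftp_return", match_src_port(22), "pass"),
    ])
    return fw


def build_inspect_tcp() -> ZoneFirewall:
    """Port 22 handled by a generic TCP inspect class instead of pass."""
    fw = ZoneFirewall()
    fw.add_zone_pair("inside", "outside", [
        ClassEntry("inside-outside-cmap", match_tcp, "inspect"),
    ])
    fw.add_zone_pair("outside", "inside", [])
    return fw


def sftp_round_trip(fw: ZoneFirewall) -> Tuple[str, str]:
    """Verdicts for a client request to port 22 and the server's reply (constructed flow)."""
    request = Packet("inside", "outside", "tcp", 40000, 22)
    reply = Packet("outside", "inside", "tcp", 22, 40000)
    return fw.evaluate(request), fw.evaluate(reply)


if __name__ == "__main__":
    for label, builder in [("pass only", build_pass_only),
                           ("pass + return", build_pass_with_return),
                           ("inspect tcp", build_inspect_tcp)]:
        print(f"{label:14s} request/reply -> {sftp_round_trip(builder())}")
```

Running the block shows the pass-only policy forwarding the request but dropping the reply at class-default, the pass-plus-return policy forwarding both directions, and the inspect policy admitting the reply through the session it recorded. This is also why a pass class should be kept as narrow as the access-lists in the thread make it: nothing about a passed flow is tracked, so every packet matching the reverse rule is forwarded whether or not a connection was ever opened from inside.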
03-24-2011 12:11 AM
Hi James,
It seems the crash is related to inspecting encrypted traffic. But it could be for other reasons as well.
Here is a known issue though.
Would be best to open a TAC case to get to the root cause.
Thanks,
Paps