Changing SSH port and blocking the default one on ISR1100 IOS-XE + ZBF

B00 (Level 1)

Hello,

I'm building a configuration to replace an old 2901 with a new C1118-8P running Cisco IOS XE Software, Version 17.06.03a.

I'm having trouble with my SSH configuration: I'm trying to allow SSH only on port 7300 on my WAN interface.

My SSH and line config to allow a strong SSH, also on port 7300:

ip ssh time-out 30
ip ssh authentication-retries 1
ip ssh port 7300 rotary 1
ip ssh rsa keypair-name SSH-KEY
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
!
line vty 0 4
 session-timeout 30 
 exec-timeout 30 0
 session-disconnect-warning 600
 login local
 rotary 1
 transport input ssh
 transport output ssh
 escape-character 5
line vty 5 14
 login local
 transport input ssh

WAN interface:

interface GigabitEthernet0/0/0
 description ***WAN-INTERNET***
 ip address 192.168.200.1 255.255.255.0
 ip nat outside
 zone-member security Z-WAN-INTERNET
 media-type rj45
 negotiation auto

And my ZBF configuration for traffic filtering:

ip port-map ssh port tcp 7300
!
class-map type inspect match-all ssh-acl-cmap
 match access-group 100
 match protocol ssh
class-map type inspect match-any icmp-cmap
 match protocol icmp
!
policy-map type inspect internet-self
 class type inspect icmp-cmap
  inspect
 class type inspect ssh-acl-cmap
  inspect
 class class-default
!
zone security Z-WAN-INTERNET
zone-pair security internet-router source Z-WAN-INTERNET destination self
 service-policy type inspect internet-self
!
ip access-list extended 100
 10 permit tcp any host 192.168.200.1 eq 7300
 20 deny   ip any any

The problem is: with this configuration my SSH doesn't work on the WAN interface.

If I change my access-list to replace port 7300 with port 22, then my SSH works on both 7300 and 22.

It looks like the rotary system switches the port from 7300 to 22 before my ZBF takes place, but that would be weird.

If I capture packets on my WAN interface I see incoming packets on port 7300, which is fine.

Same thing if I put the ACL directly on the WAN interface or in the "line vty"...

This is my first time with IOS-XE and the ZBF firewall. I've tried to replicate the configuration seen in the Cisco documentation, but it looks like I'm misunderstanding something.

Accepted Solution

Hello,

I don't think the ip port mapping is appropriate in this context. Remove that line:

--> no ip port-map ssh port tcp 7300

and try with just the rotary.

If it still doesn't work, try and add the below access list, then apply it to your VTY lines:

ip access-list extended DENY_SSH_22
deny tcp any any eq 22
permit ip any any
!
line vty 0 15
access-class DENY_SSH_22 in


2 Replies


Thanks Georg Pauwen,

Removing the "ip port-map ssh port tcp 7300" and the "match protocol ssh" in the class-map did the trick.

I now have SSH access only on port 7300, which is what I want.

I don't really know what the "ip port-map ssh port tcp 7300" command does. I thought it allowed the ZBF firewall system to consider port 7300 as SSH to pass the "match protocol ssh", which only permits port 22 by default. Can you explain to me why this was not working, or link me to some documentation about this command?
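The fix described in the accepted solution and confirmed in the reply above (drop the port-map and "match protocol ssh", keep the ACL, put an access-class on the VTY lines) is easy to check for in a config dump before it is pushed. This is an added example, not code from the thread or from Cisco: a small Python audit over constructed snippets built from the thread's config, flagging only the pitfalls the thread itself reports; it inspects text and does not model how ZBF classifies traffic.

```python
import re
# Constructed from the thread: the original combination that did not work.
BROKEN_CFG = """
ip ssh port 7300 rotary 1
ip port-map ssh port tcp 7300
class-map type inspect match-all ssh-acl-cmap
 match access-group 100
 match protocol ssh
ip access-list extended 100
 permit tcp any host 192.168.200.1 eq 7300
"""
# Constructed: the accepted answer applied (no port-map, no 'match protocol ssh', DENY_SSH_22 on VTY).
FIXED_CFG = BROKEN_CFG.replace("ip port-map ssh port tcp 7300\n", "").replace(
    " match protocol ssh\n", "") + """ip access-list extended DENY_SSH_22
 deny tcp any any eq 22
 permit ip any any
line vty 0 15
 access-class DENY_SSH_22 in
"""

def parse_blocks(cfg):
    """Group indented IOS child lines under their top-level parent line."""
    blocks, header = {}, None
    for raw in (l for l in cfg.splitlines() if l.strip() and l[0] != "!"):
        if raw[0] == " ":
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks

def audit(cfg):
    """Flag the pitfalls from the thread; return a list of finding strings."""
    blocks, findings = parse_blocks(cfg), []
    rot = [h for h in blocks if h.startswith("ip ssh port ")]
    ssh_port = int(rot[0].split()[3]) if rot else 22  # no rotary: SSH on 22 only
    if any(h.startswith("ip port-map ssh ") for h in blocks):
        findings.append("ip port-map ssh present: remove it, the ACL already selects the port")
    for h, body in blocks.items():
        if h.startswith("class-map type inspect") and "match protocol ssh" in body \
                and any(b.startswith("match access-group") for b in body):
            findings.append(f"{h}: drop 'match protocol ssh', keep only the access-group")
        if h.startswith("ip access-list extended"):
            ports = {int(p) for p in re.findall(r"permit tcp .*? eq (\d+)", " ".join(body))}
            if ports and ssh_port not in ports:
                findings.append(f"{h}: permits {sorted(ports)} but SSH listens on {ssh_port}")
    vty = [l for h, b in blocks.items() if h.startswith("line vty") for l in b]
    if not any(l.startswith("access-class") for l in vty):
        findings.append("no access-class on VTY: port 22 still answers beside the rotary port")
    return findings
```

Running audit(BROKEN_CFG) reports the port-map, the mixed class-map and the missing VTY access-class; audit(FIXED_CFG) returns an empty list, and swapping the ACL's port to 22 (the variant the question tried) adds a port-mismatch finding.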
