10-17-2022 07:21 AM
Hello,
I'm building a configuration to replace an old 2901 by a new C1118-8P running Cisco IOS XE Software, Version 17.06.03a.
I'm in trouble with my SSH configuration: I'm trying to allow SSH only on port 7300 on my WAN interface.
My SSH and line config to allow a strong SSH, also on port 7300:
ip ssh time-out 30
ip ssh authentication-retries 1
ip ssh port 7300 rotary 1
ip ssh rsa keypair-name SSH-KEY
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
ip ssh server algorithm mac hmac-sha2-256
ip ssh server algorithm encryption aes256-ctr
!
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 session-disconnect-warning 600
 login local
 rotary 1
 transport input ssh
 transport output ssh
 escape-character 5
line vty 5 14
 login local
 transport input ssh
WAN interface:
interface GigabitEthernet0/0/0
 description ***WAN-INTERNET***
 ip address 192.168.200.1 255.255.255.0
 ip nat outside
 zone-member security Z-WAN-INTERNET
 media-type rj45
 negotiation auto
And my ZBF configuration for traffic filtering:
ip port-map ssh port tcp 7300
!
class-map type inspect match-all ssh-acl-cmap
 match access-group 100
 match protocol ssh
class-map type inspect match-any icmp-cmap
 match protocol icmp
!
policy-map type inspect internet-self
 class type inspect icmp-cmap
  inspect
 class type inspect ssh-acl-cmap
  inspect
 class class-default
!
zone security Z-WAN-INTERNET
zone-pair security internet-router source Z-WAN-INTERNET destination self
 service-policy type inspect internet-self
!
ip access-list extended 100
 10 permit tcp any host 192.168.200.1 eq 7300
 20 deny ip any any
Problem is: with this configuration my SSH doesn't work on the WAN interface.
If I change my access-list to replace the port 7300 by the port 22, then my SSH is working on both 7300 and 22.
It looks like the rotary system switches the port from 7300 to 22 before my ZBF takes place, but it would be weird.
If I capture packets on my WAN interface I see incoming packets on port 7300, which is fine.
Same thing if I put the ACL directly on the WAN interface or in the "line vty"...
This is my first time in IOS-XE and the ZBF firewall. I've tried to replicate the configuration seen in the Cisco documentation, but it looks like I'm misunderstanding something.
10-17-2022 08:51 AM - last edited on 10-25-2022 10:49 AM by Translator
Hello,
I don't think the ip port mapping is appropriate in this context. Remove that line:
--> no ip port-map ssh port tcp 7300
and try with just the rotary.
If it still doesn't work, try and add the below access list, then apply it to your VTY lines:
ip access-list extended DENY_SSH_22
 deny tcp any any eq 22
 permit ip any any
!
line vty 0 15
 access-class DENY_SSH_22 in
10-18-2022 05:32 AM - last edited on 10-25-2022 10:54 AM by Translator
Thanks Georg Pauwen,
Removing the "ip port-map ssh port tcp 7300" command and the "match protocol ssh" line in the class-map did the trick.
I now have SSH access only on port 7300, which is what I want.
I don't really know what the "ip port-map ssh port tcp 7300" command does; I thought it allowed the ZBF firewall system to consider port 7300 as SSH in order to pass the "match protocol ssh" check, which only permits port 22 by default. Can you explain to me why this was not working, or link me some kind of documentation about this command?
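As an added illustration of the question above (example code, not from the thread or from Cisco): a small Python model of how a "class-map type inspect match-all" is evaluated against a connection. It models "match protocol ssh" as TCP/22, the default the thread attributes to it, and does not model the port-map or rotary behaviour; the ACL entries are the ones from the original post.

```python
from collections import namedtuple
# A flow as the inspect classifier sees it (constructed input for this model).
Flow = namedtuple("Flow", "proto dst_ip dst_port")

# Access list 100 from the original post: (action, proto, dst_ip, dst_port); None = any.
ACL_100 = [
    ("permit", "tcp", "192.168.200.1", 7300),
    ("deny", "ip", None, None),
]

def acl_permits(acl, flow):
    """First matching entry decides; no match means implicit deny."""
    for action, proto, dst_ip, dst_port in acl:
        if proto != "ip" and proto != flow.proto:
            continue
        if dst_ip is not None and dst_ip != flow.dst_ip:
            continue
        if dst_port is not None and dst_port != flow.dst_port:
            continue
        return action == "permit"
    return False

# "match protocol <name>" modelled as a fixed well-known port.  ASSUMPTION taken
# from the thread: ssh is recognised on TCP/22 by default.
PROTOCOL_PORTS = {"ssh": ("tcp", 22)}

def protocol_matches(name, flow):
    proto, port = PROTOCOL_PORTS[name]
    return flow.proto == proto and flow.dst_port == port

def class_matches(criteria, flow, mode="match-all"):
    """criteria: list of ("access-group", acl) or ("protocol", name).
    match-all needs every criterion to hold; match-any needs just one."""
    results = []
    for kind, arg in criteria:
        if kind == "access-group":
            results.append(acl_permits(arg, flow))
        elif kind == "protocol":
            results.append(protocol_matches(arg, flow))
        else:
            raise ValueError("unknown match criterion: " + kind)
    return all(results) if mode == "match-all" else any(results)

# ssh-acl-cmap as posted (match-all, both lines) and after the accepted fix
# (the "match protocol ssh" line removed).
ORIGINAL_SSH_CLASS = [("access-group", ACL_100), ("protocol", "ssh")]
FIXED_SSH_CLASS = [("access-group", ACL_100)]
SSH_7300 = Flow("tcp", "192.168.200.1", 7300)  # the connection the OP wants
SSH_22 = Flow("tcp", "192.168.200.1", 22)      # the one the OP wants blocked
```

With both lines present, a port-7300 connection satisfies the ACL but not the protocol check, and a port-22 connection the reverse, so the match-all class never matches either; with only the ACL it matches 7300 alone.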