SSH and zone-based firewall

Kris McCormick
Level 1

Hello,

From the outside, I am unable to SSH into a Cisco 2901 router with a zone-based firewall. I suspect I need to add SSH to one of the zones but I'm not sure which one. I've attached the configuration in a text file.

Thanks in advance to anyone that can point me in the right direction.

Accepted Solution

cadet alain
VIP Alumni

Hi,

Do you want to SSH into the router from any outside IP or from a specific one?

The problem is here:

zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
policy-map type inspect ccp-permit
 class type inspect ccp-cls-ccp-permit-1
  pass
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
  inspect
 class class-default
  drop

The SSH traffic is classified as class-default traffic and is dropped.

You may do this if you want any IP to ssh:

ip access-list extended SSH
 permit tcp any any eq ssh
class-map type inspect SSH_ACCESS
 match access-group name SSH
policy-map type inspect ccp-permit
 class type inspect SSH_ACCESS
  inspect

If you want to permit only certain IPs, then modify the ACL accordingly.

Regards.

Alain

Don't forget to rate helpful posts.
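As an added illustration (not part of the thread), a small Python model of the first-match classification Alain describes: the policy-map's classes are evaluated in order, and an inbound SSH flow falls through to class-default drop until a class matching TCP/22 is added. The match criteria of the ccp/SDM class-maps are not shown in the thread and are modelled as a placeholder, and the 203.0.113.0/24 source range for the restricted variant is an assumption.

```python
# Added example, not from the thread: a small model of how the IOS zone-based
# firewall classifies a flow against a policy-map. Classes are evaluated in
# order, the first class whose ACL matches wins, and class-default catches the
# rest. ACL entries are (action, proto, source network, dst port or None).
# Assumption: the ccp/SDM class-map contents are not shown in the thread, so
# they are modelled as a UDP-only placeholder that never matches TCP/22.
from ipaddress import ip_address, ip_network

def acl_permits(acl, proto, src, dport):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, p, src_net, port in acl:
        if p == proto and ip_address(src) in ip_network(src_net) and port in (None, dport):
            return action == "permit"
    return False

def classify(policy, class_maps, acls, proto, src, dport):
    """(class name, action) of the first matching class; class-default is last."""
    for cls, action in policy:
        if cls == "class-default" or acl_permits(acls[class_maps[cls]], proto, src, dport):
            return cls, action
    raise ValueError("policy-map has no class-default")

# Constructed data mirroring the thread's ccp-permit policy (out-zone -> self).
ACLS = {
    "VPN_PLACEHOLDER": [("permit", "udp", "0.0.0.0/0", None)],   # assumed, see above
    "SSH": [("permit", "tcp", "0.0.0.0/0", 22)],                 # Alain's any-source ACL
    "SSH_RESTRICTED": [("permit", "tcp", "203.0.113.0/24", 22)], # source-limited variant
}
CLASS_MAPS = {"ccp-cls-ccp-permit-1": "VPN_PLACEHOLDER",
              "SDM_EASY_VPN_SERVER_PT": "VPN_PLACEHOLDER",
              "SDM_EASY_VPN_CTCP_SERVER_PT": "VPN_PLACEHOLDER",
              "SSH_ACCESS": "SSH"}
BEFORE = [("ccp-cls-ccp-permit-1", "pass"), ("SDM_EASY_VPN_SERVER_PT", "pass"),
          ("SDM_EASY_VPN_CTCP_SERVER_PT", "inspect"), ("class-default", "drop")]
# Adding a class appends it after the existing ones; class-default stays last.
AFTER = BEFORE[:3] + [("SSH_ACCESS", "inspect")] + BEFORE[3:]

def ssh_result(policy, src="198.51.100.7", ssh_acl="SSH"):
    """Classify an inbound TCP/22 flow from src with SSH_ACCESS bound to ssh_acl."""
    return classify(policy, dict(CLASS_MAPS, SSH_ACCESS=ssh_acl), ACLS, "tcp", src, 22)

if __name__ == "__main__":
    print("before fix:", ssh_result(BEFORE))                     # ('class-default', 'drop')
    print("after fix:", ssh_result(AFTER))                       # ('SSH_ACCESS', 'inspect')
    print("restricted, allowed host:", ssh_result(AFTER, "203.0.113.5", "SSH_RESTRICTED"))
    print("restricted, other host:", ssh_result(AFTER, "198.51.100.7", "SSH_RESTRICTED"))
```

The last two lines show the effect of narrowing the ACL as Alain suggests: a host outside the permitted range is still caught by class-default and dropped.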

3 Replies

Kris McCormick
Level 1

Thanks Alain, I did want to enable ssh from any outside IP so this worked perfectly!

Somewhat off topic, do you know a good resource for learning more about zone-based firewalls?

Kris

Hi Kris,

Deploying Zone-Based Firewalls (Digital Short Cut) from Cisco Press

Regards.

Alain

Don't forget to rate helpful posts.