hi diego, thanks for your cooperation. I have a question about when you said

"Yo can use this policy

class-map type inspect match-any ExampleCM

match protocol ssh

match protocol https

exit

policy-map type inspect ExamplePM-TEST

class type inspect ExampleCM

inspect

class class-default

drop log

exit

exit"

this configuration does L7 inspection, so when i tried to do this for the Self-Zone, the system tells me that SSH or HTTPS can be inspected for the Self-Zone, only L4 inspection. So I tried the next ( I have no probe it yet):

! I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface.

ip access-list extende mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11 ( the first IP is on the HQ segment, the second one related with the inside Router interface)

     deny ip any any

exit

class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

     match protocol icmp

exit

class-map type inspect match-all out-self-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

policy-map type inspect out-self-pmap

     class type inspect out-self-cmap

     [inspect]<--------------------------------------------if I set "inspect" when I try to join this policy with the zone-pair out-self the system does not allow it

     [pass]<---------------------------------------------if i set "pass" It suppose to create the policy and zone-pair for the traffic in the other direction self-out.

     class type inspect class-default

     drop log

     exit

exit

zone-pair security out-self source out-zone destination self

     service-policy type inspect out-self-pmap

exit

Assume this configurartion is made till here, not a line more not a line less, the traffic at the policy map is "Pass", this configuration does not suppose to work because there is no route back from self-zone to out-zone right?? so if I tried to do SSH to the 192.168.11.11 it ain't gonna happen. Could you help me to figure out if this is correct

And these configurations are equivalents:

Configuration A:

ip Access-list Extended mgmt-acl

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 22

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 443

exit

class-map  type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

exit

-------------------------------------------------------------------------------------------------

Configuration B:

ip access-list extended mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11

     deny ip any any

exit

class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

exit

class-map type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

Thanks and Regards

Hi,

The pass option is not stateful. It means that you have to create 2 ZOne-pairs. One from self to out-zone and one from out-zone to self.  (if HQ is in the OUT-ZONE).

Is the HQ in the OUT-ZONE ??  Do you have a public IP in the OUTSIDE interface??

You wrote.

I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface-----> Is the HQ in the OUTSIDE???  Im seeing that the zone-pair is between the OUT-ZONE and the self.....

hi diego, the link between the HQ router and Branch routers is provided by an ISP through FrameRelay connection for some Branch offices and MPLS for others. So, the ISP give me Invalid IPs for the WAN links (i.e: 10.50.70.0/30 or 10.50.70.40/30). Something like this:

        LAN HQ                                            WAN                                       WAN                                                   LAN Branch

192.168.1.0/24<-------->HQ Router <------10.50.70.0/30-------> ISP <-------- 10.50.70.40/30------> Branch Router----------->192.168.11.0/

For the The Branch router:

     - The outside will be the WAN interface 10.50.70.42

     - The inside will be the LAN interface 192.168.11.11

So when I configure the Firewall on the Branch Routers I need to access to it from the HQ with SSH or HTTPS using the LAN IP not the WAN IP. So any network administrator should use ssh 192.168.11.11 to gain access to the Branch router.

again, could you please answer me if these configurations are equivalents:

Configuration A:

ip Access-list Extended mgmt-acl

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 22

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 443

exit

class-map  type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

exit

-------------------------------------------------------------------------------------------------

Configuration B:

ip access-list extended mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11

     deny ip any any

exit

class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

exit

class-map type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

Thanks and Regards

In the first example. Yes they are going to do the same but. in the second example you would be doing L7 inepction if you set as action inpect. But you will not so in this case it's the same case A as case B

About your problem I'm not 100% sure if ssh or https is going to work from the HQ... Do you have a route in the HQ to reach the internal IP through the MPLS?? I have never worked in an scenario like yours. Have you tried creating a loopback? ans ssh and https to the loopback IP?

hi Fabio, I think i solve it (or for my case it works). It is possible to use the inspect action on a policy for the Self-Zone, but you have to keep in mind this:

when you use this kind of config:

     class-map type inspect match-any out-self-cmap

          match protocol ssh

          match protocol https

          match protocol snmp

     exit

     policy-map type inspect out-self-pmap

          class type inspect example-cmap

          inspect

          class class-default

          drop log

          exit

     exit

you are doing an inspection for the whole protocol (ssh, https or snmp), this is a L7 inspection, if you try to attach the policy-map with a zone-pair that involves the self-zone the system won't allow you.

To solve this you can "trick" the inspection, so you don't inspect the whole protocol, instead, you only inspect a given port (ssh:22 TCP, https:443 TCP, snmp:161 UDP). so the configuration will be something like this:

     ip access-list extended ssh-acl

          remark This acl allows the SSH session from two HQ PCs to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit tcp host 192.168.10.20 host 192.168.8.1 eq 22

          permit tcp host 192.168.10.30 host 192.168.8.1 eq 22

          deny tcp any any eq 22

     exit

      ip access-list extended https-acl

          remark This acl allows the HTTPS session from all HQ PCs to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit tcp 192.168.10.0 0.0.0.255 host 192.168.8.1 eq 443

          deny tcp any any eq 443

     exit

     ip access-list extended snmp-acl

          remark This acl allows the SNMP session from one HQ Server to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit udp host 192.168.10.100 host 192.168.8.1 eq 161

          deny udp any any eq 161

This way you are doing L4 inspection over the port and the router will allow you to attach the policy-map to the zone-pair which includes de sefl-zone. And as you can see, you are monitoring and manage the device through the Inside IP not the Outside. I did this configuration for my case and it is working, I can do ssh, https (SDM) and snmp monitoring.

As a bonus, if you are the kind of person who enjoy configure through the CLI, don´t forget to allow the Routing protocol messages or adjacencies. Once you start to work on the self zone you have to be careful, if you are using OSPF or EIGRP you have to allow the message from this protocol to establish the adjacencies. This will help you:

     ip access-list extended ospf-acl

          permit ospf any any

     exit

     class-map type inspect match-all ospf-cmap

          match access-group ospf-acl

     exit

     policy-map type inspect out-self-pmap

          class type inspect out-self-cmap

          inspect

          class type inspect ospf-cmap

          pass

          class class-default

          drol-log

By the way, if you use "pass" traffic from the "out-zone" to the "self-zone" is not necessary to create the traffic back from the "self" to the "out-zone" because this traffic is allowed by default. you have to use the back traffic policies if you are passing the traffic between two zones different of "self-zone".

I hope this help you Fabio.

Regards

Thanks for you reply Jose... I understand the situation... and I will make some test and then I tell you about the results.... Do you have some more example of rules from inside to outside... and from outside to inside... if you could send me some example.. (If u have) I would appreciate... fabio@teletex.com.br

Thanks in advance.

Fabio