I have been working on accessing my Cisco 1841 with Advanced Security IOS 12.4(24)T2 over SSH so I can configure it when working away.
I have tried and tried on this, and I always find that when I try to access it using SSH the class map and policy map I specify are missed and the packets go straight to the class-default action and get dropped.
The part of my config for this is below.
! Define a class map to match the SSH traffic
class-map type inspect match-all cmap-router-access
 match access-group name ssh-to-router
!
! Define the access list that allows SSH traffic from any IP to any IP
ip access-list extended ssh-to-router
 permit tcp any any eq 22
!
access-list 110 permit ip any any
!
! Define policy map and inspect the class map for SSH
policy-map type inspect ccp-permit
 class type inspect cmap-router-access
  inspect
This policy map ccp-permit is then applied to the service policy on the zone pair out to self.
I have used the above on an 877 and it works great, but I cannot get this to work on any 1841 I have with this IOS version. Every time I try to make it work I can see, when using ip inspect log drop, that the FW drops the packets based on the class class-default in the policy map.
Any help on this would be appreciated as I really want to resolve this so I can learn where I am going wrong more than actually needing it to work!
One thing you could notice here is that the source port in the log is not 22 but another number (3), which makes me believe that there is some sort of PAT happening for the return traffic, thus resulting in a change of port numbers and thereby not coming under the return policy. So tighten your NAT overload statements to PAT only your internal networks to the ATM interface and deny the rest of the traffic from being PATted.
Are the NAT statements similar in the 877 router too? And is it an ATM interface also on the 877?
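As an added illustration of the NAT tightening suggested in the reply above (example config, not from the original thread or the poster's router), this scopes the overload translation to a single inside LAN; the subnet 192.168.1.0/24, the interface names FastEthernet0/0 and Dialer0, and the ACL name NAT-INSIDE are assumptions.

```cisco
! Added example, not from the original thread. Assumed values:
! inside LAN 192.168.1.0/24 on FastEthernet0/0, WAN on Dialer0 (over the ATM interface).
!
! Overly broad form: an "any any" source list, as in the post's ACL 110,
! would let every source address be translated if it were used as the NAT list.
access-list 110 permit ip any any
!
! Tightened form: only the inside LAN is PATted. Everything else falls through
! to the ACL's implicit deny and is therefore never translated.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! Verification after the change:
!   show ip nat translations                          - only inside-LAN entries should appear
!   show policy-map type inspect zone-pair sessions   - SSH sessions should match the
!                                                       intended class, not class-default
```

The two show commands at the end are the check to run while reproducing the failing SSH connection, so that the class the firewall actually matches can be compared with the port numbers seen in the drop log.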