Solved: ZBF access to ATM0/0/0.1 with SSH

kyle.heath · ‎07-31-2010

I have been working on accessing my Cisco 1841 with Advanced Security IOS 12.4(24)T2 with SSH so I can configure when working away.

I have tried and tried on this and I always find that when I try to access using SSH the class map and policy map I specify are missed and the packets go straight to the class default action and get dropped.

The part of my config for this is below

Define a clapp map to match the ssh traffic

class-map type inspect match-all cmap-router-access
match access-group name ssh-to-router

Define the access list that allows SSH traffic from any IP to any IP

ip access-list extended ssh-to-router
permit tcp any any eq 22
access-list 110 ip permit any any

Define policy map and inspect the class map for SSH

policy-map type inspect ccp-permit
class type inspect cmap-router-access
no drop
inspect

This policy map ccp-permit is then the applied to the service policy on the zone pair out to self.

I have used the above on a 877 and it works great but I cannot get this to work on any 1841 I have with this IOS version. Every time I try to make it work I can see when using ip inspect log drop the FW drops the packets based on the class class-default in the policy map.

Any help on this would be appreciated as I really want to resolve this so I can learn where I am going wrong more than actually needing it to work!

Thanks

Kyle

rahgovin · ‎08-01-2010

one thing you could notice hear is that the source port in the log is not 22 but another number(3), which makes me believe that there is some sort of PAT happening for the return traffic thus resulting in change of port numbers and thereby not coming under return policy. So tighten your nat overload statements to PAT only your internal networks to the the ATM interface and deny the rest of the traffic from being PATted.

Are the nat statements similar in the 877 router too?And is it an ATM interface also on the 877?

View solution in original post

Jitendriya Athavale · ‎07-31-2010

firstly you dont need a zone-pair/service policy to access self zone from out

what i mean is anything to and from self zone is permit by default if you do not have a zone-pair

so i think the best way to solve your problem here is to remove the self-out and out-self zone pairs unless you want to block some traffic to the router

Secondly, if you still want the zone-pair, if you see the packet hitting the class-default then please reconfigure this part of zone based firewall,

i mean reconfigure this class-map and policy map with a different name and remove the old one, i know this is wierd but i have seen this work. i had a

similar issue few days back and changing the name of class-map did the trick for me

please try out the changes and let me know what happens and if possible please paste the entire class-map/policy map/ service policy config and most importantly the logs that you get because of drop packet

kyle.heath · ‎08-01-2010

I tried removing the class-map and the policy-map and then the service-policy for the zone pair out-self. I then created a new class-map, policy-map and service-policy on the zone pair and I still cannot connect and I get this Firewall Log

%FW-6-DROP_PKT: Dropping tcp session 78.xx.xx.xx:3 86.xx.xx.xx:42774 on zone-pair ccp-zp-self-out class ccp-icmp-access due to Invalid Flags with ip ident 0

So I can see from this that the problem is on the policy self-out now, so I understand this to be the returning traffic from self to out-zone. What I need to understand now is the Invalid Flags part of the log.

So you can see the full ZBF I have included the entire config below, I am afraid it is generated by the CCP and this is partly because I am learning still and partly because I have junior admins who only use CCP if they need to make changes to the ZBF.

class-map type inspect match-any smtp
match protocol smtp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map smtp
match access-group name gfi-servers
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all cmap-router-access
match access-group name ssh-to-router
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any workshop-out-allowed
match protocol http
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol pptp
match protocol l2tp
match protocol dns
match protocol ntp
match protocol icmp
match protocol ftp
match protocol ftps
match protocol tftp

match protocol telnet
match protocol ssh
match protocol isakmp
match protocol ipsec-msft
match protocol user-sts
match protocol user-rdp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map smtp
match access-group name tmcm-cscm
class-map type inspect match-any cscm-mav-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-policy-workshop-out-allowed-
match access-group name gfimax-servers
class-map type inspect match-any cscm-g2g-allowed
match protocol icmp
match protocol user-rdp
class-map type inspect match-all sdm-nat-user-sts-1
match access-group 101
match protocol user-sts
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any mav-out-allowed
match protocol http
match protocol https
match protocol icmp
match protocol dns
class-map type inspect match-all sdm-nat-https-1

match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-policy-mav-out-allowed
class type inspect mav-out-allowed
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-sts-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect pmap-window-scale
class type inspect ccp-insp-traffic
inspect pmap-window-scale
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-policy-cscm-g2g-allowed

class type inspect cscm-g2g-allowed
inspect
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect sdm-policy-cscm-mav-allowed
class type inspect cscm-mav-allowed
inspect
class class-default
drop
policy-map type inspect sdm-policy-workshop-out-allowed
class type inspect workshop-out-allowed
inspect
class class-default
drop
policy-map type inspect pmap-out-self
class type inspect cmap-router-access
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security mav-zone
zone security workshop-zone
zone security g2g-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect pmap-out-self
zone-pair security sdm-zp-mav-zone-out-zone source mav-zone destination out-zone
service-policy type inspect sdm-policy-mav-out-allowed
zone-pair security sdm-zp-in-zone-mav-zone source in-zone destination mav-zone
service-policy type inspect sdm-policy-cscm-mav-allowed
zone-pair security sdm-zp-mav-zone-in-zone source mav-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-workshop-zone-out-zone source workshop-zone destination out-zone
service-policy type inspect sdm-policy-workshop-out-allowed
zone-pair security sdm-zp-in-zone-g2g-zone source in-zone destination g2g-zone
service-policy type inspect sdm-policy-cscm-g2g-allowed

ip access-list extended ssh-to-router
permit tcp any any eq 22

rahgovin · ‎08-01-2010

Can you try adding the access-list "permit tcp any eq 22 any" to the self to out zone and pass( (not inspect) as the policy map rule for both self -out zone pair and out-zone pair policy?

And the logs message you posted is the right one right? Just making sure that its not generated for some other traffic.

kyle.heath · ‎08-01-2010

I have tried the policy map out-self and self-out with the class map for ssh and set this to pass instead of inspect but this still generates the same firewall log.

%FW-6-DROP_PKT: Dropping tcp session 78.xx.xx.xx:3 86.xx.xxxx:45369 on zone-pair ccp-zp-self-out class ccp-icmp-access due to Invalid Flags with ip ident 0

I have checked the access list for hits and get a hit on the ACL when connecting and if I set the out-self policy map to pass log I can see the packet being passed so I now suspect that the problem is on the return traffic and for some reason the the Invalid Flag is being detected , Cisco IOS reference defines this as Flags in TCP Segment are invalid.

I have checked and the log above is generated as I try the SSH connection from my home.

I have used the config I have on a 877 router with no problem so I am beginning to wonder if this is a bug in the IOS?

rahgovin · ‎08-01-2010

What is the code that you are running on the 877 router? Is there any other difference between the 2 devices wrt config?

Can you also post your nat config?

rahgovin · ‎08-01-2010

one thing you could notice hear is that the source port in the log is not 22 but another number(3), which makes me believe that there is some sort of PAT happening for the return traffic thus resulting in change of port numbers and thereby not coming under return policy. So tighten your nat overload statements to PAT only your internal networks to the the ATM interface and deny the rest of the traffic from being PATted.

Are the nat statements similar in the 877 router too?And is it an ATM interface also on the 877?

kyle.heath · ‎08-01-2010

I took your advice on the PAT and it makes sense now, the connection comes in on port 22 and then on teh return gets PAT out the ATM0/0/0.1 interface and violates the ZBF and is dropped.

I use route maps on the PAT statements and I dont have these on my 877 routers so that made sense too.

My route map statements are designed to just match the ATM interface for a failover DSL solution

ip nat inside source route-map O2 interface ATM0/0/0.1 overload

route-map O2 permit 10

match interface ATM0/0/0.1

I created an ACL to apply to the route map so that only my internal network traffic is PAT and everything else is denied.

access-list 120 ip permit 192.168.110.0 0.0.0.255 any

access-list 120 ip deny any any

I then added this ACL to the route map with the match ip address 120 line

And when I tested access with SSH it works!! And I can understand why which is even better. Thanks so much for your help and getting me to find what was the cause, I will think much harder about PAT in the future and remember what an effect PAT statements can have on a config!