Management Access over VPN to 887 after config pro setup

paul.adam
Level 1

Hi All,

I've just deployed three 887Ws for a customer at a few branch offices, and as it's the first time I have deployed these devices I decided to go with the GUI (downloaded Config Pro 2.3) to get the config done as I had a few time pressures to get them in place (sometimes I do go with the GUI first off, then look back at the CLI to see what it's done and then pick it apart in Notepad, to get a better understanding of any new features that the CLI has maybe gone and enabled).

One thing I knew I was going to be facing was my first experience of the IOS Zone Based Firewall type of config...

At this stage, I'm still quite fuzzy on the config (hence why I'm posting here I guess!) - but the main issue I have at the moment is with management access to the devices.

Particularly in regards to management access from the head office to the inside IP address of the branch routers.

I should mention that the branch routers are connected to the head office by IPsec site-to-site VPN connections, and these connections are all fine; all connectivity (PC to server, PC to printer, etc.) is fine. I can also send ping packets (using the inside interface as the source) from the branch routers to servers on the head office LAN.

I have configured management access using Config Pro to allow access from the head office subnet to the router (on its inside interface) as well as the local subnet, and also SSH access for a specific internet host. The local subnet and the single internet-based host can access the router fine.

I'm not sure if the problem is with the ZBF config or if it's something really obvious I'm missing! I've done branch routers many times before, so with this being the first ZBF config I have done, I have come to the conclusion that it must be something in the lack of my understanding.

Any help greatly appreciated... sanitized config below!

Thanks in advance

Paul

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Dummy-Name
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
memory-size iomem 10
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-2874941309
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2874941309
revocation-check none
rsakeypair TP-self-signed-2874941309
!
!
crypto pki certificate chain TP-self-signed-2874941309
certificate self-signed 01
<Certificate removed>

no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.63
ip dhcp excluded-address 10.0.0.193 10.0.0.254
!
ip dhcp pool ccp-pool
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   domain-name xxxxxxxxx.com
   dns-server 192.168.xx.20 194.74.xx.68
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name xxxxxxx.com
ip name-server 192.168.xx.20
ip name-server 194.74.xx.68
no ipv6 cef
!
!
multilink bundle-name authenticated

parameter-map type urlfpolicy websense cpwebpara0
server 192.168.xx.25
source-interface Vlan1
allow-mode on
parameter-map type urlf-glob cpaddbnwlocparapermit0
pattern citrix.xxxxxxxxxxxx.com

license udi pid CISCO887MW-GN-E-K9 sn xxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 106
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type urlfilter match-any cpaddbnwlocclasspermit0
match  server-domain urlf-glob cpaddbnwlocparapermit0
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type urlfilter websense match-any cpwebclass0
match  server-response any
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 103
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class class-default
  drop
policy-map type inspect urlfilter cppolicymap-1
parameter type urlfpolicy websense cpwebpara0
class type urlfilter cpaddbnwlocclasspermit0
  allow
  log
class type urlfilter websense cpwebclass0
  server-specified-action
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy urlfilter cppolicymap-1
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address 194.105.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.105.xxx.xxx
set peer 194.105.xxx.xxx
set transform-set ESP-3DES-SHA
match address VPN-ACL
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 81.142.xxx.xxx 255.255.xxx.xxx
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SNMP
remark CCP_ACL Category=0
permit udp any any eq snmp
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended VPN-ACL
remark ACL to Indentify interesting traffic to bring up VPN tunnel
remark CCP_ACL Category=4
permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 10.128.xx.0 0.0.255.255
permit ip 10.0.0.0 0.0.0.255 160.69.xx.0 0.0.255.255
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 193.195.xxx.xxx
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.xx.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.142.xxx.xxx 0.0.0.7 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq 22
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq 443
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq cmd
access-list 101 deny   tcp any host 81.142.xxx.xxx eq telnet
access-list 101 deny   tcp any host 81.142.xxx.xxx eq 22
access-list 101 deny   tcp any host 81.142.xxx.xxx eq www
access-list 101 deny   tcp any host 81.142.xxx.xxx eq 443
access-list 101 deny   tcp any host 81.142.xxx.xxx eq cmd
access-list 101 deny   udp any host 81.142.xxx.xxx eq snmp
access-list 101 permit ip 160.69.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.128.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 194.105.xxx.xxx host 81.142.xxx.xxx eq non500-isakmp
access-list 101 permit udp host 194.105.xxx.xxx host 81.142.xxx.xxx eq isakmp
access-list 101 permit esp host 194.105.xxx.xxx host 81.142.xxx.xxx
access-list 101 permit ahp host 194.105.xxx.xxx host 81.142.xxx.xxx
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.xx.0 0.0.0.255 any
access-list 102 permit ip host 193.195.xxx.xxx any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip host 193.195.xxx.xxx host 81.142.xxx.xxx
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq www
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 104 deny   tcp any host 10.0.0.1 eq telnet
access-list 104 deny   tcp any host 10.0.0.1 eq 22
access-list 104 deny   tcp any host 10.0.0.1 eq www
access-list 104 deny   tcp any host 10.0.0.1 eq 443
access-list 104 deny   tcp any host 10.0.0.1 eq cmd
access-list 104 deny   udp any host 10.0.0.1 eq snmp
access-list 104 permit ip any any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 194.105.xxx.xxx any
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.128.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 160.69.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 107 remark CCP_ACL Category=2
access-list 107 deny   ip 10.0.0.0 0.0.0.255 160.69.0.0 0.0.255.255
access-list 107 deny   ip 10.0.0.0 0.0.0.255 10.128.0.0 0.0.255.255
access-list 107 deny   ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 107 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 107
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 130.159.196.118 prefer source Dialer0
end


16 Replies

praprama
Cisco Employee

Hi Paul,

From which IP address are you trying to connect to this router and to what IP address on this router are you connecting? I am guessing you are trying to connect to 10.0.0.1. Please let me know the above IP address details.

Also, enable the logging and "ip inspect log drop-pkt" on the router. You should then be able to see logs of traffic being dropped by the ZBF configuration. Forward those logs too if you notice something relevant.

Thanks and Regards,

Prapanch

Hi Prapanch,

Thanks for your response.

Enabled the ip inspect log drop-pkt and not seeing anything in the logs about failed telnet, ssh, https connection attempts (other than stuff to do with the URL filter).

......and yes, you are correct I am trying to connect to 10.0.0.1 from any ip on the 192.168.16.0/24 subnet.

What's next?

Just to check, have I sanitized the config too far in my original post? Just in case this gets in the way.

Regards

Paul

Hey Paul,

Here is the relevant configuration:

policy-map type inspect ccp-permit

class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect


class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 103


class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS


class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS


ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443


access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip host 193.195.xxx.xxx host 81.142.xxx.xxx

The above config will allow you to access the router on the 81.142.xxx.xxx IP address from the 193.195.xxx.xxx host using SSH/HTTPS/SHELL. To allow access from 192.168.16.0/24 network to 10.0.0.1 IP of the router, add another entry to the access-list 103 as below:

access-list 103 permit ip 192.168.16.0 0.0.0.255 host 10.0.0.1

This should enable access to that IP for those hosts using SSH and HTTPS. Try this out and let me know how it goes.

Thanks and Regards,

Prapanch

Hi Prapanch,

Thanks, I have implemented the changes as described in your response, but still no joy I'm afraid; however, I do now see the following in the logs.

(Note this is from the other branch from the one I sent the original config over from, as all local PCs were in use at the site I had been using - I obviously changed your commands around to fit in with the IP and subnet changes.) The only changes are that the internal range at this site is on a 10.0.2.0/24 subnet, the router is on 10.0.2.1 and of course there is a different public range...

Anyway, the log entry is showing

Sep 30 14:26:36:059 (target-class)-(ccp-zp-out-self:sdm-mgmt-cls-ccp-permit-0) Passing telnet pkt 192.168.16.22:19237 => 10.0.2.1:23 with ip ident 0

So this is good; the changes are showing that the packets are now definitely hitting the correct interface.

But that unfortunately is it, so we must have some issue with the return path???

Interestingly, if I issue a ping from the router to the 192.168.16.22 using the command (ping 192.168.16.22) I get no response, but if I issue the command and set it to use the inside vlan as the source (e.g. ping 192.168.16.22 source vlan 1) then it succeeds.

I assume this may be part of the issue.

What's next?

Thanks again for your continued support on this issue - Much appreciated

Paul

Hi,

1) The telnet connection you are trying seems to be permitted. Do you see any other logs related to that connection? Is SSH working to the VLAN 1 ip address? When trying a telnet or SSH connection from 192.168.16.22, please send the output of the following:

show policy-map type inspect zone-pair ccp-zp-out-self session

This should throw some light on what exactly is happening.

2) The reason why sourced ping from VLAN 1 works but a normal ping does not is due to the VPN configuration. As configured, the crypto ACL for the VPN is as below:

ip access-list extended VPN-ACL
remark ACL to Indentify interesting traffic to bring up VPN tunnel
remark CCP_ACL Category=4
permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 10.128.xx.0 0.0.255.255
permit ip 10.0.0.0 0.0.0.255 160.69.xx.0 0.0.255.255

When you just ping 192.168.16.22, the traffic is sourced with the IP address of Dialer0 due to the default route and hence does not match the crypto ACL.

But the sourced ping from VLAN 1 matches the crypto ACL configured and hence pings work. This hasn't got anything to do with the ZBF configuration.

Regards,

Prapanch
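
To make the two points above concrete (why access-list 103 needed an entry for 192.168.16.0/24 to 10.0.0.1 before the match-all management class could match, and why only the Vlan1-sourced ping matches the crypto ACL), here is an added Python model of IOS wildcard-mask ACL and class-map evaluation. It is not from the thread or from Cisco; the 193.195.x and 81.142.x public addresses are sanitized on the page, so constructed placeholders stand in for them.

```python
"""Model of the ZBF classification discussed in this thread (added example).

ACL entries: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
Packets: dict with proto, src, dst, dport.
"""
from ipaddress import ip_address

ANY = ("0.0.0.0", "255.255.255.255")        # 'any' in IOS ACL syntax
HQ_NET = ("192.168.16.0", "0.0.0.255")      # head-office LAN named in the thread
BRANCH_LAN_IP = "10.0.0.1"                  # Vlan1 address of the branch router
# Public addresses are sanitized on the page; these are constructed placeholders.
ADMIN_HOST = "193.195.0.5"                  # stands in for 193.195.xxx.xxx
DIALER0_IP = "81.142.0.10"                  # stands in for 81.142.xxx.xxx


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def acl_permits(acl, pkt):
    """Evaluate an extended ACL: first matching entry wins, implicit deny at the end."""
    for action, proto, src, smask, dst, dmask, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, smask)
                and wildcard_match(pkt["dst"], dst, dmask)):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False


# Named ACLs behind the CCP-generated service class-maps (port 'cmd' is 514).
SDM_SSH = [("permit", "tcp", *ANY, *ANY, 22)]
SDM_HTTPS = [("permit", "tcp", *ANY, *ANY, 443)]
SDM_SHELL = [("permit", "tcp", *ANY, *ANY, 514)]

# access-list 103 as CCP generated it, and with the line the accepted answer adds.
ACL103_ORIGINAL = [("permit", "ip", ADMIN_HOST, "0.0.0.0", DIALER0_IP, "0.0.0.0", None)]
ACL103_FIXED = ACL103_ORIGINAL + [("permit", "ip", *HQ_NET, BRANCH_LAN_IP, "0.0.0.0", None)]


def mgmt_class_matches(pkt, acl103):
    """class-map match-all sdm-mgmt-cls-ccp-permit-0:
    (match-any of SDM_SSH / SDM_HTTPS / SDM_SHELL) AND access-group 103."""
    service_ok = any(acl_permits(a, pkt) for a in (SDM_SSH, SDM_HTTPS, SDM_SHELL))
    return service_ok and acl_permits(acl103, pkt)


# Crypto ACL VPN-ACL: only traffic sourced from the branch LAN is 'interesting'.
VPN_ACL = [
    ("permit", "ip", "10.0.0.0", "0.0.0.255", "192.168.16.0", "0.0.0.255", None),
    ("permit", "ip", "10.0.0.0", "0.0.0.255", "10.128.0.0", "0.0.255.255", None),
    ("permit", "ip", "10.0.0.0", "0.0.0.255", "160.69.0.0", "0.0.255.255", None),
]


def vpn_interesting(src, dst):
    """True if a packet src -> dst would be selected for the IPsec tunnel."""
    return acl_permits(VPN_ACL, {"proto": "ip", "src": src, "dst": dst, "dport": None})


if __name__ == "__main__":
    ssh_from_hq = {"proto": "tcp", "src": "192.168.16.22", "dst": BRANCH_LAN_IP, "dport": 22}
    telnet_from_hq = dict(ssh_from_hq, dport=23)
    print("SSH from HQ, original ACL 103:", mgmt_class_matches(ssh_from_hq, ACL103_ORIGINAL))
    print("SSH from HQ, fixed ACL 103:   ", mgmt_class_matches(ssh_from_hq, ACL103_FIXED))
    print("telnet from HQ, fixed ACL 103:", mgmt_class_matches(telnet_from_hq, ACL103_FIXED))
    print("ping sourced from Dialer0 hits crypto ACL:", vpn_interesting(DIALER0_IP, "192.168.16.22"))
    print("ping sourced from Vlan1 hits crypto ACL:  ", vpn_interesting(BRANCH_LAN_IP, "192.168.16.22"))
```

Telnet stays unmatched even with the fixed ACL 103 because no service class-map covers port 23, which is the gap the thread later runs into when `match protocol telnet` is added by hand.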

Hey Paul,

Sorry, missed out a detail!! On line vty you have an access-class applied restricting access to the router using telnet/ssh as below:

line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh

access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.xx.0 0.0.0.255 any
access-list 102 permit ip host 193.195.xxx.xxx any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any

Does it allow the 192.168.16.0/24 network? I am asking this because I only see "xx" above.

Regards,

Prapanch

Yes - sorry, my random sanitizing of the config; it is indeed an ACL permitting 192.168.16.0 0.0.0.255.

Just away to look at your other post and run that test for you.

Thanks

Paul

Here's the output of the show command:

policy exists on zp ccp-zp-out-self
Zone-pair: ccp-zp-out-self

  Service-policy inspect : ccp-permit

    Class-map: SDM_VPN_PT (match-all)
      Match: access-group 101
      Match: class-map match-any SDM_VPN_TRAFFIC
        Match: protocol isakmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ipsec-msft
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: class-map match-any SDM_AH
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_AH
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: class-map match-any SDM_ESP
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_ESP
            0 packets, 0 bytes
            30 second rate 0 bps
      Pass
        668 packets, 72000 bytes

    Class-map: sdm-mgmt-cls-ccp-permit-0 (match-all)
      Match: class-map match-any sdm-mgmt-cls-0
        Match: class-map match-any SDM_SHELL
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_SHELL
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: class-map match-any SDM_SSH
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_SSH
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: class-map match-any SDM_HTTPS
          0 packets, 0 bytes
          30 second rate 0 bps
          Match: access-group name SDM_HTTPS
            0 packets, 0 bytes
            30 second rate 0 bps
        Match: protocol telnet
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: access-group 103
      Pass
        20 packets, 576 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        978 packets, 386061 bytes

Any Help?

Hmmm... that's interesting. Is the action still configured as "inspect" or has it been changed to "pass"?

policy-map type inspect ccp-permit

class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect

This is the section I am referring to. From the output posted above I see it as pass. Please paste the output of "show run policy-map type inspect ccp-permit" over here. Also, I noticed from the above output that the class-map sdm-mgmt-cls-ccp-permit-0 has been changed to match-any from match-all. That should not really make a difference.

Please do change the action to "inspect" if it is showing as "pass".

Let me know if it works.

Regards,

Prapanch

Hey Paul,

Did the above work?

Regards,

Prapanch

Hi Prapanch, I was unable to get a PC free at the site to use (accessing the PCs remotely with TeamViewer).

Hopefully I will get one free today.

Thanks

Paul

Prapanch - you are a genius!!!!

Working perfectly!

Think part of the confusion may have come from me applying the config to the other branch router in the first place, which should have been identical to the main router, but I need to have a closer look and see if there is indeed a difference??

Will keep you posted - if I'm still having problems I will get back to you.

Thanks

Paul

Hey Paul,

Glad to know I was of help!! Do get back if there's anything. If not, please ensure to mark this one as answered.

Thanks and Regards,

Prapanch

Hi Prapanch - all is working perfectly now. The problem with the other branch was that during troubleshooting I had added the following statement into the sdm-mgmt-cls-0 class map:

match protocol telnet

Adding this meant the class map could not be assigned the action "inspect"; removed this and it worked.

Once again thanks for your help - I have marked this thread as answered!

Cheers

Paul
