Class Maps, Policy Maps and why I can't SSH to my Dialer0 from Internet

jaesposito
Level 1

All,

I have the following configuration snippet on my Cisco 881W that I can't make heads or tails of:

class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!

The above appears to only apply to my Dialer0 interface as given away by the following snippet of my dialer interface:

interface Dialer0
description $FW_OUTSIDE$
...
zone-member security out-zone

---------------

So here are my two questions:

1.)  What exactly is the above class-map, policy-map configuration doing?

2.)  Secondly, why is it keeping me from SSHing to my Dialer0 interface from the Internet?

(If I remove the 'zone-member security out-zone' from my Dialer0 interface, I can SSH in fine).

Any and all comments would be greatly appreciated!

Thanks very much!

James E
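Reading the posted policy against the three zone-pairs, as an added note and example (not part of the original thread): ccp-zp-in-out (in-zone to out-zone, policy ccp-inspect) drops and logs anything whose source matches access-list 100 (not shown in the post), inspects HTTP and the listed protocols plus generic TCP and UDP, and drops everything else. ccp-zp-self-out (self to out-zone, policy ccp-permit-icmpreply) inspects ICMP, TCP and UDP that the router itself originates, so the replies are allowed back, and passes the rest. ccp-zp-out-self (out-zone to self, policy ccp-permit) contains only class-default drop, so every new connection from the Internet to the router's own addresses is dropped, SSH to Dialer0 included. Removing zone-member security out-zone takes Dialer0 out of all three zone-pairs, which is why SSH then works (and why the rest of the firewall stops applying to that interface as well). The fix is to add a narrowly scoped class to ccp-permit ahead of class-default. The ACL and class names and the 198.51.100.0/24 management range below are placeholders I chose for the example, not anything from the thread.

```cisco
! Added example, not from the original thread. Assumes the management
! network 198.51.100.0/24 (placeholder, RFC 5737 documentation range) is
! the only source that should reach the router over SSH. Dialer0's address
! is dynamic on a dialer, so the ACL destination is "any"; the
! out-zone -> self zone-pair already restricts this policy to traffic
! addressed to the router itself.
ip access-list extended MGMT-SSH-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
!
! match-all: both the ACL and the protocol must match for the class to hit.
! "match protocol tcp" is the same generic match the CCP classes already use.
class-map type inspect match-all MGMT-SSH-CLASS
 match access-group name MGMT-SSH-IN
 match protocol tcp
!
! Add the class to the existing out-zone -> self policy. class-default is
! always evaluated last, so it keeps dropping everything that is not SSH
! from the management range.
policy-map type inspect ccp-permit
 class type inspect MGMT-SSH-CLASS
  inspect
 class class-default
  drop
!
! Belt and braces: pin the vty lines to the same source range and to SSH
! only, so a firewall misconfiguration alone does not expose telnet or
! open up SSH to the world.
ip access-list standard MGMT-VTY
 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
```

To confirm the session is being built by the new class rather than leaking through somewhere else, use the same command form quoted later in the thread against this zone-pair: show policy-map type inspect zone-pair ccp-zp-out-self sessions.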

24 Replies

Thanks. Here's another one for you since you are on fire!

After I input the following lines:

policy-map type inspect inbound-policy
class type inspect udp514-class
inspect

I receive the following message:

%No specific protocol configured in class udp514-class for inspection. All protocols will be inspected

Is this what you expected as part of your recommended configuration?  I would think that the intent is to only examine the protocol of interest, which in this case is UDP 514.  No?

James

I assume that within the class-map you have match ACL 151, right?

If you check: sh run | s class-map

I assume based on the previous configuration, the class-map "udp514-class" would have ACL 151 under the match statement.

Anyway, without NAT translation configured, nothing inbound would be able to initiate connection except the specific NAT statement that you configure.

I have the class-map as such:

class-map type inspect match-any udp514-class
 match access-group 151

Also, when I attempt to add "log" as you recommended, I'm receiving the following error message suggesting that I'm attempting an invalid configuration command:

------------------------

% Invalid input detected at '^' marker.

Here is the full output when I attempt the configuration:

------------------------------

Cisco(config)#class-map type inspect match-any udp514-class
Cisco(config-cmap)#match access-group 151
Cisco(config-cmap)#log
                   ^
% Invalid input detected at '^' marker.

Cisco(config-cmap)#

------------------------

I'd really like to be able to "log" the matches.

Thanks!

James

The inspect traffic should by default already be logging without having to specify the logging. Only the "drop" action needs to have the logging specified.

Thanks.  Any final thoughts about this:

---------------------------

After I input the following lines:

policy-map type inspect inbound-policy
class type inspect udp514-class
inspect

I receive the following message:

%No specific protocol configured in class udp514-class for inspection. All protocols will be inspected

Is this what you expected as part of your recommended configuration? I would think that the intent is to only examine the protocol of interest, which in this case is UDP 514. No?

---------------------------

As you double-checked with me earlier, I do have access-list 151 under the class-map. So, I'm at a loss.

I've rated your responses!  So thank you for the help!

James

Nothing to worry about. It just means that there is no specific application layer inspection for that protocol; therefore, it will just be inspected and allowed to go through as a normal UDP packet.

If you configure an application layer specific protocol like SMTP (with "match protocol smtp" to match the traffic), it has application intelligence which would inspect the SMTP packet to only allow SMTP or restricted SMTP packets to pass through (for example: the normal HELO for an SMTP packet).

And since there is no specific application layer inspection for UDP/514 (syslog), it throws out that error message, that means it will inspect it as just a normal UDP packet.

Hope that answers your question.

Thanks. What's the best command to run at the command prompt to verify that the rules are logging permitted traffic for this specific rule allowing Syslog from the outside?

James

On Mar 30, 2010, at 11:22 PM, halijenn

In particular, I want to verify the source ip addresses of inbound data from within the syslogs of the router assuming that is captured when these rules are triggered. Thanks.

James

Here is the command to see the actual session:

show policy-map type inspect zone-pair ccp-zp-out-in sessions
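The inbound syslog policy discussed above, pulled together as one added example that is not part of the original thread: it reuses the names from the posts (access-list 151, udp514-class, inbound-policy, the zone-pair ccp-zp-out-in) and shows what narrows the "All protocols will be inspected" warning to a single flow, how to get session open/close logged with the source address the poster asked about, and the static NAT the earlier reply said an inbound connection needs. The sender 203.0.113.10, the collector 192.168.1.50 and the parameter-map name are placeholders I chose for the example.

```cisco
! Added example, not from the original thread. Assumes an external syslog
! sender at 203.0.113.10 (placeholder, RFC 5737 range) forwarding to an
! inside collector at 192.168.1.50 (placeholder) on UDP/514.
!
! Outside-to-inside traffic is NAT-translated before the zone-based policy
! evaluates it, so the ACL references the collector's inside address.
! Pinning both the sender and the collector means "all protocols will be
! inspected" only ever applies to this one flow.
access-list 151 permit udp host 203.0.113.10 host 192.168.1.50 eq 514
!
class-map type inspect match-any udp514-class
 match access-group 151
!
! audit-trail logs session creation and teardown for inspected traffic,
! including the source and destination addresses, which is what the poster
! wanted to see in the router's syslog. Drops already log via "drop log".
parameter-map type inspect syslog-audit
 audit-trail on
!
policy-map type inspect inbound-policy
 class type inspect udp514-class
  inspect syslog-audit
 class class-default
  drop log
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect inbound-policy
!
! Without a translation nothing from the outside can reach the private
! collector, so expose exactly this one port on the dialer's address.
ip nat inside source static udp 192.168.1.50 514 interface Dialer0 514
```

Entering "inspect syslog-audit" under udp514-class still produces the "%No specific protocol configured ... All protocols will be inspected" message, because the class matches by ACL rather than by an application protocol; the ACL, not the inspect action, is what limits the match to UDP/514. Check with show policy-map type inspect zone-pair ccp-zp-out-in sessions, which lists the active session with the translated addresses, and compare it against the audit-trail line in the router's syslog.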
