Cisco Support Community
New Member

Class Maps, Policy Maps and why I can't SSH to my Dialer0 from the Internet

All,

I have the following configuration snippet on my Cisco 881W that I can't make heads or tails of:

class-map type inspect match-any ccp-cls-insp-traffic
  match protocol cuseeme
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp extended
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-invalid-src
  match access-group 100
class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
  match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
    inspect
  class class-default
    pass
policy-map type inspect ccp-inspect
  class type inspect ccp-invalid-src
    drop log
  class type inspect ccp-protocol-http
    inspect
  class type inspect ccp-insp-traffic
    inspect
  class class-default
    drop
policy-map type inspect ccp-permit
  class class-default
    drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
!

The above appears to only apply to my Dialer0 interface as given away by the following snippet of my dialer interface:

interface Dialer0
  description $FW_OUTSIDE$
  ...
  zone-member security out-zone

---------------

So here are my two questions:

1.)  What exactly is the above class-map, policy-map configuration doing?

2.)  Secondly, why is it keeping me from SSHing to my Dialer0 interface from the Internet?

(If I remove the 'zone-member security out-zone' from my Dialer0 interface, I can SSH in fine).

Any and all comments would be greatly appreciated!

Thanks very much!

James E

24 REPLIES
Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

The reason why it is not allowing you to SSH in to Dialer0 interface is because you have the Zone Based Firewall (ZBFW) configured.

The following zone-pair is configured to drop the traffic:

zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit

policy-map type inspect ccp-permit
  class class-default
    drop

Do you need the extra security configuration?

Hope that helps.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

I'm not familiar at all with the zone-based firewall approach on Cisco IOS. I'm from the older-school access-list days.

This was the default that came on the 881W that I bought.  I'm not really sure if I need it as long as it drops attempts sourced from the outside.

Although, I'd really like to be able to SSH to my Dialer interface from the outside. Would you suggest that I just drop the zone-based firewall configuration, or is there a simple tweak that I can make to it to accommodate the SSH without compromising my security position?

On a related note, what exactly is the zone based configuration doing for me with this config?

Thanks for the help!

James E

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

If you are not familiar with Zone Based FW, I would suggest that you remove it and apply it later when you need it. It is a complicated configuration that mimics a firewall configuration on a router.

Here is some reading on ZBFW if you are interested:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Dear Halijenn,

Thanks very much for the response. Could you give me a verbal description of the default Zone Based Security Policy setup on my Cisco 881W router? I've tried to dissect it, but am totally lost. Here are the relevant config lines:

--------------------------------------

class-map type inspect match-any ccp-cls-insp-traffic
  match protocol cuseeme
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp extended
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-invalid-src
  match access-group 100
class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
  match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
   inspect
  class class-default
   pass
policy-map type inspect ccp-inspect
  class type inspect ccp-invalid-src
   drop log
  class type inspect ccp-protocol-http
   inspect
  class type inspect ccp-insp-traffic
   inspect
  class class-default
   drop
policy-map type inspect ccp-permit
  class class-default
   drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit

!

interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  ip address 192.168.1.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  zone-member security in-zone
  ip tcp adjust-mss 1412

!

interface Dialer0
  description $FW_OUTSIDE$
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip mtu 1452
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  zone-member security out-zone
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  no cdp enable
  ppp authentication chap callin
  ppp chap hostname XXXXXXXXX
  ppp chap password 7 XXXXXXXXX
!

-------------------------------------------

In addition to understanding how this is set up on my inside and outside interfaces, I want to add a rule that allows UDP 514 from specific Internet hosts (via Dialer0) to the inside of my network in Vlan1. So, any additional comments on that would also be helpful.

Thank you very much for the help!

James E

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

High level overview on ZBFW:

1) Determine the zone for each interface; in your case, in-zone for VLAN 1 and out-zone for the Dialer0 interface.

2) For every interface to communicate with the others, you need to configure zone pairing. In your case:

-- Traffic sourced from the router towards the out-zone (Dialer0 interface), for example outbound VPN traffic, ping out from the router, outbound telnet from the router, etc.:

zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply

-- Traffic sourced from in-zone (the VLAN 1 subnet) towards the Internet (outside), i.e. out-zone (out the Dialer0 interface), for example a host on VLAN 1 accessing the Internet:

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect

-- Traffic sourced from out-zone (Internet) towards the router's Dialer0 interface, for example when trying to telnet/ssh into the router from the Internet:

zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit

3) Once you have determined the zone-pairs, you need to determine the policy for each zone pairing. In the above, the "service-policy" is the policy configuration that is assigned to that zone pairing.

4) To configure a policy, you need to configure a class-map to match the traffic that you would like to allow/inspect. For example, if you would like to allow HTTP access from your internal zone towards the Internet, here is how you would configure it:

access-list 101 permit tcp any any eq 80

class-map type inspect match-any http-class
  match access-group 101

policy-map type inspect outbound-policy
  class type inspect http-class
   inspect

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect outbound-policy

You can only assign one policy to a zone-pair, so if you need to add more policy, you just configure more class-maps and configure them under the existing outbound-policy map.

From the above example, if you would like to allow SMTP traffic outbound, you can add the following:

class-map type inspect match-any smtp-class
  match protocol smtp

policy-map type inspect outbound-policy
  class type inspect smtp-class
    inspect

Or, alternatively, you can add it to the "http-class" that was configured, as follows:

class-map type inspect match-any http-class
  match access-group 101
  match protocol smtp

Hope that helps. Please rate useful post as for every rating, Cisco is matching $1 for the Haiti Earthquake. Thanks.

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

For the UDP/514 traffic, you can configure the following:

access-list 151 permit udp host host eq 514

class-map type inspect match-any udp514-class
  match access-group

policy-map type inspect inbound-policy
  class type inspect udp514-class
   inspect

zone-pair security ccp-zp-out-in source out-zone destination in-zone
  service-policy type inspect inbound-policy

Hope that helps.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Halijenn,

Thanks.  Looking at your config, I was wondering if you were accidentally missing some config lines / parameters.  I think I've added them in bold:

access-list 151 permit udp host host eq 514

access-list 151 deny any any

(I'm only interested in UDP 514 from a specific host and want to drop all other attempts)

class-map type inspect match-any udp514-class
  match access-group 151

(I think that you have to specify the access-list 151 here)

Can you confirm?  Thanks!

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Totally right, I forgot the access-list earlier. Apologies.

Here is the correct statement:

access-list 151 permit udp host host eq 514

class-map type inspect match-any udp514-class
  match access-group 151

policy-map type inspect inbound-policy
  class type inspect udp514-class
    inspect

zone-pair security ccp-zp-out-in source out-zone destination in-zone
  service-policy type inspect inbound-policy

You do not need to specify "deny ip any any" because there is an implicit deny at the end of every access-list.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Thanks.  Two more questions...

1.)  What do the references to "source self" mean?

For example:

zone-pair security ccp-zp-self-out source self destination out-zone

2.)  Also, I noticed that in my zone-pairs, there is no "source out-zone destination in-zone" pair.  Here are the pairs from the config:

zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit

With this being the case, that must mean that such a pairing does NOT exist.  Therefore, does this mean that all traffic sourced from outside and attempts to speak to the inside is dropped?  I know that this probably seems obvious.  But, I just want to double check.

If I create the pairing that you suggested below, I think that I also need to create a NAT rule to get the UDP 514 traffic to my Syslog box, which exists in Vlan1.  Let me know if there are any other config lines I need to get this done beyond a single NAT statement.

Thanks again for the help!!!

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

1) Self zone means the router itself, i.e. traffic to and from the router.

In your example, "zone-pair security ccp-zp-self-out source self destination out-zone" means traffic from the router towards the out-zone (Internet).

This is used, for example, when you would like to perform a ping test from the router towards the Internet, or test connectivity from the router towards the Internet on TCP port 80.

2) You are right. Originally you did not have a zone-pair from out-zone to in-zone. However, when we configure the UDP/514 traffic, that is when the zone-pair is created, as per my earlier post.

zone-pair security ccp-zp-out-in source out-zone destination in-zone
  service-policy type inspect inbound-policy

That means only the UDP/514 traffic that you have specified in access-list 151 will be allowed from the Internet towards your internal network. Anything else will be dropped.

3) You are right. On top of the above zone-pair configuration, you would also need to configure NAT statement.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

I think we've almost got it. But, something isn't quite right just yet. I hope you can still help me!

So, I added all of the configuration lines you suggested so I could allow UDP 514 from the outside to the inside. However, there appears to be one problem.  No matter how many times I try, I cannot add the match access-group 151 line underneath the "class-map type inspect match-any udp514-class".  It allows me to type in the line, but does not add it to the configuration.

Here is the resulting configuration:

class-map type inspect match-any udp514-class (notice the missing match access-group 151 line)

class-map type inspect match-any ccp-cls-insp-traffic
  match protocol cuseeme
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp extended
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
class-map type inspect match-all ccp-invalid-src
  match access-group 100
class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
  match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
    inspect
  class class-default
    pass
policy-map type inspect ccp-inspect
  class type inspect ccp-invalid-src
    drop log
  class type inspect ccp-protocol-http
    inspect
  class type inspect ccp-insp-traffic
    inspect
  class class-default
    drop
policy-map type inspect ccp-permit
  class class-default
    drop
policy-map type inspect inbound-policy
  class type inspect udp514-class
    inspect
  class class-default
    drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
  service-policy type inspect inbound-policy

access-list 151 permit udp any host 74.233.55.33 eq syslog log

---------------------------

Any ideas on what I'm doing wrong when I try to input that match access-group 151 line?

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Please remove the "log" keyword at the end of your access-list, and try to add the "match access-group 151" again under the class-map.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Thanks.  That did it.

Can you advise me on how to correctly configure the policy so that any hits are logged?

I want to make sure that I can view hits to the policy when I perform a "show log."

Thanks again for the help!

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Under the class-map, you should be able to add the command "log" to log those:

class-map type inspect match-any udp514-class
  match access-group 151
  log

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Thanks.  Here's another one for you since you are on fire! 

After I input the following lines:

policy-map type inspect inbound-policy
  class type inspect udp514-class
    inspect

I receive the following message:

%No specific protocol configured in class udp514-class for inspection. All protocols will be inspected

Is this what you expected as part of your recommended configuration?  I would think that the intent is to only examine the protocol of interest, which in this case is UDP 514.  No?

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

I assume that within the class-map you have match ACL 151, right?

If you check: sh run | s class-map

I assume based on the previous configuration, the class-map "udp514-class" would have ACL 151 under the match statement.

Anyway, without NAT translation configured, nothing inbound would be able to initiate connection except the specific NAT statement that you configure.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

I have the class-map as such:

class-map type inspect match-any udp514-class
  match access-group 151

Also, when I attempt to add "log" as you recommended, I'm receiving the following error message suggesting that I'm attempting an invalid configuration command:

------------------------

% Invalid input detected at '^' marker.

Here is the full output when I attempt the configuration:

------------------------------

Cisco(config)#class-map type inspect match-any udp514-class
Cisco(config-cmap)#match access-group 151
Cisco(config-cmap)#log
                   ^
% Invalid input detected at '^' marker.

Cisco(config-cmap)#

------------------------

I'd really like to be able to "log" the matches.

Thanks!

James


Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Inspected traffic should by default already be logging without having to specify logging. Only the "drop" action needs to have logging specified.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Thanks.  Any final thoughts about this:

---------------------------

After I input the following lines:

policy-map type inspect inbound-policy
  class type inspect udp514-class
    inspect

I receive  the following message:

%No specific protocol configured in class udp514-class for inspection. All protocols will be inspected

Is this what you expected as part of your recommended configuration? I would think that the intent is to only examine the protocol of interest, which in this case is UDP 514. No?

---------------------------

As you double-checked with me earlier, I do have access-list 151 under the class-map. So, I'm at a loss.

I've rated your responses!  So thank you for the help!

James

Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Nothing to worry about. It just means that there is no specific application layer inspection for that protocol; therefore, it will just be inspected and allowed to go through as a normal UDP packet.

If you configure an application-layer-specific protocol like SMTP (with "match protocol smtp" to match the traffic), it has application intelligence which would inspect the SMTP packet to only allow SMTP or restricted SMTP packets to pass through (for example, the normal HELO for an SMTP packet).

And since there is no specific application layer inspection for UDP/514 (syslog), it throws out that message, which means it will inspect it as just a normal UDP packet.

Hope that answers your question.

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Thanks. What's the best command to run at the command prompt to verify that the rules are logging permitted traffic for this specific rule allowing Syslog from the outside?

James

On Mar 30, 2010, at 11:22 PM, halijenn

New Member

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

In particular, I want to verify the source IP addresses of inbound data from within the syslogs of the router, assuming that is captured when these rules are triggered. Thanks.

James


Cisco Employee

Re: Class Maps, Policy Maps and why I cant SSH to my Dialer0 fro

Here is the command to see the actual session:

show policy-map type inspect zone-pair ccp-zp-out-in sessions

1202 Views, 10 Helpful, 24 Replies