How to allow SSH into Zone Based Firewall?

mramirez
Level 1

I am stuck trying to figure out how to allow an SSH connection from the outside to the WAN uplink on my firewall. I just recently converted to the zone-based firewall. I have tried adding it all different types of ways but no luck. Can someone help me out?

Let's say I wanted to configure a specific IP address from the internet to access the router only through SSH.

22 Replies

Hi MANNY,

Just add the commands I provided.

!

class-map type inspect match-all SSH

match protocol ssh

!

policy-map type inspect sdm-permit

class type inspect SSH

inspect

You may filter hosts to access this device by adding ACLs into the class-map.

Please let us know how things work out.

HTH,

Toshi

Hi Toshi,

First of all, thanks for your suggestions. I tried what you suggested but got an error. Here is the exact copy from the router. Since it did not like the inspect command, I tried pass, but that did not work either. Any other suggestions?

Manny-2691(config)#class-map type inspect match-all SSH

Manny-2691(config-cmap)#match protocol ssh

Manny-2691(config-cmap)#!

Manny-2691(config-cmap)#policy-map type inspect sdm-permit

Manny-2691(config-pmap)#class type inspect SSH

Manny-2691(config-pmap-c)#inspect

%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry

Manny-2691(config-pmap-c)#

Hi Manny,

Sorry, that was my fault. It should be like this.

Manny-2691(config-pmap)#class type inspect SSH

Manny-2691(config-pmap-c)#pass

HTH,

Toshi

Hi Toshi,

The pass did not work either. Here is what I have in the config so far. I have attached a snapshot from SDM to see if it makes any sense.

Thanks for your help, by the way. I am currently studying for my CCNA Security and this is bugging the heck out of me.

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 103

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 102

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any SDM-Voice

match protocol h323

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all SSH

match protocol ssh

class-map type inspect match-all GRE

match access-group 104

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-invalid-src

match access-group 101

class-map type inspect match-all sdm-protocol-http

match protocol http

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

inspect

class type inspect SDM-Voice

inspect

class class-default

pass

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class type inspect GRE

pass

class class-default

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

drop log

class type inspect sdm-insp-traffic

inspect

class type inspect sdm-protocol-http

inspect

class type inspect SDM-Voice-permit

inspect

class class-default

pass

policy-map type inspect sdm-permit

class type inspect SDM_VPN_PT

pass

class type inspect SDM-Voice

inspect

class type inspect SSH

pass

class class-default

drop log

!

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

Hi Manny,

When you try to SSH to the router, what is the exact error you get?

Edit: What is the exact IP address you are using as the source IP address to SSH to the router?

####################

access-list 105 remark VTY Access-class list

access-list 105 remark SDM_ACL Category=1

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 192.168.2.0 0.0.0.255 any

####################

For testing :

line vty 0 4

no access-class 105 in

Please let me know.

Toshi

Hi,

I got the error below when I tried putting the inspect command under the policy-map on the router. It did not like the inspect, so I tried pass, but that is still not letting me SSH into the router from a remote IP address. Here is the error.

%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry.

Manny,

Well, it has to be "PASS".

What's the exact source IP address you are trying to SSH to the router from?

See my previous post.

Toshi

OK, here is the updated config. I have listed the source IP in access-list 105 for the VTY. It starts with 99.xxxx.

Manny,

Without using the Zone Based Firewall, did you ever access the router using SSH? I've not seen any crypto key generated by the router.

Please let me know.

Toshi

Toshi,

Yes, I have verified that the crypto keys are generated using the command "sh crypto key mypubkey rsa" or using SDM. I have not been able to SSH using this configuration. If I use a simple config from scratch, I can. But when I start adding all the policies and class-maps, that's when I can't get back in.

Manny,

Here is my last hope. Let's try this first:

!

policy-map type inspect sdm-permit

no class type inspect SSH

!

ip access-list extended SSH

permit tcp any any eq 22

!

class-map type inspect match-any SSH

match access-group name SSH

!

!

policy-map type inspect sdm-permit

class type inspect SSH

pass

!

OR

!

policy-map type inspect sdm-permit

no class type inspect SSH

!

ip access-list extended SSH

permit tcp any any eq 22

!

class-map type inspect match-any SSH

match access-group name SSH

!

class-map type inspect match-any access-to-router

match class-map SSH

!

policy-map type inspect sdm-permit

class type inspect access-to-router

inspect

!

Toshi
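The two things that went wrong in this thread are easy to catch before the config is pasted into a router: a class-map naming an ACL that does not exist, and `match protocol ssh` used on a zone-pair whose destination is `self` (IOS rejects it, as the error above shows; TCP/22 has to be matched by ACL instead). A third point is that `permit tcp any any eq 22` opens SSH to the router from the whole internet, while the original question asked for one specific source address. The following linter is an added example, not code from the thread or from Cisco; both sample configs inside it are constructed, `203.0.113.10` is a placeholder management host, and the checks model only the ZBF commands shown on this page.

```python
# Added example, not from the thread or from Cisco: a linter for the zone-based
# firewall (ZBF) mistakes seen above. Sample configs are constructed; 203.0.113.10 is a placeholder.

# "Before": misspelled ACL name, 'match protocol ssh' toward self, TCP/22 open to any source.
BROKEN = """
ip access-list extended SSH
 permit tcp any any eq 22
class-map type inspect match-any SSH
 match access-group name SSH
class-map type inspect match-any access-to-router
 match class-map SSH
 match access-group name SDM_SSH
class-map type inspect match-all SSH-PROTO
 match protocol ssh
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class type inspect SSH-PROTO
  inspect
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
"""

# "After": one management host, TCP/22 matched by ACL and inspected so the reply path is handled.
HARDENED = """
ip access-list extended MGMT-SSH
 permit tcp host 203.0.113.10 any eq 22
class-map type inspect match-any access-to-router
 match access-group name MGMT-SSH
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default
  drop log
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
"""

def parse_ios(config):
    """Collect named ACLs, inspect class-maps and policy-maps, and zone-pairs."""
    cfg = {"acls": {}, "classmaps": {}, "policymaps": {}, "zonepairs": {}}
    section = ("", "")  # (kind, name) of the block we are inside; ("", "") = top level
    for raw in config.splitlines():
        line, w = raw.strip(), raw.split()
        if not w or line.startswith("!"):
            continue
        if line.startswith("ip access-list extended "):
            section = ("acls", w[3]); cfg["acls"][w[3]] = []
        elif line.startswith("class-map type inspect "):
            section = ("classmaps", w[4]); cfg["classmaps"][w[4]] = []
        elif line.startswith("policy-map type inspect "):
            section = ("policymaps", w[3]); cfg["policymaps"][w[3]] = []
        elif line.startswith("zone-pair security "):  # ... NAME source SRC destination DST
            section = ("zonepairs", w[2])
            cfg["zonepairs"][w[2]] = {"dst": w[6], "policy": None}
        elif section[0] == "acls" and w[0] in ("permit", "deny"):
            cfg["acls"][section[1]].append(line)
        elif section[0] == "classmaps" and w[0] == "match":
            cfg["classmaps"][section[1]].append(line)
        elif section[0] == "policymaps" and w[0] == "class":
            cfg["policymaps"][section[1]].append(w[-1])  # class-map name or class-default
        elif section[0] == "zonepairs" and line.startswith("service-policy type inspect "):
            cfg["zonepairs"][section[1]]["policy"] = w[3]
        elif not raw.startswith(" "):
            section = ("", "")  # any other top-level command ends the block
    return cfg

def reachable_matches(cfg, cname, seen=frozenset()):
    """Yield (owning class-map, match line) for CNAME and every class-map nested in it."""
    if cname in seen or cname not in cfg["classmaps"]:
        return
    for m in cfg["classmaps"][cname]:
        w = m.split()
        if w[1] == "class-map":
            yield from reachable_matches(cfg, w[2], seen | {cname})
        else:
            yield cname, m

def lint_self_zone_ssh(config):
    """Findings: dangling ACL names, 'match protocol ssh' toward self, SSH open to any source."""
    cfg, findings = parse_ios(config), []
    for cname, matches in cfg["classmaps"].items():
        for w in (m.split() for m in matches):
            if w[1:3] == ["access-group", "name"] and w[3] not in cfg["acls"]:
                findings.append(f"class-map {cname} references missing ACL {w[3]}")
    for zname, zp in cfg["zonepairs"].items():
        if zp["dst"] != "self" or zp["policy"] not in cfg["policymaps"]:
            continue
        for cname in cfg["policymaps"][zp["policy"]]:
            for owner, m in reachable_matches(cfg, cname):
                w = m.split()
                if w[1:] == ["protocol", "ssh"]:
                    findings.append(f"{zname}: {owner} uses 'match protocol ssh', which IOS rejects for self; match TCP/22 by ACL")
                elif w[1:3] == ["access-group", "name"]:
                    for a in (ace.split() for ace in cfg["acls"].get(w[3], [])):
                        if a[0] == "permit" and a[2] == "any" and a[-2:] in (["eq", "22"], ["eq", "ssh"]):
                            findings.append(f"{zname}: ACL {w[3]} lets any source reach SSH on the router; restrict to the management host")
    return findings
```

Run `lint_self_zone_ssh(BROKEN)` and it reports the dangling `SDM_SSH`, the `match protocol ssh` class on the out-to-self pair, and the any-source ACL; `lint_self_zone_ssh(HARDENED)` returns no findings. The hardened config uses `inspect` rather than `pass` for the same reason the second option above worked: `pass` is one-directional, so the router's replies still depend on the self-to-out policy, whereas `inspect` tracks the session. Keep the VTY `access-class` in place as well; the firewall policy and the line ACL are two independent layers.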

Toshi! You are a genius dude! The second option worked beautifully! I really appreciate your help.

Is there a book/resource that you used to learn this? I am going through my CCNA Security exam and it doesn't go into much detail on zone-based firewalls. I did buy the Cisco Deploying Zone-Based Firewalls book, but it did not show an example of SSH access.

Now all that is left is allowing webserver/mail/FTP. Do you have any quick examples of that?

Thanks again.

Manny

Manny,

Please check this link out. It may help you.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html

I'm a sleepy head now (grin) @ 4am.

Toshi

Thanks again!
