How to allow SSH into Zone Based Firewall?

mramirez (Level 1)

I am stuck trying to figure out how to allow an SSH connection from the outside to the WAN uplink on my firewall. I just recently converted to zone-based. I have tried adding it all different ways but no luck. Can someone help me out?

Let's say I wanted to configure a specific IP address from the internet to access the router only through SSH.

22 Replies

Does this also apply to SNMP? It seems that SNMP is also blocked by default.

Hi Fred,

I guess it depends on whether you're using SNMP on the inside or the outside?

I'm trying to get it working from the outside. I wasn't able to connect to the Cisco 871 from the outside with SSH, but that is functioning now thanks to your solution. I was wondering if this is also the case with monitoring from the outside, because we want to monitor customers remotely.

I will try it later tonight and let you know. I am fairly new to Zone-Based Firewalls. I would think you follow the same concept as for SSH in the example above. Post your config and maybe Toshi can comment on it.

Here is my config:

Hi Fred,

Outside zone to self has a class-default that denies everything by default. Yes! We can change it. You need to configure what you want to allow in your policy-map (sdm-permit). It can be either "inspect" or "pass", using an ACL to match the traffic you want. Keep in mind that when using the "pass" keyword you then need to allow from self to the outside zone as well. That's why we prefer "inspect", as we did before.

HTH,

Toshi

Hi Toshi,

Should I then also alter the following:

class-map type inspect match-any access-to-router
 match class-map SSH
!
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default

It is not clear to me what to configure.

Hi All

I had exactly the same issue with enabling just SSH access to the router for remote control.

Only passing SSH traffic worked; inspecting would not work at all, because of the following error:

%Protocol ssh configured in class-map classSSH cannot be configured for the self zone. Please remove the protocol and retry

We are talking about this kind of policy:

Policy Map type inspect policyOutsideToRouter
     Description: policy allowing remote access to router
          Class classSSH
               Inspect
          Class class-default
               Drop log


Can someone please explain why SSH traffic coming from the WAN to the self zone cannot be inspected, and why it has to be passed?

Thanks
Andrzej
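Putting together what the thread establishes so far (Toshi: outside-to-self is dropped by class-default until you add a class with "inspect" or "pass", and "pass" needs a matching self-to-outside policy; Andrzej: "match protocol ssh" is rejected for the self zone, so "pass" is what actually took), here is a complete configuration for the original question, a single internet host allowed to SSH to the router. This is an added example, not a config posted by anyone in the thread. Assumed names: zone out-zone, WAN interface FastEthernet4, and 203.0.113.10 as a placeholder for the permitted admin host; swap in your own.

```ios
! Added example (not from the thread). Assumed: zone out-zone, WAN interface
! FastEthernet4, admin host 203.0.113.10 (placeholder address).
!
! Outside -> self: only SSH (TCP/22) from the one permitted host.
ip access-list extended ACL-SSH-IN
 permit tcp host 203.0.113.10 any eq 22
!
! Self -> outside: the router's SSH replies back to that host.
! "pass" is stateless, so nothing opens a return path for you; the
! reverse direction has to be matched explicitly (source port 22 here).
ip access-list extended ACL-SSH-OUT
 permit tcp any eq 22 host 203.0.113.10
!
! Match on the ACLs, not on "protocol ssh", which the self zone rejects
! with the error quoted above.
class-map type inspect match-all CM-SSH-IN
 match access-group name ACL-SSH-IN
class-map type inspect match-all CM-SSH-OUT
 match access-group name ACL-SSH-OUT
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-SSH-IN
  pass
 class class-default
  drop log
!
policy-map type inspect PM-SELF-OUT
 class type inspect CM-SSH-OUT
  pass
 class class-default
  drop log
!
zone security out-zone
!
zone-pair security OUT-SELF source out-zone destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security SELF-OUT source self destination out-zone
 service-policy type inspect PM-SELF-OUT
!
interface FastEthernet4
 zone-member security out-zone
!
! "only through SSH" on the VTYs; assumed, not stated in the thread.
line vty 0 4
 transport input ssh
```

Two caveats before copying this. First, the self-to-outside zone-pair with "drop log" in class-default also drops every other packet the router itself sends toward the WAN (DNS, NTP, syslog, SNMP traps); if the router originates any of that, give it its own pass class in PM-SELF-OUT or you will lock those out. Second, Fred's SNMP question is handled the same way: add UDP/161 from the monitoring host to ACL-SSH-IN and UDP source port 161 back to that host in ACL-SSH-OUT, since SNMP polls and their replies are stateless here as well. Verify with "show policy-map type inspect zone-pair OUT-SELF" and watch the class-default drop counter while you connect.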