Cisco Support Community
New Member

How to allow SSH into Zone Based Firewall?

I am stuck trying to figure out how to allow an SSH connection from the outside to the WAN uplink on my firewall. I just recently converted to the zone-based firewall. I have tried adding all different types of ways but no luck. Can someone help me out?

Let's say I wanted to configure a specific IP address from the internet to access the router only through SSH.

22 REPLIES

Re: How to allow SSH into Zone Based Firewall?

Hi MANNY,

Just add the commands I provided.

!
class-map type inspect match-all SSH
 match protocol ssh
!
policy-map type inspect sdm-permit
 class type inspect SSH
  inspect

You may filter which hosts can access this device by adding ACLs into the class-map.

Please let us know how things work out.

HTH,

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi Toshi,

First of all, thanks for your suggestions. I tried what you suggested but got an error. Here is the exact copy from the router. Since it did not like the inspect command I tried pass, but that did not work either. Any other suggestions?

Manny-2691(config)#class-map type inspect match-all SSH
Manny-2691(config-cmap)#match protocol ssh
Manny-2691(config-cmap)#!
Manny-2691(config-cmap)#policy-map type inspect sdm-permit
Manny-2691(config-pmap)#class type inspect SSH
Manny-2691(config-pmap-c)#inspect
%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry
Manny-2691(config-pmap-c)#

Re: How to allow SSH into Zone Based Firewall?

Hi Manny,

Sorry, that was my fault. It should be like this:

Manny-2691(config-pmap)#class type inspect SSH
Manny-2691(config-pmap-c)#pass

HTH,

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi Toshi,

The pass did not work either. Here is what I have in the config so far. I have attached a snapshot from SDM to see if it makes any sense.

Thanks for your help, by the way. I am currently studying for my CCNA Security and this is bugging the heck out of me.

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM-Voice
 match protocol h323
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all SSH
 match protocol ssh
class-map type inspect match-all GRE
 match access-group 104
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class type inspect SDM-Voice
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect GRE
  pass
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect SDM-Voice
  inspect
 class type inspect SSH
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect

Re: How to allow SSH into Zone Based Firewall?

Hi Manny,

When you try to SSH to the router, what is the exact error you get?

Edit: What is the exact IP address you are using as the source address to SSH to the router?

####################
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
####################

For testing:

line vty 0 4
 no access-class 105 in

Please let me know.

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi,

I got the error below when I tried putting the inspect command on the router under the policy-map. It did not like the inspect, so I tried the pass, but that is still not letting me SSH into the router from a remote IP address. Here was the error:

%Protocol ssh configured in class-map SSH cannot be configured for the self zone. Please remove the protocol and retry.

Re: How to allow SSH into Zone Based Firewall?

Manny,

Well, it has to be "pass".

What is the exact source IP address you are using to SSH to the router?

See my previous post.

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

OK, here is the updated config. I have listed the source IP in access-list 105 for the VTY. It starts with 99.xxxx.

Re: How to allow SSH into Zone Based Firewall?

Manny,

Without using the Zone-Based Firewall, did you ever access the router using SSH? I have not seen any crypto key generated by the router.

Please let me know.

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Toshi,

Yes, I have verified that the crypto keys are generated using the command "sh crypto key mypubkey rsa" or using the SDM. I have not been able to SSH using this configuration. If I use a simple config from scratch, I can. But when I start adding all the policies and class-maps, that's when I can't get back in.

Re: How to allow SSH into Zone Based Firewall?

Manny,

Here is my last hope. Let's try this first:

!
policy-map type inspect sdm-permit
 no class type inspect SSH
!
ip access-list extended SSH
 permit tcp any any eq 22
!
class-map type inspect match-any SSH
 match access-group name SSH
!
!
policy-map type inspect sdm-permit
 class type inspect SSH
  pass
!

OR

!
policy-map type inspect sdm-permit
 no class type inspect SSH
!
ip access-list extended SSH
 permit tcp any any eq 22
!
class-map type inspect match-any SSH
 match access-group name SSH
!
class-map type inspect match-any access-to-router
 match class-map SSH
!
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
!

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Toshi! You are a genius, dude! The second option worked beautifully! I really appreciate your help.

Is there a book/resource that you used to learn this? I am going through my CCNA Security exam and it doesn't go into too much detail on zone-based firewalls. I did buy the Cisco Deploying Zone-Based Firewalls book, but it did not show an example of SSH access.

Now all that is left is allowing webserver/mail/ftp. Do you have any quick examples of that?

Thanks again.

Manny

Re: How to allow SSH into Zone Based Firewall?

Manny,

Please check this link out. It may help you.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html

I'm a sleepy head now. (grin) @4am.

Toshi

New Member

Re: How to allow SSH into Zone Based Firewall?

Thanks again!

New Member

Re: How to allow SSH into Zone Based Firewall?

Does this also apply to SNMP? It seems that SNMP is also blocked by default.

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi Fred,

I guess it depends on whether you're using SNMP on the inside or the outside?

New Member

Re: How to allow SSH into Zone Based Firewall?

I'm trying to get it working from the outside. I wasn't able to connect to the Cisco 871 from the outside with SSH, but that is functioning now thanks to your solution. I was wondering if this is also the case with monitoring from the outside, because we want to monitor customers remotely.

New Member

Re: How to allow SSH into Zone Based Firewall?

I will try it later tonight and let you know. I am fairly new to Zone-Based Firewalls. I would think you follow the same concept as for SSH in the example above. Post your config and maybe Toshi can comment on it.

New Member

Re: How to allow SSH into Zone Based Firewall?

Here is my config:

Re: How to allow SSH into Zone Based Firewall?

Hi Fred,

Outside zone to self has a class-default that denies everything by default. Yes! We can change it. You need to configure what you want to allow in your policy-map (sdm-permit). It can be either "inspect" or "pass" when using an ACL to match the traffic you want. Keep in mind that when using the "pass" keyword, you then need to allow the traffic from self to the outside zone as well. That's why we prefer "inspect", as we did before.

HTH,

Toshi
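The following is an added example (not Toshi's or Manny's configuration) that puts together the approach that worked in this thread and the SNMP question above: an ACL-based class-map nested in access-to-router, inspected on the outside-to-self zone-pair, with access limited to one management host. The source address 203.0.113.10 is a constructed placeholder; the zone, zone-pair and policy-map names are the ones from Manny's config.

```cisco
! Added example, not from the thread. 203.0.113.10 is a constructed
! placeholder for the single management host allowed in from the internet.
!
! 1. Match management traffic with a Layer 3/4 ACL instead of
!    "match protocol ssh", which the router rejects for the self zone
!    (the "%Protocol ssh ... cannot be configured for the self zone" error).
ip access-list extended MGMT-FROM-OUTSIDE
 permit tcp host 203.0.113.10 any eq 22
 permit udp host 203.0.113.10 any eq snmp
!
class-map type inspect match-any MGMT
 match access-group name MGMT-FROM-OUTSIDE
!
! 2. Nest the ACL class in a wrapper class, as in the option that worked.
class-map type inspect match-any access-to-router
 match class-map MGMT
!
! 3. "inspect" on the outside->self pair is stateful, so the router's
!    replies are allowed back without a self->outside rule. With "pass"
!    you would also have to permit the return traffic on sdm-zp-self-out.
!    Everything else from the outside to the router stays dropped and logged.
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default
  drop log
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
!
! 4. Also restrict the VTY lines themselves to the same host and to SSH only,
!    so a firewall misconfiguration alone does not expose the CLI.
ip access-list standard VTY-MGMT
 permit host 203.0.113.10
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
```

Verify with "show policy-map type inspect zone-pair sdm-zp-out-self" while an SSH session is open: the access-to-router class should show an established session and the class-default drop counters should only climb for unexpected sources.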

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi Toshi,

Should I then also alter the following:

class-map type inspect match-any access-to-router
 match class-map SSH
policy-map type inspect sdm-permit
 class type inspect access-to-router
  inspect
 class class-default

It is not clear to me what to configure.

New Member

Re: How to allow SSH into Zone Based Firewall?

Hi All

I had exactly the same issue with enabling just SSH access to the router for remote control.

Only passing SSH traffic worked; inspecting would not work at all, because of the following error:

%Protocol ssh configured in class-map classSSH cannot be configured for the self zone. Please remove the protocol and retry

We are talking about a policy like this:

Policy Map type inspect policyOutsideToRouter
     Description: policy allowing remote access to router
          Class classSSH
               Inspect
     Class class-default
     Drop log

Can someone please explain why SSH traffic coming from the WAN to the self zone cannot be inspected, and why it has to be passed?

Thanks
Andrzej