IOS Firewall: what is this class map doing?

cluovpemb
Level 1

Hi, a few weeks ago I set up a class map, but now, as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for SSH access from the Internet to the router for management:

class-map type inspect match-any SSH
 match protocol ssh
 match access-group name SSH

The access list with the name "SSH" just allows certain public IP network blocks. 

But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct? 

Also, just to ensure I am not confused about proper creation of the ACL, the ACL with the name SSH I've given is as follows:

ip access-list extended SSH
 permit tcp xx.xx.0.0 0.255.255.255 any eq 22
 permit tcp xx.xx.0.0 0.7.255.255 any eq 22
 permit tcp xx.xx.0.0 0.255.255.255 any eq 22

First, am I being redundant in the class map by telling it to match protocol ssh and also specifying port 22 in the ACL? And is this ACL written properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using SSH?


Accepted Solution

Julio Carvajal
VIP Alumni

Hello Colin,

But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?

Exactly, you are getting it now. It needs to be a match-all.

Regarding the ACL, it should be like this:

ip access-list extended SSH
 permit tcp host outside_user_ip host router_outside_interface eq 22

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

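To make the accepted answer's point concrete, here is an added model of the poster's class-map (not code from the thread, and not how IOS is implemented internally): it evaluates 'match protocol ssh' and 'match access-group name SSH' under match-any versus match-all, so you can see that match-any classifies SSH from any source while match-all honours the ACL. The ACL blocks and addresses are constructed sample values, and 'match protocol ssh' is simplified to a TCP/22 destination-port check.

```python
"""Added model (not from the thread or from Cisco IOS) of how the poster's class-map
classifies a flow: 'match protocol ssh' plus 'match access-group name SSH' evaluated
under match-any versus match-all. Addresses and wildcard masks are constructed samples."""
from ipaddress import IPv4Address
from typing import NamedTuple


class Flow(NamedTuple):
    src: str       # source IPv4 address of the connection attempt
    dst_port: int  # TCP destination port on the router


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: bit 1 = don't care, bit 0 = must equal the base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# Constructed stand-in for the poster's extended ACL "SSH":
# (base, wildcard, tcp dst port); anything not listed hits the implicit deny.
ACL_SSH = [
    ("198.51.100.0", "0.0.0.255", 22),  # permit tcp 198.51.100.0 0.0.0.255 any eq 22
    ("203.0.113.0", "0.0.0.7", 22),     # permit tcp 203.0.113.0 0.0.0.7 any eq 22
]


def acl_permits(flow: Flow) -> bool:
    """True when some permit entry covers both the source block and the port."""
    return any(wildcard_match(flow.src, base, wc) and flow.dst_port == port
               for base, wc, port in ACL_SSH)


def match_protocol_ssh(flow: Flow) -> bool:
    """Simplified 'match protocol ssh': TCP/22, regardless of source address."""
    return flow.dst_port == 22


def class_map_matches(flow: Flow, mode: str) -> bool:
    """Evaluate 'class-map type inspect <mode> SSH' with both match lines."""
    results = (match_protocol_ssh(flow), acl_permits(flow))
    if mode == "match-any":
        return any(results)  # one true statement suffices, so the ACL is bypassed
    if mode == "match-all":
        return all(results)  # both must hold, so the ACL actually restricts
    raise ValueError(f"unknown class-map mode: {mode}")


if __name__ == "__main__":
    stranger = Flow("192.0.2.50", 22)  # SSH attempt from outside every listed block
    for mode in ("match-any", "match-all"):
        print(mode, "stranger classified:", class_map_matches(stranger, mode))
```

Run it and match-any reports True for the stranger, which is exactly the exposure the poster was worried about; match-all reports False.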



Ok, I set it to match-all. However, with the ACL, my office connection is on a dynamic IP, and so my ISP assigns an IP in the address blocks that I've put in there.

But now for the part about the router_outside_interface. Setting this instead of saying "any" won't have problems with, say, VPN or NAT or whatever else? It's simply saying that SSH will go to the outside interface and that's that?

Hello Colin,

So dynamic IP address, got it. Then you will need to do it as you have it before.

Correct, as it will be from out to self.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC