
class-map protocol misidentification

ChooseLife Member Posts: 941
It seems my router is not identifying some of the protocols properly. The two I found not to work are ssh and https. "match protocol ssh" and "match protocol https" in the class-map block the traffic; replacing either one with "match protocol tcp" immediately allows the respective traffic through, so other components, like routing, should not be affecting it.

Both of these services are running on another Cisco router. ssh is ssh-v2, https is the regular "ip http secure-server".
“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

GetCertified4Less
- discounted vouchers for certs

Comments

  • ChooseLife Member Posts: 941
    The relevant part of the config:
    class-map type inspect match-any class-map-ICMP
     match protocol icmp
    class-map type inspect match-any class-map-HTTPS
     match protocol https
     match protocol http
    class-map type inspect match-any class-map-SSH
     match protocol ssh
    
    policy-map type inspect policy-Allow
     class type inspect class-map-ICMP
      pass
     class type inspect class-map-HTTPS
      pass
     class type inspect class-map-SSH
      pass
     class class-default
      drop
    
    zone security zone-Inside
    zone security zone-Outside
    
    zone-pair security Inside-to-Outside source zone-Inside destination zone-Outside
     service-policy type inspect policy-Allow
    zone-pair security Outside-to-Inside source zone-Outside destination zone-Inside
     service-policy type inspect policy-Allow
    
    interface FastEthernet4
     ip address 172.16.8.71 255.255.0.0
     zone-member security zone-Outside
     duplex auto
     speed auto
    interface Vlan1
     ip address 192.168.2.87 255.255.255.0
     zone-member security zone-Inside
    
  • phoeneous Member Posts: 2,333
    What model router? I didn't know you can apply zones to VLANs. Aside from that, everything looks fine; are you saying that http and https traffic isn't being permitted?
  • SteveO86 Member Posts: 1,423
    Do you have NBAR protocol discovery on?

    If you issue "sh ip cache flow", is the router showing any traffic on those ports/protocol types?
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • peanutnoggin Member Posts: 1,096
    SteveO86 wrote: »
    Do you have NBAR protocol discovery on?
    I'd second this question. You can turn it on on each interface with "ip nbar protocol-discovery". Also, run the commands "sh ip port-map ssh" and "sh ip port-map http" just to be sure your router-defined NBAR discovery has the correct ports for the application defined.
    phoeneous wrote: »
    What model router?
    If I had to guess... I would say an 800 series. On those routers Fa4 is the "WAN" port, while Fa0-3 are your switchports. At least that's the case for my 877. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • ChooseLife Member Posts: 941
    This is indeed a C871 router. NBAR was originally disabled; I have enabled it on the vlan1 and fa4 interfaces, still no go...
    "sh ip port-map ssh", "sh ip port-map http" and "sh ip port-map https" all show the correct ports (actually, ssh shows two lines: 22/tcp and 22/udp).
  • ChooseLife Member Posts: 941
    After sitting down, inspecting traffic and doing some thinking (that always helps, doesn't it :D), I found the reason: the ZBF policies were set to "pass" rather than "inspect", and return traffic from server to client did not match "protocol ssh" or "protocol https". Changing the rules from pass to inspect fixed it. Another option would be to include a class-map for server-to-client traffic.
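Editor's note: the root cause above is worth seeing side by side. The following is an added example, not the poster's configuration: the stateless "pass" policy that breaks SSH/HTTPS next to the "inspect" policy that fixes it. The zone names and class-maps mirror the thread; the assumption that the client sits in zone-Inside and the SSH/HTTPS server in zone-Outside, and the policy names "policy-Allow-broken", "policy-Allow-fixed" and "policy-Deny", are illustrative. Note that ICMP was never affected by the original policy, because an echo reply still matches "match protocol icmp" on the reverse zone-pair, while the TCP reply (source port 22 or 443, destination an ephemeral client port) matches neither "match protocol ssh" nor "match protocol https" and falls to class-default.

```cisco
! Added example (not the poster's config). Client assumed in zone-Inside,
! SSH/HTTPS server assumed in zone-Outside.
!
class-map type inspect match-any class-map-ICMP
 match protocol icmp
class-map type inspect match-any class-map-HTTPS
 match protocol https
 match protocol http
class-map type inspect match-any class-map-SSH
 match protocol ssh
!
! --- Broken: "pass" forwards matching packets statelessly. The
! client->server SYN (dst tcp/22) matches class-map-SSH on Inside-to-Outside,
! but the server->client SYN/ACK (src tcp/22, dst ephemeral) matches no
! class on Outside-to-Inside and hits class-default drop. Same for tcp/443.
policy-map type inspect policy-Allow-broken
 class type inspect class-map-ICMP
  pass
 class type inspect class-map-HTTPS
  pass
 class type inspect class-map-SSH
  pass
 class class-default
  drop
!
! --- Fixed: "inspect" records a session on the first packet and lets the
! matching return traffic through on its own, so the reverse zone-pair no
! longer needs to permit SSH/HTTPS at all.
policy-map type inspect policy-Allow-fixed
 class type inspect class-map-ICMP
  inspect
 class type inspect class-map-HTTPS
  inspect
 class type inspect class-map-SSH
  inspect
 class class-default
  drop log
!
! Reverse direction: only sessions genuinely initiated from Outside belong
! here. With none expected in this example, everything is dropped, which is
! the least-privilege alternative to reusing the allow policy in both
! directions as the original config did.
policy-map type inspect policy-Deny
 class class-default
  drop log
!
zone security zone-Inside
zone security zone-Outside
!
zone-pair security Inside-to-Outside source zone-Inside destination zone-Outside
 service-policy type inspect policy-Allow-fixed
zone-pair security Outside-to-Inside source zone-Outside destination zone-Inside
 service-policy type inspect policy-Deny
```

To confirm the fix is doing what it should, open an SSH or HTTPS session from the inside and run "show policy-map type inspect zone-pair Inside-to-Outside sessions": with "inspect" you will see a session entry for the connection, whereas with "pass" nothing is tracked. "drop log" on class-default makes the dropped return packets visible in the log while troubleshooting; turn the logging off once the policy is settled. Since ZBF "match protocol" classifies by the port-to-application map, the "sh ip port-map" check done earlier in the thread remains the right way to verify which ports a protocol keyword covers.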