class-map protocol misidentification
ChooseLife (Member, Posts: 941):
It seems my router is not identifying some of the protocols properly. The two I found not to work are ssh and https. "match protocol ssh" and "match protocol https" in the class-map blocks the traffic; replacing either one with "match protocol tcp" immediately allows the respective traffic through, so other components, like routing, should not be affecting it.
Both of these services are running on another Cisco router. ssh is ssh-v2, https is the regular "ip http secure-server".
“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896
GetCertified4Less - discounted vouchers for certs
Comments
ChooseLife (Member, Posts: 941):
The relevant part of the config:

    class-map type inspect match-any class-map-ICMP
     match protocol icmp
    class-map type inspect match-any class-map-HTTPS
     match protocol https
     match protocol http
    class-map type inspect match-any class-map-SSH
     match protocol ssh

    policy-map type inspect policy-Allow
     class type inspect class-map-ICMP
      pass
     class type inspect class-map-HTTPS
      pass
     class type inspect class-map-SSH
      pass
     class class-default
      drop

    zone security zone-Inside
    zone security zone-Outside
    zone-pair security Inside-to-Outside source zone-Inside destination zone-Outside
     service-policy type inspect policy-Allow
    zone-pair security Outside-to-Inside source zone-Outside destination zone-Inside
     service-policy type inspect policy-Allow

    interface FastEthernet4
     ip address 172.16.8.71 255.255.0.0
     zone-member security zone-Outside
     duplex auto
     speed auto

    interface Vlan1
     ip address 192.168.2.87 255.255.255.0
     zone-member security zone-Inside
phoeneous (Member, Posts: 2,333):
What model router? I didn't know you can apply zones to VLANs. Aside from that everything looks fine. Are you saying that http and https traffic isn't being permitted?
peanutnoggin (Member, Posts: 1,096):
Do you have nbar protocol discovery on?
What model router?
-Peanut
We cannot have a superior democracy with an inferior education system!
-Mayor Cory Booker
ChooseLife (Member, Posts: 941):
This is indeed a C871 router. nbar was originally disabled; I have enabled it on the vlan1 and fa4 interfaces, still no go...
sh ip port-map ssh, sh ip port-map http, sh ip port-map https all show correct ports (actually, ssh shows two lines: 22/tcp and 22/udp).
ChooseLife (Member, Posts: 941):
After sitting down, inspecting traffic and doing some thinking (that always helps, doesn't it?), I found the reason: the ZBF policies were set to pass, rather than inspect, and return traffic from server to client did not match "protocol ssh" or "protocol https". Changing the rules from pass to inspect fixed it. Another option would be to include a class-map for server-to-client traffic.
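The fix ChooseLife describes, written out as an added example rather than the poster's own config: the policy-map names policy-Allow-pass and policy-Allow-inspect are hypothetical, chosen so the weak and corrected versions can sit side by side; the class-map and zone names are the ones from the thread. With "pass", a matching packet is forwarded without a session entry, so the server's reply has to match a class on the reverse zone-pair by itself, and a reply leaving port 22 or 443 does not match "match protocol ssh" or "match protocol https". With "inspect", the router records the session and lets the return traffic through as part of it.

```cisco
! Weak version (what the thread started with): stateless "pass".
! Return traffic must independently match a class on the reverse
! zone-pair, which it does not for ssh/https, so the connection stalls.
policy-map type inspect policy-Allow-pass
 class type inspect class-map-ICMP
  pass
 class type inspect class-map-HTTPS
  pass
 class type inspect class-map-SSH
  pass
 class class-default
  drop

! Corrected version: stateful "inspect". The router creates a session
! entry on the first packet and permits the reply without a reverse
! class-map match. Only the action word changes.
policy-map type inspect policy-Allow-inspect
 class type inspect class-map-ICMP
  inspect
 class type inspect class-map-HTTPS
  inspect
 class type inspect class-map-SSH
  inspect
 class class-default
  drop

! Apply the corrected policy to the same zone-pairs used in the thread.
zone-pair security Inside-to-Outside source zone-Inside destination zone-Outside
 service-policy type inspect policy-Allow-inspect
zone-pair security Outside-to-Inside source zone-Outside destination zone-Inside
 service-policy type inspect policy-Allow-inspect
```

To confirm the behaviour, open an SSH or HTTPS connection across the zones and check that a session appears with "show policy-map type inspect zone-pair sessions"; with the pass version no session is created, which is why the reply has nothing to match against. Keeping class-default on drop means anything not explicitly inspected, including a reply that arrives with no matching session, is still discarded.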