
Sunday, 1 August 2010

SSH to Cisco 1841 using route-map statements for PAT

I had a problem with a Cisco 1841 router: I could not get SSH access to it from a remote location using the router's WAN IP.

I had been able to do this on a Cisco 877 but could not make it work on the 1841. After some head scratching and forum posting I was given a clue when I looked at the firewall logs. The logs showed that the packets were reaching the router fine, but the return packets were coming back from the wrong port, and this caused them to be dropped.

The firewall log entry is shown here:

%FW-6-DROP_PKT: Dropping tcp session 78.xx.xx.xx:3 86.xx.xxxx:45369 on zone-pair ccp-zp-self-out class ccp-icmp-access due to  Invalid Flags with ip ident 0

The log shows the return packet with a source port of 3, but I know the connection came in on port 22 for SSH, so something is changing the packet's source port before it goes back out.

The answer is that NAT/PAT is involved: the return packets are being PATed on their way back out of the ATM interface. My 1841 routers all use a route map for NAT so that I can have two PAT statements and fail over between the two ATM interfaces. When a connection is made to SSH on port 22, the PAT statement translates the reply traffic as it leaves, the source port no longer matches the session the zone-based firewall (ZBF) inspected, and the packets get dropped.

To resolve this, add an ACL to the route map that permits only the traffic you actually want PATed (the inside subnet) and denies everything else, so that replies sourced from the router's own WAN address are left untranslated.

The original PAT statement and route map were:

ip nat inside source route-map O2 interface ATM0/0/0.1 overload

route-map O2 permit 10
 match interface ATM0/0/0.1

This route map needs an ACL added so that only traffic from my internal network (192.168.110.0/24) is PATed. I created the ACL below and added it to the route map as a second match statement. Note that match statements of different types in one route-map clause are ANDed, so a packet must both leave via ATM0/0/0.1 and be permitted by the ACL before it is translated. The explicit deny at the end of the ACL is redundant, since every IOS ACL ends with an implicit deny, but it documents the intent.

! permit only the inside LAN for PAT; router-sourced replies will not match
access-list 120 permit ip 192.168.110.0 0.0.0.255 any
access-list 120 deny ip any any

route-map O2 permit 10
 match interface ATM0/0/0.1
 match ip address 120

Now that the ACL is in the route map, when a connection is made on port 22 the return traffic is checked against the route map's ACL. The reply is sourced from the router's WAN address, which is not in the 192.168.110.0/24 subnet, so it is denied translation and leaves through the ZBF with its original source port of 22, matching the inspected session. You can confirm this with show route-map O2 (the match counters) and show ip nat translations, which should now only list inside-local addresses from 192.168.110.0/24.
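The post only shows the single primary route map. Below is an added example, not the configuration from the post, showing the weak interface-only route maps beside the corrected ACL-restricted ones for both ATM interfaces that the dual-PAT failover setup needs. The names of the second route map (O2_BACKUP), the second ATM sub-interface (ATM0/1/0.1), the LAN interface (FastEthernet0/0) and the LAN gateway address are assumptions; the inside subnet 192.168.110.0/24 and ACL number 120 are taken from the post.

```cisco
! Added example; not the original post's configuration.
! Assumed names: LAN on FastEthernet0/0, primary WAN sub-interface ATM0/0/0.1,
! backup WAN sub-interface ATM0/1/0.1, backup route map O2_BACKUP.

! --- Before: each route map matches only on the exit interface, so every
! --- packet leaving that interface, including the router's own SSH replies
! --- sourced from the WAN address, is PATed and its source port rewritten.
! route-map O2 permit 10
!  match interface ATM0/0/0.1
! route-map O2_BACKUP permit 10
!  match interface ATM0/1/0.1

! --- After: one ACL limits translation to the inside LAN. The explicit deny
! --- is redundant (IOS ACLs end with an implicit deny) but documents intent.
access-list 120 remark PAT only the inside LAN; leave router-sourced replies alone
access-list 120 permit ip 192.168.110.0 0.0.0.255 any
access-list 120 deny ip any any

! Match statements of different types in one clause are ANDed, so a packet
! must both exit the named interface and be permitted by ACL 120.
route-map O2 permit 10
 match interface ATM0/0/0.1
 match ip address 120

route-map O2_BACKUP permit 10
 match interface ATM0/1/0.1
 match ip address 120

! One overload (PAT) statement per WAN sub-interface; the route map selects
! the translation that belongs to the interface the packet is really leaving by.
ip nat inside source route-map O2 interface ATM0/0/0.1 overload
ip nat inside source route-map O2_BACKUP interface ATM0/1/0.1 overload

! NAT inside/outside interface roles (assumed LAN address).
interface FastEthernet0/0
 ip address 192.168.110.1 255.255.255.0
 ip nat inside

interface ATM0/0/0.1 point-to-point
 ip nat outside

interface ATM0/1/0.1 point-to-point
 ip nat outside
```

After applying this, a fresh SSH session to the WAN address should no longer produce %FW-6-DROP_PKT entries on the ccp-zp-self-out zone pair, and show ip nat translations should only list inside-local addresses from 192.168.110.0/24. Since this deliberately exposes SSH on the WAN address, it is also worth restricting the vty lines with an access-class to the remote management addresses you actually use.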

1 comment:

  1. I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
    ISDN Configuration