, , ,

When I attempted to allow SSH access on the zone-based firewall, I encountered a problem whereby the SSH protocol selection doesn’t do the job of allowing the SSH traffic to cross the zone.

I then tried using assigning extended access list for port 22 to the class-map and it still couldn’t work.

I then assigned the class-map with the extended access list to another class-map, and assign the new class-map to the policy-map instead of the old one and it worked.

ip access-list extended SSH-ACL
 permit any any eq 22
class-map type inspect match-any SSH-CLASS
 match access-group name SSH-ACL
class-map type inspect match-any SSH2-CLASS
 match class-map SSH-CLASS
policy-map type inspect SSH-POLICY
 class type inspect SSH2-CLASS
 class class-default
zone-pair security IN-OUT source IN-ZONE destination OUT-ZONE
 service-policy type inspect SSH-POLICY
zone-pair security OUT-IN source OUT-ZONE destination IN-ZONE
 service-policy type inspect SSH-POLICY