IOS Firewall: what is this class map doing?

Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has.  It is applied to a policy map for ssh access from the Internet to the router for management:
class-map type inspect match-any SSH
match protocol ssh
match access-group name SSH
The access list with the name "SSH" just allows certain public IP network blocks. 
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct? 
Also just to ensure I am not confused about proper creation of the ACL.  The ACL with the name SSH I've given is as follows:
ip access-list extended SSH
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
permit tcp xx.xx.0.0 0.7.255.255 any eq 22
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
First, am I being redundant in the class map by telling it to match protocol ssh and also specifying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh? 

Hello Colin,
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Exactly, you are getting it now. It needs to be a match-all.
Regarding the ACL, it should be like this:
ip access-list extended SSH
 permit tcp host outside_user_ip host router_outside_interface eq 22
Regards,
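To make the two questions above concrete, here is an added example configuration; it is not from the original post or the reply, and it generalizes the reply's single-host ACL to a management block. With match-any the class fires when either statement matches, so any Internet host sending TCP/22 to the router satisfies "match protocol ssh" on its own and the source ACL is never consulted; with match-all both statements must match, which is what "SSH from only my addresses" means. "match protocol ssh" classifies by the port map (TCP/22 by default) and the "eq 22" in the ACL constrains the same port, so the two are not harmful together, but the ACL is where the source and destination are restricted. Two points a practitioner would check on the posted ACL: a wildcard of 0.255.255.255 permits an entire /8 (about 16.7 million sources) and 0.7.255.255 a /13, far more than "my IP"; and the destination should be the router's own outside address rather than "any". All addresses below are documentation placeholders (203.0.113.0/24 for the management block, 198.51.100.1 for the router's outside address) and the interface name is assumed.

```cisco
! Added example: SSH to the router itself (self zone) only from a management block.
! 203.0.113.0/24 = assumed management block, 198.51.100.1 = assumed router outside address.
ip access-list extended SSH-MGMT
 remark management block -> router outside address, TCP/22 only; everything else is implicitly denied
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq 22

! match-all: the packet must be permitted by the ACL AND be classified as ssh
class-map type inspect match-all SSH-MGMT
 match access-group name SSH-MGMT
 match protocol ssh

policy-map type inspect OUTSIDE-TO-SELF
 class type inspect SSH-MGMT
  inspect
 class class-default
  drop log

zone security OUTSIDE

interface GigabitEthernet0/0
 description Internet (assumed interface)
 ip address 198.51.100.1 255.255.255.0
 zone-member security OUTSIDE

! "self" is the built-in zone for traffic terminating on the router
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
```

Two caveats: once this zone-pair exists, anything else the router receives from the OUTSIDE zone, including replies to sessions the router itself opened (NTP, DNS, routing protocol peers), is dropped unless it is covered by a class here or by inspection on a self-to-OUTSIDE zone-pair; and on older IOS images that do not support inspect on the self zone, use pass instead of inspect for the SSH class. Verify with "show policy-map type inspect zone-pair OUTSIDE-TO-SELF" after an SSH attempt from inside and from outside the management block: the first should increment the SSH-MGMT session count, the second the class-default drop counter.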

Similar Messages

  • Android.process.acore?  What is this and why does it keep not working?

    Help: I've had my Lucid 3 phone since May and this phone has been the most confusing thing to operate.  I'm currently having three (3) issues:
    The Wi-Fi is not working...I keep getting the symbol refreshing.  I can't turn the Wi-Fi on or off.  I read "Turning Wi-Fi on..." when I go to the setting for Wi-Fi but this has been going on for 3 hours.  C'mon!  My Wi-Fi at home is working great; that's how I'm writing this post. Help!
    To add to the misery: I keep getting a pop-up notification that reads: "Unfortunately, the android.process.acore has stopped."  What is this and why does it not work? The phone's been getting this message for a week now...help!
    Last concern: I'm still not getting multimedia texts (particularly pictures).  The data and Wi-Fi were on...well, that's when the Wi-Fi was working (please refer to complaint #1 above).  What the heck?
    This phone is terrible news and I can't wait to replace it.  In the meantime, the phone needs to work. Help.
    -Salo

        We certainly want to clear up all the confusion and have a working phone in your hands, srodezno. Let's take this one issue at a time:
    1. How long ago did this trouble with WiFi start? Are you able to connect to any alternate WiFi signals other than the one at home?
    2. Do you get that notification when you access anything in particular? Did it begin when you updated or installed any application?
    3. Are you still able to access other data services (web, apps, Play Store, etc) while the WiFi is off/not working? Are you able to send the MMS messages?
    JenniferH_VZW
    Follow us on Twitter www.twitter.com/vzwsupport

  • Class-map does not support match protocol ssl

    I have several 1941/k9's that do not have the class-map command to support ssl.  System image is c1900-universalk9-mz.SPA.152-1.T.bin.
    class-map match-any af31
    match protocol ssl  <-- missing.
    I did some google searches but come up with nothing. 
    Is the fix to upgrade IOS?  I have found it on other routers running c1900-universalk9-mz.SPA.152-4.M4.bin.  I would just upgrade and check but have an extensive change review board with questions before doing so.
    Thanks for advice,
    Haydn

    I'm not current on NBAR (or NBAR 2), but NBAR used to support loadable modules (PDMs?).  Sometimes Cisco would provide those so you could add match protocols without upgrading your IOS.
    Otherwise the "fix" would be to upgrade your IOS.
    Lastly, depending on what matching SSL really means to you, using port based ACLs might suffice (in fact, some NBAR match protocol is only really that, but some NBAR matches regardless of the port usage).
    PS:
    Also on the subject of SSL, don't forget much can use it.  I once matched on it for the purposes of providing secure shell higher queuing priority, worked great for SSH, not so great when secure copy (SCP) also matched against it.

  • When turning pages in catalog in Safari a message comes up "Are you sure you want to send a form again?" It then asks if I want to cancel or resend the form. What is this and why does it pop up?

    When turning pages in catalog in Safari, a message comes up "Are you sure you want to send a form again?" It then asks if I want to cancel or resend the form. What is this and what am I doing wrong? I'm obviously new to Mac.

    You can turn that off if you want ..
    From your Safari menu bar top of your screen click Safari > Preferences  then select the Security tab.
    Deselect:   Ask before sending a non-secure form from a secure website

  • Menu Object; MANUAL option. What is this, and how does it work?

    What is this... and, how does it work? Can't find documentation on this.

    My knee-jerk reaction is, "are you f'n kidding me?"... but, of course, you're not.
    I must say, that is an incredibly useless option. How would that "option" differ from simply making a text object (or text/rectangle/image combo or group) and creating a link?
    What got me looking at this option was the hope to find some way to insert a dynamic "field" that could be used on a master page to display the current page title (of a page based on that master). Something similar to Word (and other applications) that you can enter information into a document property and then insert that information anywhere within the document by using a field code for that info. I don't know if there is an HTML code that could be used to accomplish this, in this case. Something that would refer to the page title.
    Thanks for the info none-the-less.

  • Nsurlsessiond - what is this and why does it use a lot of data?

    Hello
    Firstly
    I was in a public library, uploading to my Dropbox account, and all of a sudden my network speed indicator/monitor showed heaps of download, and fast too,
    but i was not downloading anything.
    I was uploading to my Dropbox account.
    In activity monitor i noticed this service was operating "nsurlsessiond"
    What is this service?
    In my connection alert it tells me nsurlsessiond tried to establish a connection to apple-dnld.vo.llnwd.net on TCP port 80 (http)
    Secondly, I was using my own wifi, and saw this nsurlsessiond service consuming heaps of data. Again I was uploading to my Dropbox account. About 1 GB this time.
    Now I have blocked communication to "nsurlsessiond".
    What is the impact of blocking such communication?
    Please see details of the service in the screenshot.
    Now after this experience, I am wondering: is it Apple policy to have communication from our MacBooks to somewhere without us knowingly allowing it?  I thought Apple was respectful of our privacy, or has this changed?
    Thank you for your help and time.
    regards
    10.10.2
    dropbox v3.4.4
    macbook pro

    I couldn't say. It was just that I happened to be only uploading to Dropbox, and then saw downloading on the monitor.
    That was flagged as odd.
    I rarely look at what services are running... only if my MacBook slows down or something else odd happens.
    In both cases I was only uploading to Dropbox.
    I don't do a lot with my MacBook, other than uploading to Dropbox lately.
    Thank you for your thinking and help.

  • What is br class="clearfloat" / doing in my code?

    I'm using Dreamweaver and am assuming that at some point DW put this code in for some purpose because I don't remember adding it. My question is, do I need this line and if so is there some place else I can put it so that it doesn't add the extra space?

    Mike-H wrote:
    I agree with David. They are part of the predefined layouts. If you look at the CSS, the break has a height of 0 and the font-size is 1 pixel, so it will render as virtually invisible.
    I'm curious, though. Murray, where in your CSS would you put the overflow: hidden; ? In the opening of the next div or section of your code? I don't yet know enough about what the overflow does. I do understand what happens with the <br class="clearfloat"> line that is in the layouts. How does the overflow: hidden differ?
    Thanks,
    Mike
    (p.s. good to see Murray and David here. There is a glimmer of hope that we might still learn more. ).
    Thanks for your reassurances, although I have to say that this forum is not my preferred way of doing things.
    You would apply that style to the container of the floats, e.g.,
    <div style="border:1px solid red;">
       <p style="float:right;"><img width="100" height="100" src="">foo</p>
    </div>
    In this case, you'd see a thin red line above the "foo", which is the bordered div collapsed (there is no non-floated content to hold it open).
    But change that to this -
    <div style="overflow:hidden;border:1px solid red;">
       <p style="float:right;"><img width="100" height="100" src="">foo</p>
    </div>
    and you will see the container expand to contain its content.  Using Stephanie's markup it would be this -
    <div style="border:1px solid red;">
       <p style="float:right;"><img width="100" height="100" src="">foo</p>
      <br class="clearfloat" />
    </div>
    The difference is that it's cleaner (I think) to do this in the CSS rather than in the markup.  In addition, you add space to the container when you add the <br />.

  • What is this Java-code doing?

    I tried to find out what this part of a Java code is doing.
    I think that there are the two Strings 'target' and 'phrase'
    declared and initialized, however, what is the value of each
    of these two Strings then, respectively what is the return value??
    Here you see the code:
    ....
    private String O00OoO0O0oOoo00O00oo(String target, String phrase)
    {
        for(; target.length() > phrase.length(); phrase += phrase);
        String s1 = "";
        for(int i = 0; i < target.length(); i++)
            s1 = s1 + "" + (char)((phrase.charAt(i) + target.charAt(i)) - i);

        return s1;
    }
    thx for help!

    I wrote the following program :
    public static void{
    1: private String abcdefghabcdefgh(String target, String phrase)
    2: {  
    3: for(; target.length() > phrase.length(); phrase += phrase);
    4: String a = "";
    5: for(int i = 0; i < target.length(); i++)
    6: a = a + "" + (char)(target.charAt(i) - phrase.charAt(i) - i);
    7: System.out.println(a);
    8: return a;
    9: }
    10: String pass="xxxx";
    11: String ssap="oooo";
    12: String test = "";
    13: test = abcdefghabcdefgh(pass, ssap);
    14: System.out.println(test);
    15:}
    But I always got an error when I tried to compile it...
    and I tried for hours to find a description for this function...
    Actually I found the description for String(String original) in the
    API documentation, and I think this is what I wrote in line 1...
    I tried so many versions so that this function would work...
    but it didn't at all. (Actually I think that I imported all the Java classes
    I need). What the hell am I doing wrong???!!!

  • EP: BP_ERP5*** what is this relevant for / does it have dependencies?

    Hi Experts,
    since I've recently asked our Basis team to upgrade the Portal Components and BPs, we've stumbled upon this BP "sap.com  BP_ERP5***". I tried to gather information about it to see what it's actually good for. The following is what I've concluded now, please verify I'm correct:
    1. BP_ERP5*** does not have a dependency on an XSS Java component unlike BP_ERP5ESS, BP_ERP5MSS and BP_ERP5COM which all have a corresponding JAVA component.
    2. BP_ERP5*** only implements the Administrator Self Service ROLE in Portal, it does nothing else considering Portal content.
    3. BP_ERP5*** has no dependencies whatsoever to any other Business Packages / Java Components / Portal Content, etc.
    4. BP_ERP5*** merely has the function to develop Java FPM applications and such.
    Final Question: In case I've never (knowingly) used this BP and (obviously) don't even really know what it is, can it be undeployed without dealing any damage/harm to anything else on the Portal? (yeah, sounds a little overcautious..)
    It would be a shame to just "let it be" and have it eat memory although we might not really need it...
    best regards, Lukas

    Hi Siddarth,
    thanks for your response. The wiki is known to me, as is the help. I should have posted this in my opening post...
    I also understood this BP is used for Java FPM development. This isn't important for us as we'll only build FPM applications in the future with WD4A. Hence I try to formulate my question more clearly:
    On our system we have:
    Backend: ECC 600 EHP4 SP32
    Portal:
    BP_ERP5***  1.0 SP17 --> ???
    BP_ERP5COM  1.41 SP8 --> SAPPCUI_GP  603 SP8
    BP_ERP5ESS  1.41 SP9 -->  SAP_ESS  603 SP8
    BP_ERP5MSS  1.41 SP9 --> SAP_MSS  600 SP19
    We do not develop Java FPM applications. Can we just undeploy "BP_ERP5***  1.0 SP17" without affecting any existing components / developments? It has been deployed long before I entered the company, I never used it and nobody knows if we can't just get rid of it to save memory.
    hope I clarified a bit..
    regards, Lukas

  • Error code 2324, what is this and how does one fix the issue?

    How does one fix error code 2324 that I receive each time I attempt to upgrade my iTunes.  Of course now iTunes will not work until this issue is fixed.  Thanks, D

    Let's try the fixit from the following Microsoft document with that one:
    Fix problems with programs that can't be installed or uninstalled

  • I am trying to upload pictures to a website, but get an error message saying that server redirection is not supported. What is this, and why does it happen? I've never had this problem before and it started after the Firefox update yesterday.

    Trying to upload pictures to a website, but it doesn't work. After going through the whole process, I get a message saying: "the server attempted to redirect you. Server redirection is not supported." This only happened after I updated Firefox. Never had this problem before.

    Dear Jody..jone5
    Good for you that you can't update your iPhone, because I did it and my iPhone doesn't work; for example I can't download any app like WeChat or Twitter..
    Good luck
    Atousa

  • ACE: a class-map with multiple ports... what about the probe/serverfarm?

    Hello Gilles,
    One question about something I was not able to find in the documentation.
    Lets say I have one class-map which includes 2 ports (in this case https and 5061).
    Can I associate this class-map to just 1 generic serverfarm and probe for both ports, or do I have to specify 2 serverfarms/rservers/probes?
    So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), is it sent to the same respective port on the rserver?
    Is the same valid for the generic probe?  Is the ACE module able to probe both ports based on the class-map?
    Thanks and have a great day!!
    Giulio.
    probe tcp PROBE_GENERIC_TCP
      description This probe works for all TCP services by inheriting the VIP port.
      interval 15
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 2
    rserver host SERVER1_ACCESS
      ip address <1AC>
      inservice
    rserver host SERVER2_ACCESS
      ip address <2AC>
      inservice
    serverfarm host ACCESS-SFARM
      probe PROBE_GENERIC_TCP
      rserver SERVER1_ACCESS
        inservice
      rserver SERVER2_ACCESS
        inservice
    class-map match-any OCS_L4ACCESS
      2 match virtual-address x.x.x.176 tcp eq https
      2 match virtual-address x.x.x.176 tcp eq 5061
    policy-map type loadbalance first-match OCS_L4ACCESS
      class class-default
        sticky-serverfarm ACCESS_STICKY
    policy-map multi-match POLICY
    class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503

    Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.
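The layout the reply recommends, one L3/L4 class-map and one serverfarm per service sharing the same rservers and the same generic probe, as an added example configuration that is not from the original thread. It keeps the poster's probe and rserver names, uses 192.0.2.176 as a placeholder VIP and 10.0.0.11/10.0.0.12 as placeholder rserver addresses, and assumes, as the reply does, that the running ACE software inherits the probe port from the port given on the rserver inside each serverfarm; on software without that inheritance, configure a separate probe with an explicit "port 443" / "port 5061" per serverfarm.

```cisco
! Added example: separate serverfarm and class-map per service, shared rservers and probe.
! 192.0.2.176 = assumed VIP, 10.0.0.11 / 10.0.0.12 = assumed real server addresses.
probe tcp PROBE_GENERIC_TCP
  description no port here; the port comes from the rserver entry in each serverfarm
  interval 15
  faildetect 2
  passdetect interval 15
  passdetect count 2
  open 2

rserver host SERVER1_ACCESS
  ip address 10.0.0.11
  inservice
rserver host SERVER2_ACCESS
  ip address 10.0.0.12
  inservice

! One serverfarm per service: a failed https check takes the rserver out of SF-443 only,
! so the same host keeps receiving 5061 traffic from SF-5061.
serverfarm host SF-443
  probe PROBE_GENERIC_TCP
  rserver SERVER1_ACCESS 443
    inservice
  rserver SERVER2_ACCESS 443
    inservice
serverfarm host SF-5061
  probe PROBE_GENERIC_TCP
  rserver SERVER1_ACCESS 5061
    inservice
  rserver SERVER2_ACCESS 5061
    inservice

! One class-map per service instead of a single match-any class with both ports
class-map match-all VIP-443
  2 match virtual-address 192.0.2.176 tcp eq https
class-map match-all VIP-5061
  2 match virtual-address 192.0.2.176 tcp eq 5061

policy-map type loadbalance first-match LB-443
  class class-default
    serverfarm SF-443
policy-map type loadbalance first-match LB-5061
  class class-default
    serverfarm SF-5061

policy-map multi-match POLICY
  class VIP-443
    loadbalance vip inservice
    loadbalance policy LB-443
    loadbalance vip icmp-reply active
  class VIP-5061
    loadbalance vip inservice
    loadbalance policy LB-5061
    loadbalance vip icmp-reply active
```

After applying it, "show serverfarm SF-443 detail" and "show serverfarm SF-5061 detail" should list each rserver with its own probe state per farm; stop the https service on one server and only SF-443 should mark it failed, while "show probe PROBE_GENERIC_TCP detail" shows the port each probe instance actually uses.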

  • Class-map in IOS XR

    Hi, can anyone explain the "sh class-map list type qos" in XR platforms? Is this command used to know how many types of class-maps are configured in one router?

    It is a useful command to help clean up unused class-maps:
    RP/0/RSP0/CPU0:A9K-BNG#show class-map list type qos
    Thu Sep 12 14:58:56.383 EDT
    1) ClassMap: class1    Type: qos
        Referenced by 3 Policymaps
    2) ClassMap: class3    Type: qos
        Referenced by 2 Policymaps
    In this example the QoS class-maps class1 and class3, which have index 1 and 2 respectively, are used by 3 and 2 policy-maps respectively, so I can't remove them.
    I could technically remove this class-map:
    20) ClassMap: v6    Type: qos
        Referenced by 0 Policymaps
    Not used at all.
    regards
    xander

  • Can anybody tell me what this FM ITOB_SERIALNO_MODIFY_SINGLE does?

    Hi All,
    Can anybody tell me what ITOB_SERIALNO_MODIFY_SINGLE, this FM, exactly does?
    If possible please explain the parameters which need to be passed to this... (if possible sample code also)
    It's very urgent...
    Thanks in advance.

    Hi Sanjay,
    here is the documentation for the FM mentioned below
    ITOB_SERIALNO_MODIFY_SINGLE
    FU ITOB_SERIALNO_MODIFY_SINGLE
    Short text
    ITOB Buffer RFC: Change Individual Serial Number
    Functionality
    This RFC-capable function module enables you to change master data for an individual serial number without using a dialog.
    Notes
    General notes for the RFCs for processing individual technical objects (function group ITO3):
    The master data is communicated in an interface structure (based on view ITOB) that is generally used for technical objects.
    Each RFC returns the processed data in the structure E_OBJECT_REC to the caller, independent of the action that is to be performed (create/change/read).
    An RFC for creating or changing master data generally receives this data in the structure E_OBJECT_REC. However, depending on the object to be processed, only part of the data is processed, namely:
    Create functional location: Processes data from structure ITOBAPI_CREATE_FL
    Change functional location: Processes data from structure ITOBAPI_MODIFY_FL
    Create equipment: Processes data from structure ITOBAPI_CREATE_EQ
    Change equipment: Processes data from structure ITOBAPI_MODIFY_EQ
    You specify whether an authorization check should be performed when executing the create or change transaction using the optional parameter I_AUTH_TCODE (default: without check).
    You specify whether the data should be updated using the optional parameter I_POST_BUFFER (default: update data).
    You specify whether the (updated) data is written to the database per Commit using the optional parameter I_COMMIT_WORK (default: no Commit).
    In Customizing (Field Selection) for master data dialogs, entries defined as mandatory are generally not checked by the RFCs.
    Special notes on function module ITOB_SERIALNO_MODIFY_SINGLE:
    The parameter I_TRANSFER_MODE controls whether inheritance-relevant fields should be transferred to installed pieces of equipment.
    The system uses the structure I_OBJECT_REC_OLD to make 'Before Image' data available to the user. If the structure is not transferred, the 'Before Image' is read by the module.
    Please go through the documentation and I hope that you will be able to work out how the FM works.
    Thanks
    Venugopal
    Please reward for the ample info.

  • The class-default class map

    According to Cisco documentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html), the ASA is equipped with two default class-maps
    class-map inspection_default
    match default-inspection-traffic
    and
    class-map class-default
    match any
    The first makes perfect sense, but what is the class-default used for? Cisco says
    "This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
    match any class map. In fact, some features are only available for class-default."
    But I see stuff like this:
    policy-map MyPolicy
    class class-default
      inspect tftp MyFTPpolicy
    Obviously it is being used here to act on traffic! So I am confused.
    I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange).

    Hello Collin,
    This is Mike. I don't think it is well documented. Basically it is just a class map (that does not appear in the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (NetFlow) and traffic shaping are only allowed to use this kind of class map because they don't support any other match command.
    The one that you currently have (and God I hope it's not applied) will look for TFTP traffic in every IP packet passing across the ASA.
    This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy); you can check if it is applied or not by running the "show run service-policy" command.
    Mike
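The distinction Mike draws, shown as an added example configuration rather than anything from the thread: application inspection belongs under a class that narrows the traffic (inspection_default, whose "match default-inspection-traffic" already covers TFTP on UDP/69, or a class built on an ACL), while class-default is reserved for the features that cannot take any other match statement, NetFlow Secure Event Logging and shaping. The collector address 192.0.2.10 and the interface name "outside" are placeholders, and the shaping rate is an assumed value.

```cisco
! Added example: where TFTP inspection should live, and what class-default is actually for.

! Built-in class: matches only the default ports of the inspectable protocols (TFTP = UDP/69)
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect tftp
 ! class-default matches everything else; NSEL is one of the few actions allowed here
 class class-default
  flow-export event-type all destination 192.0.2.10

! Shaping is the other class-default-only feature; it is applied per interface, not globally
policy-map shape_outside
 class class-default
  shape average 2000000

service-policy global_policy global
service-policy shape_outside interface outside

! The NSEL destination above needs a matching exporter definition (assumed collector address):
flow-export destination inside 192.0.2.10 2055
```

To confirm what is actually in effect, "show run service-policy" lists which policy-maps are bound where, and "show service-policy inspect tftp" shows the inspection counters increasing only for traffic that hit inspection_default; a TFTP inspect placed under class-default would instead show up against the all-traffic class in "show service-policy".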
