topic Re: Limit ssh and http access IPv4 and IPv6 in Network Access Control

Limit ssh and http access IPv4 and IPv6

ciscoKuzia — Sun, 13 Feb 2022 22:01:28 GMT

I have a 2901 dual stack router. I need to limit SSH and HTTP access to IPv4 and IPv6 ranges. At the moment, access is limited to list of IPv4 addresses but IPv6 is wide opened and I cant't find anything in the docs.

Any help would be appreciated!

access-list 10 permit 123.12.23.12
access-list 10 permit 192.168.1.0 0.0.0.255
!
!
ipv6 access-list ipv6_trusted_subnets
 permit ipv6 2001:123:321::/48 any
!
!
line vty 0 4
 access-class 10 in
 exec-timeout 60 0
 login local
 transport input ssh

Re: Limit ssh and http access IPv4 and IPv6

Amine ZAKARIA — Sun, 13 Feb 2022 22:16:51 GMT

Hello @ciscoKuzia,

Under line vty add

ipv6 access-class ipv6_trusted_subnets in

----------------------

Don't forget to rate helpful posts!

Re: Limit ssh and http access IPv4 and IPv6

ciscoKuzia — Sun, 13 Feb 2022 23:41:38 GMT

That worked! Thank you @Amine ZAKARIA !

Any idea on how to do the same thing but for http (https)?

(config)#ipv6 htt?
% Unrecognized command

Re: Limit ssh and http access IPv4 and IPv6

Aref Alsouqi — Mon, 14 Feb 2022 01:47:35 GMT

I don't believe there is a specific command to turn off http(s) services only for IPv6. I think the command "ip http" and "ip http secure-server" apply for both IPv4 and 6.

Re: Limit ssh and http access IPv4 and IPv6

ciscoKuzia — Mon, 14 Feb 2022 02:35:55 GMT

Unfortunately, I can still access https via IPv6 address while IPv4 address is accessible only from the trusted range as well as I'm not able to add IPv6 to a standard access-list.

(config)#access-list 10 permit 2001:XXXX:D:FFFF::1470                         
                                     ^
% Invalid input detected at '^' marker.
-----------------------------------------------------
(config)#ip http access-class ?
  <1-99>  Access list number

-----------------------------------------------------

(config)#ipv6 http?
% Unrecognized command

Re: Limit ssh and http access IPv4 and IPv6

Amine ZAKARIA — Mon, 14 Feb 2022 08:23:04 GMT

Hello @ciscoKuzia ,

So far not sure if it's possible to filter ipv6 with access-class for http/s, but instead you can apply the ipv6 acl on the interface directly.

ipv6 access-list ACLv6 
deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 80
deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 443
permit ipv6 any any

And under the interface apply the ACLv6:

ipv6 traffic-filter ACLv6 in

Regards!
--------------------------------------------

Don't forget to mark as resolved if it solve your issue

Re: Limit ssh and http access IPv4 and IPv6

Marcelo Morais — Mon, 14 Feb 2022 11:25:47 GMT

Hi @Amine ZAKARIA and @ciscoKuzia ,

"With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported."

More info at: Cisco IOS HTTP Services Command Reference.

Hope this helps !!!

Re: Limit ssh and http access IPv4 and IPv6

ciscoKuzia — Mon, 14 Feb 2022 18:07:58 GMT

Thanks @Marcelo Morais ,

That's what I figured.