topic Re: SSH problem in Network Access Control

SSH problem

ashahnawaz — Wed, 12 Jul 2023 10:07:32 GMT

Hi.

i have added an ACL to allow certian IPs to the managment Vlan. Upon adding this ACL i can ssh to the device but get an access denied. upon removing the ACL works fine

here is the config- some sensitive details removed

interface Vlan200
description ***Management***
ip address 192.168.68.2 255.255.255.0
ip access-group ACL_MGMT_in in
!
ip default-gateway 192.168.68.1
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
!
ip access-list extended ACL_MGMT_in
10 permit ip host 192.168.150.100 any
20 permit ip host 192.168.150.101 any
30 permit ip host 192.168.150.102 any
40 permit ip host 192.168.150.103 any
50 permit ip host 192.168.150.104 any
60 permit ip host 192.168.150.105 any
70 permit ip host 192.168.152.20 any
80 permit ip 192.168.68.0 0.0.0.255 any
90 deny ip any any
!
!

!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
transport input all
line vty 5 15
exec-timeout 60 0
privilege level 15
transport input all
!
!
!
!
!
end

Re: SSH problem

Dustin Anderson — Wed, 12 Jul 2023 13:10:30 GMT

Not sure on the exact issue, we apply the ACL to the VTY.

line vty 0 15
length 54
logging synchronous
exec-timeout 15
transport input ssh
access-class 10 in vrf-also

Re: SSH problem

Flavio Miranda — Wed, 12 Jul 2023 13:29:56 GMT

Hi @ashahnawaz

ACL applied to Interface vlan does not block traffic send to the device CPU like SSH (Management traffic). You need to apply the ACL on the line vty

line vty 0 4

access-class ACL_MGMT_in in

If the switch does not accept named ACL create a numbered ACL

ip access-list extended 100
10 permit ip host 192.168.150.100 any
20 permit ip host 192.168.150.101 any
30 permit ip host 192.168.150.102 any
40 permit ip host 192.168.150.103 any
50 permit ip host 192.168.150.104 any
60 permit ip host 192.168.150.105 any
70 permit ip host 192.168.152.20 any
80 permit ip 192.168.68.0 0.0.0.255 any
90 deny ip any any

line vty 0 4

access-class 100 in

Re: SSH problem

ashahnawaz — Wed, 12 Jul 2023 13:39:23 GMT

Hello thanks for the reply.

I forgot to mention this config is on the Core Switch on x.x.68.2. if i try to SSH to x.x.68.3 i get to the splash page however the password is not accepted( Access Denied). Removing ACL from the interface on the CORE allows me in.

Re: SSH problem

Flavio Miranda — Wed, 12 Jul 2023 14:04:30 GMT

Hi,

Which device is x.x.68.3 ? Are you using TACACS ?

Re: SSH problem

MHM Cisco World — Wed, 12 Jul 2023 15:25:50 GMT

Use

Ip tacacs source-interface vlan200

Re: SSH problem

ashahnawaz — Wed, 12 Jul 2023 15:28:15 GMT

Core is a 9500 on 68.2.

68.3 is a C9200L

we are using local Login

Re: SSH problem

MHM Cisco World — Wed, 12 Jul 2023 15:36:56 GMT

Do you conifg

Username xxxx password yyyy ?

Re: SSH problem

ashahnawaz — Wed, 12 Jul 2023 16:11:23 GMT

Her is the User config

version 17.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service call-home
service unsupported-transceiver
platform punt-keepalive disable-kernel-core
!
hostname Core
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
enable secret 9 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
switch 1 provision c9500-16x
switch 2 provision c9500-16x
!
!
!
!
stackwise-virtual
domain 1
!

!
login on-success log
!
!

vtp domain Test.Local
vtp mode transparent
udld aggressive

!
license boot level network-advantage addon dna-advantage
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100-106,200,998-999 priority 4096
memory free low-watermark processor 133114
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery interval 30
username Redacted privilege 15 secret 9 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
mode sso
!
!
!