Blocking telnet and ssh from the Internet - CSS11000

lmayercin
Level 1

We have CSS11800 switches in a remote data center, and needed to have telnet and ssh access blocked from the Internet, but still allow it from the management port. It's a simple access-list thing, but maybe it'll save time for the next person.

acl enable
acl xx
clause 10 deny tcp any destination any eq 22
clause 11 deny tcp any destination any eq 23
( insert additional clauses for other protocols you wish to block (icmp, snmp, etc.) )
clause 99 permit any any destination any
apply circuit-vlanyy (where yy is the internet-facing circuit)

That should do it. You type "show acl xx" to see the hits on the individual clauses. This was done with 3.10 and 4.xx firmware. Your mileage may vary. Sterling Commerce is not responsible for these comments. And so on. :-)

Luke

2 Replies

Gilles Dufour
Cisco Employee

Thanks for this information.

After some contemplation, I believe the destination address "any" may be too broad for this work. If you're just trying to block telnet/ssh to this particular switch, it should look like this (if the IP address of this switch is 111.222.111.22, and is sitting on the VLAN facing the Internet):

clause 10 deny tcp any destination 111.222.111.22 eq telnet log
clause 11 deny tcp any destination 111.222.111.22 eq 22 log
clause 99 permit any any destination any
apply circuit-(VLAN1)

It was thought that if devices on the same VLAN or devices behind the CSS needed to be accessed via telnet/ssh, this access list may block them. This revised ACL just blocks telnet/ssh to the switch itself. Again, tested with 3.10 and 4.xx firmware.

Luke
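To make the difference between the first ACL and the revised one concrete, here is an added Python example that is not part of the thread or any Cisco tool: it parses the clause syntax shown above into a small rule table, evaluates a few flows against each ACL, and flags deny clauses whose destination is "any". It assumes (the thread does not state this) that clauses are evaluated in ascending number order, that the first match wins, and that a flow matching no clause is dropped. The switch address 111.222.111.22 comes from the thread; the backend address 10.0.0.5 and the source 203.0.113.9 are constructed for the example.

```python
"""Evaluate CSS 11000-style ACL clauses against sample flows.

Added example, not the thread's own configuration or Cisco code: a parser
for the 'clause ...' syntax shown above and a first-match evaluator used
to compare the original ACL with the revised one.
Assumptions (not stated on the page): ascending clause order, first match
wins, and a flow that matches no clause is denied.
"""
from dataclasses import dataclass
from typing import List, Optional

# Port names used in the thread in place of numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass
class Clause:
    number: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # "any" or a single address
    dst: str               # "any" or a single address
    dport: Optional[int]   # destination port from "eq", or None
    log: bool


def parse_clause(line: str) -> Clause:
    """Parse one 'clause N action proto src destination dst [eq port] [log]' line."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "clause" or tok[5] != "destination":
        raise ValueError(f"unrecognised clause: {line!r}")
    number, action, proto, src, dst = int(tok[1]), tok[2], tok[3], tok[4], tok[6]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    dport, log, i = None, False, 7
    while i < len(tok):
        if tok[i] == "eq" and i + 1 < len(tok):
            name = tok[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
        elif tok[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unexpected token {tok[i]!r} in: {line!r}")
    return Clause(number, action, proto, src, dst, dport, log)


def parse_acl(text: str) -> List[Clause]:
    """Keep only 'clause' lines (acl/apply lines are ignored), ordered by number."""
    clauses = [parse_clause(l.strip()) for l in text.splitlines()
               if l.strip().startswith("clause")]
    return sorted(clauses, key=lambda c: c.number)


def evaluate(acl: List[Clause], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a flow; the first matching clause wins."""
    for c in acl:
        if (c.proto in ("any", proto) and c.src in ("any", src)
                and c.dst in ("any", dst) and c.dport in (None, dport)):
            return c.action
    return "deny"   # assumption: no matching clause means the flow is dropped


def overbroad_denies(acl: List[Clause]) -> List[int]:
    """Numbers of deny clauses whose destination is 'any': these hit traffic
    passing through the circuit, not only traffic to the switch itself."""
    return [c.number for c in acl if c.action == "deny" and c.dst == "any"]


# The two ACLs as posted in the thread.
ORIGINAL_ACL = """
clause 10 deny tcp any destination any eq 22
clause 11 deny tcp any destination any eq 23
clause 99 permit any any destination any
"""
REVISED_ACL = """
clause 10 deny tcp any destination 111.222.111.22 eq telnet log
clause 11 deny tcp any destination 111.222.111.22 eq 22 log
clause 99 permit any any destination any
"""

SWITCH = "111.222.111.22"   # address used in the thread
BACKEND = "10.0.0.5"        # constructed: a server behind the CSS


def compare(src: str = "203.0.113.9") -> dict:
    """Decisions for SSH to the switch and SSH to a backend under both ACLs."""
    orig, rev = parse_acl(ORIGINAL_ACL), parse_acl(REVISED_ACL)
    return {
        "original": {"ssh_to_switch": evaluate(orig, "tcp", src, SWITCH, 22),
                     "ssh_to_backend": evaluate(orig, "tcp", src, BACKEND, 22),
                     "overbroad": overbroad_denies(orig)},
        "revised": {"ssh_to_switch": evaluate(rev, "tcp", src, SWITCH, 22),
                    "ssh_to_backend": evaluate(rev, "tcp", src, BACKEND, 22),
                    "overbroad": overbroad_denies(rev)},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows that the original ACL denies SSH both to the switch and to anything behind it on that circuit (clauses 10 and 11 are reported as over-broad), while the revised ACL denies SSH and telnet only to 111.222.111.22 and still permits them to the backend, which is the point made in the reply above. The same `overbroad_denies` check is a quick review step before applying any "destination any" deny clause to an Internet-facing circuit.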
