SSH access to user context on ACE

kalugotla1
Level 1

Unable to SSH into a virtual context on ACE, but able to SSH into the Admin context.

ssh key rsa 1024 force command (invalid command) on ACE. Please help me on this.

6 Replies

pablo.nxh
Level 3

Hello,

ACE management access is allowed using the modular policy framework instead of the ssh key rsa [key size] command.

If you want to enable SSH access per context, you need to create a new management class-map, match it in a policy-map and then apply it under the interface of that context.

i.e.

ACE/Context(config)# class-map type management match-any MGMT

ACE/Context(config-cmap-mgmt)# 2 match protocol icmp any

ACE/Context(config-cmap-mgmt)# 3 match protocol ssh any

ACE/Context(config-cmap-mgmt)# exit

ACE/Context(config)# policy-map type management first-match MGMT_POLICY

ACE/Context(config-pmap-mgmt)# class MGMT

ACE/Context(config-pmap-mgmt-c)# permit

ACE/Context(config-pmap-mgmt-c)# exit

ACE/Context(config-pmap-mgmt)# exit

ACE/Context(config)# interface vlan 10

ACE/Context(config-if)# ip address 192.168.10.1 255.255.255.240

ACE/Context(config-if)# service-policy input MGMT_POLICY

HTH

__ __

Pablo

This is the config I have on the context

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


interface vlan 201
  ip address 161.247.133.88 255.255.255.0
  peer ip address 161.247.133.89 255.255.255.0
  mtu 1500
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown

Not sure if I need to add anything else to get SSH access working on the context.
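An added check (my own code, not from the thread or from Cisco) for the three-part chain Pablo describes and the config posted above: a management class-map that matches ssh, a management policy-map that permits that class, and a service-policy input on the context's vlan interface that applies it. The sample config is constructed from the posted context config with a documentation address; the parsing rules (indented body lines belong to the preceding header) are an assumption about ACE's running-config layout.

```python
import re

# Constructed sample modelled on the context config posted above (address changed).
SAMPLE_CONFIG = """\
class-map type management match-any remote_access
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 201
  ip address 192.0.2.88 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
"""

def parse_blocks(text):
    """Split an ACE config into (header, [indented body lines]) blocks."""
    blocks = []
    for line in [l for l in text.splitlines() if l.strip()]:
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def management_protocols(text):
    """Map each vlan interface to the management protocols its applied management policy-maps permit."""
    cmaps, pmaps, ifaces = {}, {}, {}
    for header, body in parse_blocks(text):
        name = header.split()[-1]  # class-map/policy-map name or vlan number
        if header.startswith("class-map type management"):
            cmaps[name] = set(re.findall(r"match protocol (\S+)", "\n".join(body)))
        elif header.startswith("policy-map type management"):
            cur, pmaps[name] = None, set()
            for line in body:  # a bare 'permit' applies to the preceding class
                if line.startswith("class "):
                    cur = line.split()[1]
                elif line == "permit" and cur:
                    pmaps[name].add(cur)
        elif header.startswith("interface vlan"):
            ifaces[name] = [l.split()[-1] for l in body
                            if l.startswith("service-policy input ")]
    return {vlan: {p for pol in pols for cls in pmaps.get(pol, ())
                   for p in cmaps.get(cls, ())} for vlan, pols in ifaces.items()}
```

The returned set also shows which cleartext management protocols (telnet, http, snmp in the posted class-map) the same policy exposes on the interface, which is worth trimming once SSH works.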

Hi There

Can you share the show run from your Admin context and the arp table if possible?

Tnx

__ __

Pablo

logging enable
logging buffered 7
logging host 10.129.40.123 udp/514

resource-class RC1
  limit-resource all minimum 10.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_5.bin

login timeout 10

peer hostname s0adcdmzace02
hostname s0adcdmzace01
interface gigabitEthernet 1/1
  switchport trunk allowed vlan 201,1003
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  no shutdown

clock timezone est -5 0
clock summer-time standard EDT
  deadtime 15
ntp server 161.247.133.30 prefer

ntp peer 161.247.133.89

aaa authentication login error-enable

access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list ALL line 11 extended permit tcp any any


ip domain-lookup
ip domain-name aholdusa.com
ip name-server 10.129.12.53
ip name-server 10.129.12.51


class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 201
  ip address 161.247.133.145 255.255.255.0
  peer ip address 161.247.133.146 255.255.255.0
  mtu 1500
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ft interface vlan 1003
  ip address 1.1.1.1 255.255.255.252
  peer ip address 1.1.1.2 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 1003
ft group 1
  peer 1
  priority 200
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 161.247.133.30
ip route 10.0.0.0 255.0.0.0 161.247.133.40
ip route 161.247.128.0 255.255.255.0 161.247.133.40
ip route 161.247.134.0 255.255.255.0 161.247.133.40
ip route 161.247.135.0 255.255.255.0 161.247.133.40
ip route 161.247.7.0 255.255.255.0 161.247.133.40
ip route 161.247.136.0 255.255.255.0 161.247.133.40

context production
  allocate-interface vlan 201
  member RC1

 
ft group 11
  peer 1
  priority 200
  associate-context production
  inservice

s0adcdmzace01/Admin# sh arp


Context Admin
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
161.247.133.30  00.08.a3.db.89.e5  vlan201   GATEWAY    66     226 sec      up
161.247.133.40  00.00.5e.00.01.67  vlan201   GATEWAY    67     240 sec      up
161.247.133.44  00.00.5e.00.01.67  vlan201   LEARNED    73     12673 sec    up
161.247.133.89  00.12.43.dc.6f.02  vlan201   LEARNED    68     10482 sec    up
161.247.133.145 00.1e.68.58.10.0b  vlan201   INTERFACE  LOCAL     _         up
161.247.133.146 00.1e.68.58.10.11  vlan201   LEARNED    69     10674 sec    up
161.247.133.177 00.0d.60.51.f2.06  vlan201   LEARNED    70     11709 sec    up
1.1.1.1         00.1e.68.58.10.0b  vlan1003  INTERFACE  LOCAL     _         up
1.1.1.2         00.1e.68.58.10.11  vlan1003  LEARNED    56     8170 sec     up
================================================================================
Total arp entries 9

Hi,

The config on the Admin context looks OK. I thought it might be an issue with interface or resource allocation, but that looks fine.

Do you happen to have a default route on context "production"? If I'm not wrong, it would be the same default route the Admin context is using.

ip route 0.0.0.0 0.0.0.0 161.247.133.30

Are you able to ping 161.247.133.88 from an upstream device sitting on VLAN 201?

Regards

__ __

Pablo

The default route is exactly the same in my context as that of Admin.

Ping is blocked, so I can't ping .88 or .145 (Admin context).

Not sure if I am missing anything to get SSH access working on my context. Please help me.