Limit ssh and http access IPv4 and IPv6

ciscoKuzia
Level 1

I have a 2901 dual-stack router. I need to limit SSH and HTTP access to IPv4 and IPv6 ranges. At the moment, access is limited to a list of IPv4 addresses, but IPv6 is wide open and I can't find anything in the docs.

Any help would be appreciated!

access-list 10 permit 123.12.23.12
access-list 10 permit 192.168.1.0 0.0.0.255
!
ipv6 access-list ipv6_trusted_subnets
 permit ipv6 2001:123:321::/48 any
!
line vty 0 4
 access-class 10 in
 exec-timeout 60 0
 login local
 transport input ssh

2 Accepted Solutions
Amine ZAKARIA
Spotlight

Hello @ciscoKuzia,

Under line vty add:

 ipv6 access-class ipv6_trusted_subnets in

----------------------

Don't forget to rate helpful posts!

Hi @Amine ZAKARIA and @ciscoKuzia,

"With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported."

More info at: Cisco IOS HTTP Services Command Reference.

Hope this helps!

7 Replies


That worked! Thank you @Amine ZAKARIA!

Any idea on how to do the same thing but for http (https)?

(config)#ipv6 htt?
% Unrecognized command

I don't believe there is a specific command to turn off http(s) services only for IPv6. I think the command "ip http" and "ip http secure-server" apply for both IPv4 and 6.

Unfortunately, I can still access HTTPS via the IPv6 address, while the IPv4 address is accessible only from the trusted range. Also, I'm not able to add IPv6 to a standard access-list.

(config)#access-list 10 permit 2001:XXXX:D:FFFF::1470                         
                                     ^
% Invalid input detected at '^' marker.
-----------------------------------------------------
(config)#ip http access-class ?
  <1-99>  Access list number

-----------------------------------------------------

(config)#ipv6 http?
% Unrecognized command

 

Hello @ciscoKuzia,

So far I'm not sure if it's possible to filter IPv6 with access-class for HTTP/S, but instead you can apply the IPv6 ACL on the interface directly.

ipv6 access-list ACLv6
 deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 80
 deny tcp host 2001:123:321::2 host 2001:123:321::1 eq 443
 permit ipv6 any any

And under the interface apply the ACLv6:

ipv6 traffic-filter ACLv6 in

Regards!
--------------------------------------------

Don't forget to mark as resolved if it solves your issue
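As an added example that is not part of this thread (a hypothetical audit script, not Cisco tooling), the check below reads a saved running-config and flags the two gaps discussed here: a vty line that has an IPv4 access-class but no ipv6 access-class, and an enabled HTTP(S) server whose IPv6 side is not covered by an interface ipv6 traffic-filter (since ip http access-class is IPv4-only). The sample config is constructed to resemble the original post before the fix.

```python
# Added example, not from the thread: audit an IOS running-config for the
# IPv4-only filtering gap discussed above. A "line vty" block with an IPv4
# "access-class" but no "ipv6 access-class" leaves IPv6 SSH open; with the
# HTTP(S) server on, "ip http access-class" is IPv4-only, so IPv6 HTTP(S) is
# open unless an interface "ipv6 traffic-filter" restricts it.

def parse_blocks(config):
    """Group indented sub-commands under their column-0 parent command."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks

def audit(config):
    """Return a list of findings; an empty list means no IPv6 gap found."""
    findings, blocks = [], parse_blocks(config)
    for hdr, body in blocks:
        if hdr.startswith("line vty"):
            has_v4 = any(l.startswith("access-class ") for l in body)
            has_v6 = any(l.startswith("ipv6 access-class ") for l in body)
            if has_v4 and not has_v6:
                findings.append(f"{hdr}: no ipv6 access-class, IPv6 SSH unrestricted")
    http_on = any(h in ("ip http server", "ip http secure-server") for h, _ in blocks)
    v6_filtered = any(l.startswith("ipv6 traffic-filter ")
                      for h, b in blocks if h.startswith("interface ") for l in b)
    if http_on and not v6_filtered:
        findings.append("ip http access-class is IPv4-only and no interface "
                        "ipv6 traffic-filter found: IPv6 HTTP(S) unrestricted")
    return findings

# Constructed sample resembling the original post's config before the fix.
CONFIG_BEFORE = """\
access-list 10 permit 192.168.1.0 0.0.0.255
ipv6 access-list ipv6_trusted_subnets
 permit ipv6 2001:123:321::/48 any
ip http secure-server
ip http access-class 10
interface GigabitEthernet0/0
 ipv6 address 2001:123:321::1/64
line vty 0 4
 access-class 10 in
 transport input ssh
"""
```

Feed it `show running-config` output captured from the device; adding the ipv6 access-class under the vty line and an ipv6 traffic-filter on the interface clears both findings.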

 


Thanks @Marcelo Morais,

That's what I figured.
