09-21-2009 04:14 PM
Hi,
I've been requested to restrict telnet/ssh access to the loopback address only.
I've been attempting to do this using access lists; however, the access lists either block access to all interfaces or allow access to no interfaces.
Any and all help in this is appreciated.
Below are the configs I have been trying. This is for telnet only.
! loopback address I want to restrict access to
interface Loopback0
ip address 10.20.254.1 255.255.255.255
! interface not to be able to telnet to
interface FastEthernet0/0
ip address 10.20.10.1 255.255.255.0
!access-list 101 in is applied to line vty 0 4
line vty 0 4
access-class 101 in
!Below gets to both interfaces
access-list 101 perm tcp any any eq telnet
access-list 101 deny tcp any any
sh access-list 101
Extended IP access list 101
10 permit tcp any any eq telnet (4 matches)
20 deny tcp any any
!The below stopped both interfaces being accessed.
access-list 101 perm tcp any host 10.20.254.1 (loopback address) eq telnet
access-list 101 deny tcp any any
sh access-l 101
Extended IP access list 101
10 permit tcp any host 10.20.254.1 eq telnet
20 deny tcp any any (2 matches)
09-21-2009 05:23 PM
You can do this with control-plane policing (CoPP). For example:
access-list 101 deny tcp any host 10.20.254.1 eq telnet
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any
class-map match-all matchtelnet
match access-group 101
policy-map filtertelnet
class matchtelnet
drop
control-plane
service-policy input filtertelnet
Note: the ACL above looks like the opposite of what you want, but really you're matching traffic you do NOT want, then dropping it in the policy-map.
The net effect will be that all TCP traffic is allowed to this device OTHER than tcp/23 traffic unless the destination address is 10.20.254.1.
09-21-2009 06:50 PM
Fantastic. I'm still trying to get my head around it but it works. Need to look at the backward logic.
Thanks for the help.
10-13-2009 04:27 PM
Hi,
You supplied the above answer last month and, when I tested it on a 1841 router, it worked fine.
My problem is when I tried to apply it to a 3750 layer 3 switch. The drop command on the policy-map didn't take, nor did the service-policy input command on the control-plane (output below).
Any and all help will be appreciated.
router(config-cmap)#policy-map filtertelnet
router(config-pmap)#class matchtelnet
router(config-pmap-c)#drop
^
% Invalid input detected at '^' marker.
router(config-pmap-c)#
router(config-pmap-c)#control-plane
router(config-cp)#service-policy input filtertelnet
QoS: policymap is supported on physical, VLAN, and ES interfaces only
Service Policy attachment failed
error: failed to install policy map filtertelnet
router(config-cp)#
10-13-2009 04:42 PM
Control-plane policing is not supported on the 3750 platform. This solution will not work there.
10-13-2009 04:59 PM
Thanks.
Is there any other way of restricting remote access to single interfaces on the 3750 switches?
10-13-2009 05:09 PM
Interface ACLs are the only other way to go. Create an ACL that only permits telnet to the desired interface, then apply it to all IP interfaces on the switch.
10-20-2009 03:23 PM
Joe,
Tested the access list on a test box and it worked fine. Before I start applying it on all devices, I thought I would get you to have a quick look.
Does the below look correct?
Want to connect to IP address 10.1.112.5.
ip access-list extended RemoteAccess
permit tcp any host 10.1.112.5 eq telnet
deny tcp any any eq telnet
permit ip any any
Then apply the access list
interface Vlan210
ip address 10.2.112.5 255.255.252.0
ip access-group RemoteAccess in
!
interface Vlan410
ip address 10.1.112.5 255.255.252.0
ip access-group RemoteAccess in
!
Thanks again for your help.
10-20-2009 03:26 PM
This looks okay to me.
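The "backward logic" of the CoPP answer and the plain inbound-ACL design used on the 3750 are easier to see by tracing packets through a first-match ACL evaluator. The Python below is an added illustration, not code from the thread or from Cisco: it parses the two ACLs exactly as they were posted (ACL 101 from the CoPP reply, and the named RemoteAccess ACL from the 3750 follow-up), models IOS first-match evaluation with the implicit deny at the end, and then applies the two different semantics the thread uses: under the CoPP policy-map a packet that the ACL *permits* is in the class and gets dropped, whereas under `ip access-group ... in` a permitted packet is forwarded. The management-station address 192.0.2.10, the packet mix, and the `Packet`/`Ace` helpers are constructed for the example; the 1841/3750 addresses come from the posts. It deliberately does not model the vty `access-class` attempt from the first post, since the thread does not explain why that attempt behaved as it did.

```python
# Added example: first-match IOS ACL model tracing the CoPP and interface-ACL designs
# from the thread. Packets and the 192.0.2.10 management host are constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: tuple                    # (address_int, wildcard_int); all-ones wildcard == "any"
    dst: tuple
    dport: Optional[int] = None   # only the "eq <port>" qualifier is modelled


def _take_addr(toks):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (int(ip_address(toks[1])), 0), toks[2:]
    return (int(ip_address(toks[0])), int(ip_address(toks[1]))), toks[2:]


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] == "access-list":          # numbered ACL: drop "access-list <num>"
        toks = toks[2:]
    action = "permit" if toks[0].startswith("perm") else "deny"   # accepts "perm"
    proto = toks[1]
    src, rest = _take_addr(toks[2:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _addr_match(spec, addr: str) -> bool:
    base, wild = spec
    fixed_bits = ~wild & 0xFFFFFFFF       # bits the wildcard says must match
    return (int(ip_address(addr)) ^ base) & fixed_bits == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_action(acl, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def copp_verdict(acl, pkt: Packet) -> str:
    """class-map matching the ACL + 'drop' in the policy-map: an ACL *permit* puts the
    packet in the class, so it is dropped; anything else falls to class-default and passes."""
    return "drop" if acl_action(acl, pkt) == "permit" else "pass"


def interface_acl_verdict(acl, pkt: Packet) -> str:
    """'ip access-group <acl> in' in the usual sense: ACL permit forwards the packet."""
    return "pass" if acl_action(acl, pkt) == "permit" else "drop"


# ACL 101 as given in the CoPP reply (1841 router).
COPP_ACL = parse_acl("""
access-list 101 deny tcp any host 10.20.254.1 eq telnet
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any
""")

# Named ACL RemoteAccess from the 3750 follow-up, applied inbound on every SVI.
REMOTE_ACCESS = parse_acl("""
permit tcp any host 10.1.112.5 eq telnet
deny tcp any any eq telnet
permit ip any any
""")

MGMT_HOST = "192.0.2.10"   # constructed management station address

COPP_CASES = [
    ("telnet to Loopback0 10.20.254.1", Packet("tcp", MGMT_HOST, "10.20.254.1", 23)),
    ("telnet to Fa0/0 10.20.10.1", Packet("tcp", MGMT_HOST, "10.20.10.1", 23)),
    ("ssh to Fa0/0 10.20.10.1", Packet("tcp", MGMT_HOST, "10.20.10.1", 22)),
    ("icmp to Fa0/0 10.20.10.1", Packet("icmp", MGMT_HOST, "10.20.10.1")),
]
SVI_CASES = [
    ("telnet to Vlan410 10.1.112.5", Packet("tcp", MGMT_HOST, "10.1.112.5", 23)),
    ("telnet to Vlan210 10.2.112.5", Packet("tcp", MGMT_HOST, "10.2.112.5", 23)),
    ("ssh to Vlan210 10.2.112.5", Packet("tcp", MGMT_HOST, "10.2.112.5", 22)),
]


def trace(acl, verdict_fn, cases):
    """Return {description: verdict} for a list of (description, Packet)."""
    return {desc: verdict_fn(acl, pkt) for desc, pkt in cases}


if __name__ == "__main__":
    for desc, v in trace(COPP_ACL, copp_verdict, COPP_CASES).items():
        print(f"CoPP     {desc:34} {v}")
    for desc, v in trace(REMOTE_ACCESS, interface_acl_verdict, SVI_CASES).items():
        print(f"SVI ACL  {desc:34} {v}")
```

Running it shows the inversion the reply describes: under CoPP, telnet to the loopback hits the `deny` entry first, so it is *not* in the class and passes, telnet to FastEthernet0/0 hits the `permit` and is dropped, and everything else (SSH, ICMP) falls through to `deny ip any any` and passes. The RemoteAccess trace also makes one caveat visible that the thread does not spell out: as posted, that ACL only restricts tcp/23, so an SSH session to 10.2.112.5 still passes, even though the opening post asked to restrict telnet/ssh. If SSH is meant to be limited the same way, the ACL would need an equivalent permit/deny pair for port 22 (this is a suggestion, not something the thread states).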