05-02-2021 04:42 AM
Hello,
I am using the configuration below on several 8XX (881,887,891F,892...) CPEs, 3750 and 3750X switches without any problem.
This configuration does not work on ASR1001,1002,1004 etc...
object-group network Admin
 host A.A.A.A
 host B.B.B.B
!
ip ssh maxstartups 4
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended SSH-ADMIN
 permit tcp object-group Admin any eq 2222
 deny ip any any
!
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 5 0
 login local
 rotary 1
 length 0
 transport input ssh
 transport output none
!
Cannot start an SSH connection on the ASRs for management with this configuration...
To establish an SSH connection on the ASRs I have to modify the configuration like this:
ip access-list extended SSH-ADMIN
 permit tcp any any eq 2222
!
Do you have an idea of the problem?
Thank you
05-02-2021 02:05 PM
Looks like IOS and IOS XE changed the syntax.
Here is my IOS XE config; it works for me.
ip access-list extended MY-SSH
 permit tcp 192.168.1.10 255.255.255.255 any eq XXXX   (XXXX is the port number)
 deny ip any any
line vty 0 4
 access-class MY-SSH in
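An added example, not posted by any participant in this thread, showing the entry above beside a corrected form. In an IOS/IOS XE extended ACL the field after the source address is a wildcard mask, not a subnet mask: a 1 bit means "ignore this bit", so 255.255.255.255 ignores every bit and the parser normalizes the entry to `any`. A 0.0.0.0 wildcard (or the equivalent `host` keyword) matches the single address. The address 192.168.1.10 and TCP port 2222 are the values used in this thread; the second host 192.168.1.11, the ACL names and the `log` keyword on the deny line are assumptions for this example.

```cisco
! Loose entry (as posted above): 255.255.255.255 is a WILDCARD mask, so every
! source bit is "don't care" and IOS stores the line as "permit tcp any any",
! which lets any host on the network reach the SSH port.
ip access-list extended SSH-ADMIN-LOOSE
 permit tcp 192.168.1.10 255.255.255.255 any eq 2222
 deny ip any any
!
! Corrected entries: the "host" keyword, or an explicit 0.0.0.0 wildcard
! (all 32 bits must match), limits the source to the management stations.
! 192.168.1.11 and the ACL name are assumed values for this example;
! "log" on the deny line records attempts from unlisted addresses.
ip access-list extended SSH-ADMIN-FIXED
 permit tcp host 192.168.1.10 any eq 2222
 permit tcp 192.168.1.11 0.0.0.0 any eq 2222
 deny ip any any log
!
line vty 0 4
 access-class SSH-ADMIN-FIXED in
 transport input ssh
```

Check the result with `show access-lists SSH-ADMIN-FIXED`: both permit lines should display with the `host` keyword (IOS shows a 0.0.0.0 wildcard as `host`), whereas the loose list displays its permit line as `permit tcp any any eq 2222`. After an SSH attempt from an address that is not listed, the match counter on the deny line should increase.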
05-02-2021 10:49 PM
It does not work... When I enter the IP 192.168.1.10, the CLI rewrites the IP access list:
ASR1002(config)#ip access-list extended SSH
ASR1002(config-ext-nacl)#permit tcp 192.168.1.10 255.255.255.255 any eq 2222
ASR1002(config-ext-nacl)#deny ip any any
ASR1002(config-ext-nacl)#^Z
ASR1002#sh run
!
ip access-list extended SSH
 permit tcp any any eq 2222
 deny ip any any
05-03-2021 01:17 AM
Can you post show version?
05-04-2021 10:34 PM
The router has no configuration, it's new...
permit tcp 192.168.1.10 255.255.255.255 any eq 2222 => BECOMES => permit tcp any any eq 2222
ip ssh maxstartups 4
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended SSH-ADMIN
 permit tcp any any eq 2222
 deny ip any any
!
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 5 0
 login local
 rotary 1
 length 0
 transport input ssh
 transport output none
!
05-05-2021 12:20 AM
Hello,
I couldn't really find any coherent information on why this doesn't work on the ASR. What if you try a nested object?
object-group network Nested_Admin
host A.A.A.A
host B.B.B.B
!
object-group network Admin
group-object Nested_Admin
!
ip access-list extended SSH-ADMIN
permit tcp object-group Admin any eq 2222
deny ip any any
!
line vty 0 4
access-class SSH-ADMIN in
05-05-2021 04:43 AM
Cisco IOS XE Software, Version 03.16.10.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S10, RELEASE SOFTWARE (fc3)
object-group network Nested_Admin didn't work
root@laptop:~# ssh -p 2222 -l admin 192.168.168.254
ssh: connect to host 192.168.168.254 port 2222: Connection refused
05-05-2021 03:54 AM
We have not requested the config; I requested a show version (to see any bugs we know of).
05-07-2021 06:08 AM
Are you using vrf in your configs?
Can you try this and check?
access-class SSH-ADMIN in vrf-also
05-07-2021 06:14 AM
Also, we have a restriction; I need to check if we can use object-group:
When you apply an access list to a vty (by using the access-class command), the access list must be a numbered access list, not a named access list.
08-02-2021 03:01 PM
Hello
As you are using rotary, when you initiate an SSH session on any of the vty 0-4 lines, try stating the rotary number, not the port:
ssh -p 2001 -l admin 192.168.168.254
or
ssh -p 3001 -l admin 192.168.168.254