ASR1000 remote SSH with object-group network

sebastien3
Level 4

Hello,

I am using the configuration below on several 8XX (881,887,891F,892...) CPEs, 3750 and 3750X switches without any problem.

This configuration does not work on ASR1001,1002,1004 etc...

object-group network Admin
 host A.A.A.A
 host B.B.B.B
!
ip ssh maxstartups 4
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended SSH-ADMIN
 permit tcp object-group Admin any eq 2222
 deny   ip any any
!
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 5 0
 login local
 rotary 1
 length 0
 transport input ssh
 transport output none
!

Cannot start an SSH connection on the ASRs for management with this configuration...

To establish an SSH connection on the ASRs I have to modify the configuration like this:

ip access-list extended SSH-ADMIN
 permit tcp any any eq 2222
!

Do you have an idea of the problem?

Thank you


balaji.bandi
Hall of Fame

Looks like IOS and IOS XE changed the syntax.

Here is my IOS XE config, which works for me.

ip access-list extended MY-SSH
 permit tcp 192.168.1.10 255.255.255.255 any eq XXXX   (XXXX is the port #)
 deny   ip any any

line vty 0 4
 access-class MY-SSH in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It does not work... When I enter the IP 192.168.1.10, the CLI rewrites the IP access list:

ASR1002(config)#ip access-list extended SSH
ASR1002(config-ext-nacl)#permit tcp 192.168.1.10 255.255.255.255 any eq 2222
ASR1002(config-ext-nacl)#deny ip any any
ASR1002(config-ext-nacl)#^Z
ASR1002#sh run
!
ip access-list extended SSH
 permit tcp any any eq 2222
 deny   ip any any
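The rewrite in the session above is standard IOS wildcard-mask semantics: the second field of an extended ACE is an inverse (wildcard) mask in which a 1 bit means "don't care", so `192.168.1.10 255.255.255.255` matches every source address and is stored as `any`, while `0.0.0.0` (or the `host` keyword) pins the exact address. The following Python script is an added example, not code from this thread or from Cisco, that applies the same normalisation and shows which source addresses each form admits; the address 10.0.0.5 used as an unexpected source is constructed for the demo.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into the network it matches.

    Wildcard bits set to 1 are "don't care", bits set to 0 must match.
    Only contiguous wildcards (0.0.0.255, 255.255.255.255, ...) map to a
    prefix; anything else is rejected here to keep the example small.
    """
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    # IOS also clears the don't-care bits of the stored address.
    return ipaddress.IPv4Network((a & ~w, 32 - host_bits))


def normalize_source(addr: str, wildcard: str) -> str:
    """Render the source field the way 'show run' prints it."""
    net = wildcard_to_network(addr, wildcard)
    if net.prefixlen == 0:
        return "any"                       # every address matches
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ace_matches(addr: str, wildcard: str, src_ip: str) -> bool:
    """True when a packet from src_ip hits this ACE's source field."""
    return ipaddress.IPv4Address(src_ip) in wildcard_to_network(addr, wildcard)


if __name__ == "__main__":
    # The ACE typed in the thread, then the host form that was intended.
    for pair in (("192.168.1.10", "255.255.255.255"), ("192.168.1.10", "0.0.0.0")):
        print(f"permit tcp {pair[0]} {pair[1]} any eq 2222  ->  "
              f"permit tcp {normalize_source(*pair)} any eq 2222")
        # 10.0.0.5 is a constructed, non-admin management source.
        for src in ("192.168.1.10", "10.0.0.5"):
            verdict = "permit" if ace_matches(*pair, src) else "no match"
            print(f"   source {src}: {verdict}")
```

The first form therefore lets any host reach port 2222 on the vty, which is exactly the "works on the ASR" result the thread describes; the `0.0.0.0` (host) form restricts it to the admin station.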

Can you post show version?

BB

The router has no configuration, it's new...

permit tcp 192.168.1.10 255.255.255.255 any eq 2222 => BECOME => permit tcp any any eq 2222

ip ssh maxstartups 4
ip ssh time-out 60
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended SSH-ADMIN
 permit tcp any any eq 2222
 deny   ip any any
!
line vty 0 4
 access-class SSH-ADMIN in
 exec-timeout 5 0
 login local
 rotary 1
 length 0
 transport input ssh
 transport output none
!

Hello,

 

I couldn't really find any coherent information on why this doesn't work on the ASR. What if you try a nested object?

object-group network Nested_Admin
 host A.A.A.A
 host B.B.B.B
!
object-group network Admin
 group-object Nested_Admin
!
ip access-list extended SSH-ADMIN
 permit tcp object-group Admin any eq 2222
 deny   ip any any
!
line vty 0 4
 access-class SSH-ADMIN in

Cisco IOS XE Software, Version 03.16.10.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S10, RELEASE SOFTWARE (fc3)

object-group network Nested_Admin didn't work

root@laptop:~# ssh -p 2222 -l admin 192.168.168.254
ssh: connect to host 192.168.168.254 port 2222: Connection refused

We have not requested config? I have requested show version (see any bugs we know).

BB

mashrafi
Cisco Employee

Are you using VRF in your configs?

Can you try this and check?

access-class SSH-ADMIN in vrf-also

Also, we have a restriction; I need to check if we can use object-group.

Restrictions for Controlling Access to a Virtual Terminal Line

When you apply an access list to a vty (by using the access-class command), the access list must be a numbered access list, not a named access list.

sebastien3
Level 4

Hello,

I still have my problem that I can't solve...

@mashrafi can you explain to me?

Hello

As you are using rotary, when you initiate an SSH session on any vty 0-4 lines, try stating the rotary number, not the port:

ssh -p 2001 -l admin 192.168.168.254

or
ssh -p 3001 -l admin 192.168.168.254

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul