07-24-2019 01:18 PM
So I can't seem to figure out how to do this.
On a perimeter router I just want to block any incoming SSH traffic to the router except from three internal subnets. Then I also want to authenticate with a local account and not leverage aaa. So the result is no one can directly externally connect to the router via SSH, but I can still SSH into our router internally using local accounts.
It seems that I can't selectively block SSH traffic without aaa, and I can't log in with a local account with aaa.
It seems to me that this should be very simple to configure.
Current configuration : 5161 bytes
!
! Last configuration change at 21:52:47 UTC Wed Jul 24 2019 by <redact>
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR4431
!
boot-start-marker
boot system bootflash:/isr4400-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 <redact>
!
aaa new-model
!
aaa session-id common
!
ip vrf Internet
 rd 2:2
!
ip vrf MPLS
 rd 1:1
!
ip domain name <redact>
!
subscriber templating
multilink bundle-name authenticated
!
license udi pid ISR4431/K9 sn <redact>
license boot level securityk9
!
spanning-tree extend system-id
!
username <redact> access-class 15 secret 8 <redact>
username <redact> access-class 15 secret 8 <redact>
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description LAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address 10.92.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0/0/2
 description WAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address <redact> <redact>
 negotiation auto
!
interface GigabitEthernet0/0/3
 description WAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address <redact>
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip ssh version 2
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny any
!
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny udp any eq 22 any
access-list 101 deny tcp any eq 22 any
access-list 101 permit ip any any
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
!
07-24-2019 01:42 PM - last edited on 01-22-2023 10:18 PM by Translator
Hello,
If you don't want to use aaa, you need to configure 'login local' on the lines and define local user accounts:
username admin privilege 15 password 0 cisco
line vty 0 4
access-class Limit_SSH out
login local
transport input ssh
transport output ssh
line vty 5 15
access-class Limit_SSH in
access-class Limit_SSH out
login local
transport input ssh
transport output ssh
07-24-2019 02:18 PM
Hi there,
@Georg Pauwen's answer is correct, but if you did want to use AAA, then you simply need to create an AAA method which uses the local user store only:
!
username foo priv 15 secret bar
!
aaa authentication login LOCAL_ONLY local
!
line vty 0 4
login authentication LOCAL_ONLY
access-class Limit_SSH in
!
cheers,
Seb.
07-25-2019 08:26 AM - edited 07-25-2019 08:35 AM
Weird, so I removed aaa and I can't SSH from 192.168.1.0/24; I get a connection refused.
WTF am I missing? The hops from the endpoint to that router are 192.168.1.148 > 192.168.1.100 (another router) > 10.92.1.254 (the ISR).
Do I need to remove the SSH in policy or something?
07-25-2019 09:00 AM - last edited on 01-22-2023 10:21 PM by Translator
Wow, this is infuriating...
I have made the most basic vty config I can think of, and the second I add an access-list via the access-class command I get a connection refused.
line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
 transport output none
line vty 5 15
 login local
 transport input ssh
 transport output none
Here is the access-list, which should have an implied deny all at the end.
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
And I am adding the following line to the vty lines when it fails:
access-class 1 in
07-25-2019 09:16 AM
Also, I forgot to mention I tried both listed methods and it did not work.
07-25-2019 09:42 AM
Figured it out....
This router is using VRFs, and when you are using VRFs you need to add vrf-also to the vty lines or else it will not route correctly.
access-class Limit_SSH in vrf-also
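The three things the thread converges on (an inbound access-class on every vty, vrf-also when the router defines VRFs, and an explicit local login method as in Georg's and Seb's replies) are easy to check mechanically from a saved running-config. The script below is an added example, not code from the thread or from Cisco: it parses IOS-style config text and reports, per vty block, a missing inbound access-class, an access-class that names an ACL the config never defines, a missing vrf-also on a VRF-enabled router, a transport input other than ssh, and a missing login local / login authentication. The two embedded configs are constructed from the snippets in this thread (trimmed to the relevant lines); the username line and its secret are placeholders.

```python
"""Audit IOS-style vty blocks for the pitfalls discussed in this thread.
Added example, not code from the thread or from Cisco."""
import re
from typing import Dict, List, Set

# Constructed sample modelled on the original post: a VRF is defined, vty 0 4
# has the ACL applied only "out", and no access-class carries vrf-also.
WEAK_CONFIG = """\
vrf definition Mgmt-intf
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny any
!
line vty 0 4
 access-class Limit_SSH out
 transport input ssh
line vty 5 15
 access-class Limit_SSH in
 transport input ssh
!
"""

# Same device with the accepted answer (vrf-also) plus login local applied.
# The username line is a placeholder, not a real credential.
FIXED_CONFIG = """\
vrf definition Mgmt-intf
!
username admin privilege 15 secret PLACEHOLDER
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny any
!
line vty 0 4
 access-class Limit_SSH in vrf-also
 login local
 transport input ssh
line vty 5 15
 access-class Limit_SSH in vrf-also
 login local
 transport input ssh
!
"""


def parse_vty_sections(config: str) -> Dict[str, List[str]]:
    """Map each 'vty X Y' block to its stripped sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):].rstrip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return sections


def uses_vrf(config: str) -> bool:
    """True if the config defines a VRF ('vrf definition X' or 'ip vrf X')."""
    return any(re.match(r"(ip )?vrf (definition )?\S+", l) for l in config.splitlines())


def defined_acls(config: str) -> Set[str]:
    """Names and numbers of every ACL the config defines."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = (re.match(r"ip access-list (?:standard|extended) (\S+)", line)
             or re.match(r"access-list (\d+) ", line))
        if m:
            acls.add(m.group(1))
    return acls


def audit_vty(config: str) -> Dict[str, List[str]]:
    """Return {vty block: [findings]}; an empty list means the block passed."""
    vrf_present, acls, report = uses_vrf(config), defined_acls(config), {}
    for name, cmds in parse_vty_sections(config).items():
        issues: List[str] = []
        inbound = [c for c in cmds if re.match(r"access-class \S+ in\b", c)]
        if not inbound:
            issues.append("no inbound access-class: any source can reach the vty")
        else:
            acl = inbound[0].split()[1]
            if acl not in acls:
                issues.append(f"inbound access-class names undefined ACL {acl}")
            if vrf_present and not any(c.endswith(" vrf-also") for c in inbound):
                issues.append("inbound access-class lacks vrf-also: SSH arriving "
                              "on a VRF interface is refused")
        if [c.split()[2:] for c in cmds if c.startswith("transport input ")] != [["ssh"]]:
            issues.append("transport input is not restricted to ssh")
        if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
            issues.append("no explicit login method (login local / login authentication)")
        report[name] = issues
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for vty, issues in audit_vty(cfg).items():
            print(f"[{label}] {vty}: {'; '.join(issues) or 'OK'}")
```

Feed it the output of `show running-config` saved to a file and the weak sample reproduces the thread exactly: vty 0 4 is reported as having no inbound access-class at all, and vty 5 15 as applying one without vrf-also, which is the "connection refused" seen from 192.168.1.0/24 once the ACL was attached on a VRF-facing interface.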
07-25-2019 09:53 AM
Thanks for the update. Glad to know that you found the solution to your problem. We should have noticed the vrf use.
HTH
Rick
07-25-2019 09:47 AM - last edited on 01-22-2023 10:23 PM by Translator
The original post had access-class applied out but not in for vty 0 4, and that was a problem that would have allowed incoming SSH. But I am not clear why the more recent config, which uses a numbered standard access list and applies it "in", is not working. Are you sure that your SSH request has its source address as either 10.92.1.0/24 or 192.168.1.0/24?
Just to be sure that I am understanding the situation correctly: in the current config without configuring access-class 1 in, SSH is successful. But when you configure access-class 1 in on the vty, SSH fails?
HTH
Rick