07-24-2019 01:18 PM
So I can't seem to figure out how to do this.
On a perimeter router I just want to block any incoming SSH traffic to the router except from three internal subnets. Then I also want to authenticate with a local account and not leverage AAA. So the result is no one can directly connect to the router externally via SSH, but I can still SSH into our router internally using local accounts.
It seems that I can't selectively block SSH traffic without AAA, and I can't log in with a local account with AAA.
This seems to me like it should be very simple to configure.
Current configuration : 5161 bytes
!
! Last configuration change at 21:52:47 UTC Wed Jul 24 2019 by <redact>
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR4431
!
boot-start-marker
boot system bootflash:/isr4400-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 <redact>
!
aaa new-model
!
aaa session-id common
!
ip vrf Internet
 rd 2:2
!
ip vrf MPLS
 rd 1:1
!
ip domain name <redact>
!
subscriber templating
multilink bundle-name authenticated
!
license udi pid ISR4431/K9 sn <redact>
license boot level securityk9
!
spanning-tree extend system-id
!
username <redact> access-class 15 secret 8 <redact>
username <redact> access-class 15 secret 8 <redact>
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 description LAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address 10.92.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0/0/2
 description WAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address <redact> <redact>
 negotiation auto
!
interface GigabitEthernet0/0/3
 description WAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address <redact>
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip ssh version 2
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   udp any eq 22 any
access-list 101 deny   tcp any eq 22 any
access-list 101 permit ip any any
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
!
07-24-2019 01:42 PM - last edited on 01-22-2023 10:18 PM by Translator
Hello,
If you don't want to use AAA, you need to configure 'login local' on the lines and define local user accounts:
username admin privilege 15 password 0 cisco
line vty 0 4
 access-class Limit_SSH in
 access-class Limit_SSH out
 login local
 transport input ssh
 transport output ssh
line vty 5 15
access-class Limit_SSH in
access-class Limit_SSH out
login local
transport input ssh
transport output ssh
07-24-2019 02:18 PM
Hi there,
@Georg Pauwen's answer is correct, but if you did want to use AAA, then you simply need to create an AAA method which uses the local user store only:
!
username foo priv 15 secret bar
!
aaa authentication login LOCAL_ONLY local
!
line vty 0 4
login authentication LOCAL_ONLY
access-class Limit_SSH in
!
cheers,
Seb.
07-25-2019 08:26 AM - edited 07-25-2019 08:35 AM
Weird, so I removed AAA and I can't SSH from 192.168.1.0/24; I get a connection refused.
WTF am I missing? The hops from the endpoint to that router are 192.168.1.148 > 192.168.1.100 (another router) > 10.92.1.254 (the ISR).
Do I need to remove the SSH "in" policy or something?
07-25-2019 09:00 AM - last edited on 01-22-2023 10:21 PM by Translator
Wow, this is infuriating...
I have made the most basic vty config I can think of, and the second I add an access-list via the access-class command I get a connection refused.
line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
 transport output none
line vty 5 15
 login local
 transport input ssh
 transport output none
Here is the access-list, which should have an implied deny all at the end.
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
And I am adding the following line to the vty lines when it fails:
access-class 1 in
07-25-2019 09:16 AM
Also, I forgot to mention I tried both listed methods and they did not work.
07-25-2019 09:42 AM
Figured it out...
This router is using VRFs, and when you are using VRFs you need to add vrf-also to the vty lines or else it will not route correctly.
access-class Limit_SSH in vrf-also
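A way to catch the three pitfalls this thread runs into before they bite, as an added example that is not part of the thread or of any Cisco tool: a small Python audit over a running-config excerpt. The excerpt in SAMPLE_CONFIG is constructed to mirror the posted config (VRFs defined, vty 0 4 with only an outbound access-class, vty 5 15 with an inbound access-class but no vrf-also, and ACL 101 written with "eq 22" on the source side); it is not the poster's exact file, and FIXED_CONFIG is my own rendering of the vty section after the accepted fix. The audit flags a vty line with no inbound access-class (the point Rick raises), an inbound access-class without vrf-also on a router that defines VRFs (the accepted fix), and an extended ACE whose "eq 22" qualifies the source port rather than the destination, which is why ACL 101 as written would never match inbound SSH even if it were applied. The function and variable names are mine.

```python
import re
import sys

# Constructed IOS config excerpt modelled on the posted one (an assumption,
# not the poster's exact running-config): VRFs are defined, vty 0 4 has only
# an outbound access-class, vty 5 15 has an inbound one without vrf-also, and
# ACL 101 puts 'eq 22' on the source side.
SAMPLE_CONFIG = """\
ip vrf Internet
 rd 2:2
ip vrf MPLS
 rd 1:1
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
access-list 101 deny   udp any eq 22 any
access-list 101 deny   tcp any eq 22 any
access-list 101 permit ip any any
line vty 0 4
 access-class Limit_SSH out
 transport input ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
"""

# The vty section as the thread's accepted fix leaves it (my rendering).
FIXED_CONFIG = """\
ip vrf Internet
 rd 2:2
line vty 0 15
 access-class Limit_SSH in vrf-also
 transport input ssh
"""


def line_blocks(config):
    """Map each 'line <name>' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the block
    return blocks


def uses_vrf(config):
    """True if the config defines a VRF in either IOS syntax."""
    return any(re.match(r"(ip vrf|vrf definition) \S+", ln) for ln in config.splitlines())


def audit_vty(config):
    """Flag vty lines that leave inbound SSH unrestricted or VRF-unaware."""
    findings = []
    vrf = uses_vrf(config)
    for name, body in line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        inbound = [c for c in body if re.match(r"access-class \S+ in\b", c)]
        if not inbound:
            findings.append(f"line {name}: no inbound access-class, so any source "
                            f"that can reach the router may attempt SSH")
        for c in inbound:
            if vrf and "vrf-also" not in c:
                findings.append(f"line {name}: '{c}' lacks vrf-also; sessions arriving "
                                f"on a VRF interface are refused even from permitted sources")
    return findings


def audit_port_acls(config, port="22"):
    """Flag numbered extended ACEs whose 'eq <port>' qualifies the source, not the destination."""
    findings = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] not in ("tcp", "udp"):
            continue
        i = 4  # source is 'any', 'host A' or 'A WILDCARD'
        i += 1 if tok[i] == "any" else 2
        if i + 1 < len(tok) and tok[i] == "eq" and tok[i + 1] == port:
            findings.append(f"{raw.strip()}: 'eq {port}' matches the SOURCE port; "
                            f"to match inbound SSH it must follow the destination")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_vty(text) + audit_port_acls(text):
        print("FINDING:", finding)
    print("fixed vty section:", audit_vty(FIXED_CONFIG) or "clean")
```

Run it as a script against saved "show running-config" output, or import it and call audit_vty and audit_port_acls; an empty list means nothing was flagged. The vrf-also check reflects the documented behaviour of "access-class ... in": without the keyword, a connection arriving on an interface that belongs to a VRF is refused even when its source address is permitted by the ACL, which matches the "connection refused" seen when SSHing to 10.92.1.254 on the MPLS VRF.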
07-25-2019 09:53 AM
Thanks for the update. Glad to know that you found the solution to your problem. We should have noticed the VRF use.
HTH
Rick
07-25-2019 09:47 AM - last edited on 01-22-2023 10:23 PM by Translator
The original post had access-class applied out but not in for vty 0 4, and that was a problem that would have allowed incoming SSH. But I am not clear why the more recent config, which uses a numbered standard access list and applies it "in", is not working. Are you sure that your SSH request has its source address in either 10.92.1.0/24 or 192.168.1.0/24?
Just to be sure that I am understanding the situation correctly: in the current config, without configuring access-class 1 in, SSH is successful. But when you configure access-class 1 in on the vty, SSH fails?
HTH
Rick