cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1518
Views
15
Helpful
8
Replies

Block External SSH and Login Without aaa

Zygodactyl
Level 1
Level 1

So I can't seem to figure out how to do this. 

On an perimeter router I just want to block any incoming SSH traffic to the router except from three internal subnets. Then i also want to authenticate with a local account and not leverage aaa. so the result is not one can directly externally connect to the router via SSH but i can still SSH into our router internally using local accounts. 

it seems that i can't selectively block SSH traffic without aaa and I can't login with local account with aaa.

This seems to me that this should be very simple to configure. 

 

 

Current configuration : 5161 bytes
!
! Last configuration change at 21:52:47 UTC Wed Jul 24 2019 by <redact>
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR4431
!
boot-start-marker
boot system bootflash:/isr4400-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 <redact>
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
ip vrf Internet
 rd 2:2
!
ip vrf MPLS
 rd 1:1
!
!
!

ip domain name <redact>
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4431/K9 sn <redact>
license boot level securityk9
!
spanning-tree extend system-id
!
username <redact> access-class 15 secret 8 <redact>
username <redact> access-class 15 secret 8 <redact>
!
redundancy
 mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description LAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address 10.92.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0/0/2
 description WAN-VRF-MPLS
 ip vrf forwarding MPLS
 ip address <redact> <redact>
 negotiation auto
!
interface GigabitEthernet0/0/3
 description WAN-VRF-Internet
 ip vrf forwarding Internet
 ip address <redact>
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address <redact>
 negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0

ip ssh version 2
!
!
ip access-list standard Limit_SSH
 permit 10.92.1.0 0.0.0.255
 permit 10.91.3.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 deny   any
!
access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny   udp any eq 22 any
access-list 101 deny   tcp any eq 22 any
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
line vty 5 15
 access-class Limit_SSH in
 access-class Limit_SSH out
 transport input ssh
 transport output ssh
!
1 Accepted Solution

Accepted Solutions

figured it out....

 

This router is using vrf's and when you are using vrf's you need to add vrf-also to the vty lines or else it will not route correctly. 

 

access-class Limit_SSH in vrf-also

View solution in original post

8 Replies 8

Hello,

 

if you don't want to use aaa, you need to configure 'login local' on the lines and define local user acounts:

 

username admin privilege 15 password 0 cisco

line vty 0 4
access-class Limit_SSH out

login local
transport input ssh
transport output ssh
line vty 5 15
access-class Limit_SSH in
access-class Limit_SSH out

login local
transport input ssh
transport output ssh

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

@Georg Pauwen answer is correct, but if you did want to use AAA, then you simply need to create a AAA method which uses the local user store only:

!
username foo priv 15 secret bar
!
aaa authentication login LOCAL_ONLY local
!
line vty 0 4
login authentication LOCAL_ONLY
access-class Limit_SSH in
!

cheers,

Seb.

Weird so i removed aaa and i can't ssh from 192.168.1.0/24 i get a connection refused

 

wtf am i missing, the hops from endpoint to that router are 192.168.1.148 > 192.168.1.100 another router > 10.92.1.254 the ISR

 

Do i need to remove the SSH in policy or something? 

wow this is infuriating...

 

i have made the most basic vty config i can think of. and the second i add a

access-list

via the

access-class

command i get a connection refused 

line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
 transport output none
line vty 5 15
 login local
 transport input ssh
 transport output none

 

here is the

access-list

which should have a implied deny all at the end.

 

access-list 1 permit 10.92.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255

and i am adding the following line to the vty lines when it fails

access-class 1 in

also forgot to mention i tried both listed methods and it did not work. 

figured it out....

 

This router is using vrf's and when you are using vrf's you need to add vrf-also to the vty lines or else it will not route correctly. 

 

access-class Limit_SSH in vrf-also

Thanks for the update. Glad to know that you found the solution to your problem. We should have noticed the vrf use.

 

HTH

 

Rick

HTH

Rick

The original post had

access-class

applied out but not in for vty 0 4 and that was a problem that would have allowed incoming SSH. But I am not clear why the more recent config which uses a number standard

access list

and applies it "in" is not working. Are you sure that your SSH request has its source address as either 10.92.1.0/24 or 192.168.1.0/24?

 

Just to be sure that I am understanding the situation correctly, in the current config without configuring

access-class 1

in then SSH is successful. But when you configure

access-class 1

in on the vty then SSH fails?

 

HTH

 

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: