07-29-2020 03:40 PM
Is there a way to lock down management access to a Cisco SD-WAN device, similar to using access lists on VTY ports on IOS routers? We are trying to harden our vEdge 1000s.
Thanks,
08-01-2020 05:31 AM - edited 08-01-2020 05:34 AM
Like in IOS routers, ACLs can also be configured and applied to vEdge WAN interfaces for access control.
It could be something like this.
policy
 access-list AllowManagement
  sequence 10
   match
    source-ip (Source IP for SSH Management)
   !
   action accept
    count ManagementPackets
   !
  !
  sequence 20
   match
    destination-port 22
   !
   action drop
    count ssh_drop
   !
  !
  default-action accept
 !
!
------------------------
vpn 0
 interface ge0/0
  description "Wan Interface"
  access-list AllowManagement in
 !
!
-------------------------------------
Please check the following URL for more detail.
08-01-2020 09:07 AM - edited 08-01-2020 09:09 AM
By default, TLS and IPSec are the only ones allowed on the Transport side, for example, apart from protocols vEdge needs for ZTP/PnP Connect. Given this, the device is in "lockdown" even after deployment unless a policy on vManage has SSH services permitted.
Check "Serviceability for Next Generation SD-WAN - BRKCRS-2112" at 1:12:44 in Cisco Live as well.
! From vEdge Default Configuration reference from Cisco
vpn 0
 interface ge2/0
  ip dhcp-client
  tunnel-interface
   encapsulation ipsec
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  !
  no shutdown
 !
!
vpn 512
 interface mgmt0
  ip address 192.168.1.1/24
  no shutdown
 !
Hope this helps, Tim. :)
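As an added example that is not part of this thread or of any Cisco tool, the following Python audit ties the two answers above together: it parses a vEdge-style VPN 0 configuration and reports any WAN interface whose tunnel-interface permits sshd or netconf while no inbound access-list is applied. The sample configuration is constructed, and the check assumes an applied inbound ACL is the intended mitigation (it does not inspect the ACL's sequences).

```python
import re

# Constructed sample config (not from the thread): ge0/0 permits sshd through the
# tunnel-interface with no inbound ACL; ge0/1 disables sshd and applies an ACL.
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec
   allow-service sshd
   no allow-service netconf
  !
 !
 interface ge0/1
  tunnel-interface
   encapsulation ipsec
   no allow-service sshd
   allow-service netconf
  !
  access-list AllowManagement in
 !
!
"""

MGMT_SERVICES = ("sshd", "netconf")

def audit_vpn0(config_text):
    """Return {interface: [services]} for VPN 0 interfaces that allow a
    management service on the tunnel-interface with no inbound access-list."""
    state, in_vpn0, iface = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"vpn \d+", line):       # new VPN block; only VPN 0 is transport
            in_vpn0, iface = (line == "vpn 0"), None
        elif not in_vpn0:
            continue
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
            state[iface] = {"allowed": set(), "acl_in": None}
        elif iface and (m := re.fullmatch(r"(no )?allow-service (\S+)", line)):
            if m.group(2) in MGMT_SERVICES:      # 'no allow-service X' removes X
                op = "discard" if m.group(1) else "add"
                getattr(state[iface]["allowed"], op)(m.group(2))
        elif iface and (m := re.fullmatch(r"access-list (\S+) in", line)):
            state[iface]["acl_in"] = m.group(1)
    return {name: sorted(s["allowed"]) for name, s in state.items()
            if s["allowed"] and s["acl_in"] is None}
```

Running `audit_vpn0(SAMPLE_CONFIG)` flags only ge0/0, since ge0/1 has an inbound ACL and the management VPN (vpn 512) is outside the transport side the thread is concerned with.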