Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ISO ACL Question

Posted on 2013-05-18
8
Medium Priority
?
377 Views
Last Modified: 2013-05-18
Good day,

I have a 3750 with layer 3 that is being used for some routing, so each of the VLANs has an IP.  I want to deny SSH and SNMP on all of the VLAN interfaces except for VLAN 5 in the example below.  (SSH/SNMP is permitted to targets within each of the VLANs, just not the interface). What am I missing in the code below?

I am open to suggestions, but unable to change the architecture at this point.  Thanks for your help

ip access-list extended Denyp-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161

interface vlan 2
 ip address 1.1.2.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 3
 ip address 1.1.3.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 5
 ip address 1.1.5.1 255.255.255.0 in

Open in new window

0
Comment
Question by:jchauncey60
  • 4
  • 2
  • 2
8 Comments
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177493
Try using "out"........ not "in".......

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP out

Your understanding of acl working for SVI is a bit flawed......
0
 

Author Comment

by:jchauncey60
ID: 39177613
Thanks for the reply, but no joy on the answer.  When I apply the ACL with 'out' I am still able to access the management console on that VLAN
0
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39177625
1) My bad.

2) Thank god it did not work. You would be thrown out of the switch then. Your acl has no permit statement at the end. So it's as good as deny ALL. There should have been a permit ip any any at the last of the ACL. (In the future put a permit statement if you are denying anything in acl. ACL has an implicit deny all at the last)

Hopefully following would solve your issue.

##############################
ip access-list extended Denyp-SSH-SNMP
(config-ext-nacl)#permit tcp any any eq 22
(config-ext-nacl)#permit udp any any eq 161
(config-ext-nacl)#permit tcp any any eq 161

(config-ext-nacl)#vlan access-map MY_DENY
(config-access-map)#action drop
(config-access-map)#match ip address Denyp-SSH-SNMP
(config-access-map)#vlan access-map MY_DENY
(config-access-map)#action forward
(config-access-map)#exit

(config)#vlan filter MY_DENY vlan-list 2,3,4,5  (OR you can use 2-5)
##########################

Router-based Access Control List doesn't work here. We need VLAN Access Control List.

Best,
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:jchauncey60
ID: 39177659
Thanks again for the reply, still not having joy.  After implementing the code below I can still access the ssh management server on VLAN 39,40,221,496.  (It also still works on my other VLANs, 640-643 which is ok).  Other suggestions, I do appreciate the assistance?


ip access-list extended Deny_SSH_PublicIP
permit tcp any host 10.2.211.1 eq 22
permit tcp any host 10.2.212.1 eq 22
permit tcp any host 10.2.213.1 eq 22
permit tcp any host 10.2.221.1 eq 22
permit tcp any host 10.2.225.65 eq 22
exit



vlan access-map VACL_STOP_SSH_PublicIP
action drop
match ip address Deny_SSH_PublicIP
vlan access-map VACL_STOP_SSH_PublicIP
action forward
exit


vlan filter VACL_STOP_SSH_PublicIP vlan-list 39,40, 221, 496

Open in new window

0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39177665
Create an ACL for SSH access to the switch and configure it on the vty lines instead of the SVIs.

Create an ACL for SNMP and apply it to the SNMP string you've configured on the switch.
0
 

Author Comment

by:jchauncey60
ID: 39177685
Craig, thanks for the response.  Can you give me an example?
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39177715
access-list 1 remark ACL for SSH
access-list 1 permit 1.1.5.0 0.0.0.255
!
access-list 2 remark ACL for SNMP
access-list 2 permit host 1.1.5.10
!
snmp-server community READ RO 2         !(this tells the SNMP string to only answer to access-list 2)
!
line vty 0 4
 transport input ssh
 access-class 1 in           !(this tells the vty lines 0-4 to use access-list 1)

Open in new window


access-list 1 will allow any host on VLAN5 to use SSH to connect to the switch.  You can allow the whole subnet (as in my example) or you can specify hosts to allow.

access-list 2 will allow only host 1.1.5.10 to connect to the switch using the READ SNMP string.

Even though we're not applying the ACLs to all the interfaces, the switch will drop all traffic from hosts not mentioned in the ACL due to the implicit deny rule at the end of the ACL.  We're tying the ACL to the protocol, so it's not interface-dependent.
0
 

Author Comment

by:jchauncey60
ID: 39177739
Craig, thanks again.  This is not exactly what I was wanting to do (allow access to VLAN 643 from anywhere) but accomplishes the task so the network scanner cannot see the open SSH port on the public IP addresses (the listed VLANs are public).

Thanks for your assistance on this...have a great day.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question