Solved

Cisco IOS ACL Question

Posted on 2013-05-18
383 Views
Last Modified: 2013-05-18
Good day,

I have a 3750 with layer 3 that is being used for some routing, so each of the VLANs has an IP.  I want to deny SSH and SNMP on all of the VLAN interfaces except for VLAN 5 in the example below.  (SSH/SNMP is permitted to targets within each of the VLANs, just not the interface). What am I missing in the code below?

I am open to suggestions, but unable to change the architecture at this point.  Thanks for your help.

ip access-list extended Denyp-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161

interface vlan 2
 ip address 1.1.2.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 3
 ip address 1.1.3.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP in

interface vlan 5
 ip address 1.1.5.1 255.255.255.0


Question by:jchauncey60


Expert Comment

by:surbabu140977
ID: 39177493
Try using "out", not "in".

interface vlan 4
 ip address 1.1.4.1 255.255.255.0
 ip access-group Deny-SSH-SNMP out

Your understanding of how an ACL works on an SVI is a bit flawed.


Author Comment

by:jchauncey60
ID: 39177613
Thanks for the reply, but no joy on the answer.  When I apply the ACL with 'out' I am still able to access the management console on that VLAN.


Expert Comment

by:surbabu140977
ID: 39177625
1) My bad.

2) Thank god it did not work; you would have been thrown out of the switch. Your ACL has no permit statement at the end, so it is as good as deny ALL. There should have been a "permit ip any any" at the end of the ACL. (In future, put a permit statement if you are denying anything in an ACL; an ACL has an implicit deny all at the end.)

Hopefully following would solve your issue.

! In a VLAN map the matched ACL selects traffic, so "permit" here means
! "this traffic matches" and the map's action (drop) is applied to it.
ip access-list extended Denyp-SSH-SNMP
 permit tcp any any eq 22
 permit udp any any eq 161
 permit tcp any any eq 161
!
vlan access-map MY_DENY 10
 action drop
 match ip address Denyp-SSH-SNMP
vlan access-map MY_DENY 20
 action forward
!
! (or you can use vlan-list 2-5)
vlan filter MY_DENY vlan-list 2,3,4,5

A router-based access control list doesn't work here; we need a VLAN access control list.

Best,

Author Comment

by:jchauncey60
ID: 39177659
Thanks again for the reply, still not having joy.  After implementing the code below I can still access the SSH management server on VLANs 39, 40, 221 and 496.  (It also still works on my other VLANs, 640-643, which is OK.)  Any other suggestions?  I do appreciate the assistance.


ip access-list extended Deny_SSH_PublicIP
 permit tcp any host 10.2.211.1 eq 22
 permit tcp any host 10.2.212.1 eq 22
 permit tcp any host 10.2.213.1 eq 22
 permit tcp any host 10.2.221.1 eq 22
 permit tcp any host 10.2.225.65 eq 22
!
vlan access-map VACL_STOP_SSH_PublicIP 10
 action drop
 match ip address Deny_SSH_PublicIP
vlan access-map VACL_STOP_SSH_PublicIP 20
 action forward
!
vlan filter VACL_STOP_SSH_PublicIP vlan-list 39,40,221,496


Expert Comment

by:Craig Beck
ID: 39177665
Create an ACL for SSH access to the switch and configure it on the vty lines instead of the SVIs.

Create an ACL for SNMP and apply it to the SNMP string you've configured on the switch.

Author Comment

by:jchauncey60
ID: 39177685
Craig, thanks for the response.  Can you give me an example?

Accepted Solution

by: Craig Beck (earned 2000 total points)
ID: 39177715
access-list 1 remark ACL for SSH
access-list 1 permit 1.1.5.0 0.0.0.255
!
access-list 2 remark ACL for SNMP
access-list 2 permit host 1.1.5.10
!
! this tells the SNMP string to only answer to sources permitted by access-list 2
snmp-server community READ RO 2
!
line vty 0 4
 transport input ssh
 ! this tells the vty lines 0-4 to use access-list 1
 access-class 1 in


access-list 1 will allow any host on VLAN5 to use SSH to connect to the switch.  You can allow the whole subnet (as in my example) or you can specify hosts to allow.

access-list 2 will allow only host 1.1.5.10 to connect to the switch using the READ SNMP string.

Even though we're not applying the ACLs to all the interfaces, the switch will drop all traffic from hosts not mentioned in the ACL due to the implicit deny rule at the end of the ACL.  We're tying the ACL to the protocol, so it's not interface-dependent.
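Two properties of IOS ACLs drive this thread: entries are evaluated first match wins, and every list ends with an implicit deny, which is why the posted list with no permit amounts to deny-all, as noted in the second expert comment. The accepted answer then moves the control off the SVIs onto standard, source-only lists bound to the vty lines and the SNMP community. The following Python is an added example, not code from the thread or from Cisco: a small parser and evaluator for the ACL syntax used above, run over the SVI list exactly as posted in the question, over an assumed correction of my own (deny SSH/SNMP only when the destination is the VLAN 2 SVI address 1.1.2.1, then permit ip any any; shown for one SVI), and over the accepted answer's access-list 1 and 2. The test packets and source addresses are constructed. The simulator models only the matching logic, not where IOS applies a list (SVI, vty or SNMP agent) or the 3750's hardware behaviour.

```python
"""Simulated Cisco IOS ACL evaluation (added example, not code from the thread).
Models first-match evaluation and the implicit deny IOS appends to every list,
for extended ACLs (ip access-group on an SVI) and standard, source-only ACLs
(access-class on vty lines, snmp-server community). Matching only; it does not
model where IOS applies a list. All addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "snmp": 161, "www": 80, "telnet": 23}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: Optional[str]            # None for a standard (source-only) entry
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens).
    An IOS wildcard is an inverse mask, so XOR it back into a netmask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse named or numbered ACL lines into Entry objects, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:       # numbered form: drop 'access-list N'
            tokens = tokens[2:]
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue                            # header, remark or comment line
        if tokens[1] in ("ip", "tcp", "udp", "icmp"):        # extended syntax
            src, rest = _parse_addr(tokens[2:])
            dst, rest = _parse_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:              # port keyword follows the destination
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            entries.append(Entry(tokens[0], tokens[1], src, dst, dport))
        else:                                                  # standard syntax
            entries.append(Entry(tokens[0], None, _parse_addr(tokens[1:])[0], None, None))
    return entries

def evaluate(entries, pkt):
    """Return (decision, index of the matching entry); index None = implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for i, e in enumerate(entries):
        if src not in e.src:
            continue
        if e.proto is not None:                 # extended entry: check the rest too
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if dst not in e.dst:
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
        return e.action, i
    return "deny", None

# The SVI list exactly as posted in the question: three denies and no permit.
POSTED_SVI_ACL = """
ip access-list extended Deny-SSH-SNMP
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny udp any any eq 161
"""

# Assumed correction (mine, not the thread's), for the VLAN 2 SVI only: deny
# SSH/SNMP only when the destination is the switch's own address, then permit
# everything else so routed and intra-VLAN traffic keeps flowing.
CORRECTED_SVI_ACL = """
ip access-list extended Deny-SSH-SNMP
 deny tcp any host 1.1.2.1 eq 22
 deny tcp any host 1.1.2.1 eq 161
 deny udp any host 1.1.2.1 eq 161
 permit ip any any
"""

# The accepted answer's standard lists for the vty lines and the SNMP community.
VTY_ACL = "access-list 1 permit 1.1.5.0 0.0.0.255"
SNMP_ACL = "access-list 2 permit host 1.1.5.10"

# Constructed traffic from a host on VLAN 2.
SSH_TO_SVI = Packet("tcp", "1.1.2.20", "1.1.2.1", 22)      # should be blocked
SSH_TO_HOST = Packet("tcp", "1.1.2.20", "1.1.2.50", 22)    # must keep working
WEB_OUT = Packet("tcp", "1.1.2.20", "198.51.100.7", 80)     # unrelated traffic

if __name__ == "__main__":
    for name, text in (("posted", POSTED_SVI_ACL), ("corrected", CORRECTED_SVI_ACL)):
        print(name, [evaluate(parse_acl(text), p) for p in (SSH_TO_SVI, SSH_TO_HOST, WEB_OUT)])
```

Each result is the decision plus the index of the entry that produced it; None means the packet fell through to the implicit deny. With the list as posted, the first entry also denies SSH to 1.1.2.50, a host inside the VLAN, which the question says must keep working, and ordinary web traffic is dropped by the implicit deny. With the corrected list only SSH/SNMP to 1.1.2.1 is denied. For the accepted answer's lists, a source in 1.1.5.0/24 is permitted by access-list 1 and any other source falls to the implicit deny, which is the behaviour the answer's last paragraph describes.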

Author Comment

by:jchauncey60
ID: 39177739
Craig, thanks again.  This is not exactly what I was wanting to do (allow access to VLAN 643 from anywhere), but it accomplishes the task so the network scanner cannot see the open SSH port on the public IP addresses (the listed VLANs are public).

Thanks for your assistance on this...have a great day.