Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following IP addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet, just .1-.50.
Thank you,
Thomas Reiling
Hi there,
If using SSH, make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet barrier.
To get it exactly:
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad
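The answer above hand-computes the wildcard-mask blocks for .1-.50. As an added example (not Brad's or the thread's own code), the Python below generalises that step: it splits any inclusive IPv4 range into the aligned blocks a Cisco standard ACL needs, renders the `access-list` lines in the same form as the answer, and then evaluates sample source addresses against the list with first-match wildcard semantics so you can confirm the ACL admits exactly the intended management hosts and nothing else. It uses only the standard-library `ipaddress` module; the function names and the sample addresses are mine.

```python
"""
Added example: derive Cisco standard-ACL entries (address + wildcard) that
cover an inclusive IPv4 range, and verify coverage with a first-match
evaluator. Not code from the forum thread; function names are assumptions.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]  # (base address, wildcard mask) as dotted strings


def range_to_wildcard_entries(first: str, last: str) -> List[Entry]:
    """Split [first, last] into the minimal aligned power-of-two blocks.
    ipaddress.summarize_address_range does exactly that split; each block's
    hostmask is the Cisco wildcard (the bitwise inverse of the netmask)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first must not be greater than last")
    return [
        (str(net.network_address), str(net.hostmask))
        for net in ipaddress.summarize_address_range(lo, hi)
    ]


def render_standard_acl(number: int, entries: List[Entry],
                        remark: str = "ALLOW MANAGEMENT") -> List[str]:
    """Render the entries in IOS 'access-list <n> ...' form, with an explicit
    logged deny at the end (the implicit deny would drop silently)."""
    lines = [f"access-list {number} remark {remark}"]
    for addr, wildcard in entries:
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} permit host {addr}")
        else:
            lines.append(f"access-list {number} permit {addr} {wildcard}")
    lines.append(f"access-list {number} deny any log")
    return lines


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the packet's bit must equal the base address's bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(source: str, entries: List[Entry]) -> bool:
    """First-match evaluation of the permit entries; anything that matches
    no entry falls through to the trailing deny."""
    return any(wildcard_match(source, base, wc) for base, wc in entries)


def coverage_is_exact(first: str, last: str, entries: List[Entry]) -> bool:
    """True if every address in [first, last] is permitted and the two
    neighbouring addresses just outside the range are not."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    inside = all(acl_permits(str(ipaddress.IPv4Address(i)), entries)
                 for i in range(lo, hi + 1))
    outside = not acl_permits(str(ipaddress.IPv4Address(lo - 1)), entries) \
        and not acl_permits(str(ipaddress.IPv4Address(hi + 1)), entries)
    return inside and outside


if __name__ == "__main__":
    # Constructed sample: the thread's management range.
    exact = range_to_wildcard_entries("192.168.200.1", "192.168.200.50")
    print("\n".join(render_standard_acl(1, exact)))
    # Starting from .0 (as the answer does) collapses the first blocks.
    from_zero = range_to_wildcard_entries("192.168.200.0", "192.168.200.50")
    print("\n".join(render_standard_acl(1, from_zero)))
    # The 'simpler' single /26 block admits .51-.63 as well.
    wide = [("192.168.200.0", "0.0.0.63")]
    print("/26 permits .63:", acl_permits("192.168.200.63", wide))
```

Starting the range at .1 rather than .0 costs eight entries instead of four, because .1 is not aligned to any block; the answer's version starting at .0 produces exactly its four permit lines and only adds the unusable network address. `coverage_is_exact` is the check worth running before pasting any such list onto `line vty`: it catches both a missed host and the over-permissive single-block shortcut.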
Similar Messages
-
Hello,
any suggestions why the following ACL will not apply?
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny udp any host 192.168.155.18
access-list 100 deny tcp any host 192.168.155.18
access-list 100 permit ip any any
interface GigabitEthernet0/2.16
description Subnetz 192.168.155.16/28
encapsulation dot1Q 16
ip address 192.168.155.17 255.255.255.240
ip access-group 100 in
The server 192.168.155.18 should only answer requests on port 53 (TCP and UDP). The IOS image is c7200-jk9s-mz.124-25c.bin. With this access-list applied I can still connect through any other port, like SSH and so on.
Thanks,
Thomas
Hi Rick,
No, there is no NAT or other things turned on on this device.
Router#sh ip access-list 100
Extended IP access list 100
10 permit udp any host 192.168.155.18 eq domain (379 matches)
20 permit tcp any host 192.168.155.18 eq domain (5 matches)
30 permit tcp any host 192.168.155.18 established (1 match)
40 deny udp any host 192.168.155.18 (788 matches)
50 deny tcp any host 192.168.155.18 (79 matches)
60 permit ip any any (562 matches)
Router#sh ip int gi0/2.16
GigabitEthernet0/2.16 is up, line protocol is up
Internet address is 192.168.155.17/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is enabled
IP CEF switching is enabled
IP Flow switching turbo vector
IP Flow CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Reminder: 192.168.155.18 is a fictitious IP address; it was changed only for this post.
Thanks,
Thomas -
Hi,
I want to create an access-list that will allow any host to SSH to the Management address of a switch, but only the Management address. Does this look like a clean way to do this?
ip access-list extended SSH_ACCESS
permit udp Management VLAN ip any eq 22
permit tcp Management VLAN ip any eq 22
deny udp any other switch ips eq 22
deny tcp any other switch ips eq 22
permit ip any any
line vty 0 15
ip access-group SSH_ACCESS
Thank you, Pat.
Hi
In IOS Version 12.4 it works like that only. Can anyone try this in IOS version 15?
R2#
R2#sh ip int br | i up
FastEthernet0/0 192.168.10.2 YES manual up up
R2#
R2#
R2#telnet 192.168.10.1 /so fa0/0
Trying 192.168.10.1 ... Open
R1#
R1#
R1#sh ip access-list 100
Extended IP access list 100
10 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet log
20 permit tcp host 192.168.10.2 any eq telnet log (8 matches)
30 permit tcp any any eq telnet log
R1#
R1#
R1#
R1#sh ver | i Version
Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
R1# -
Hi,
Can somebody explain to me when to use the "established" keyword at the end of an access-list?
"established" is a keyword used in the automatically generated ACLs for TCP return connections.
Check this URL to get more information:
http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
Hope it helps ... rate if it does ... -
So we have a NAC in our lab, set up as L3 OOB. We have a VLAN set up for internet-only access. A route map is configured on the CORE to send the internet-only traffic back to the NAC for restrictions (to mimic the inband solution). In our unauthenticated role policy, we set up the access list on a VLAN to only access the internet and block internal addresses. The weird thing is, the access list on the NAC works on any internal addresses, but when the PC pings/telnets the CORE itself (and any mgmt IP addresses) it works. Anybody know the reason why? I'm sure a workaround is to put an ACL on the CORE itself to block that.
Hope my drawing is enough to assist.
CORE--------l3 switch--------pc
|
|
|
NAC
That's a great idea - the ACL on the management interfaces of the devices.
Is the ACL for the unauthenticated role on the L3 switch or the Core?
I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
peter -
Hi,
I have an access-list with the following line...
permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors
I also show a crypto ipsec sa which doesn't correspond directly to my access-list. This is the second time I've seen this... is there any part of IPsec where the access-lists are shared with the other end? I didn't think so, but I'm not sure how we got this, if not.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#send errors 0, #recv errors 0
Thanks!!
Can you post the configuration from this device?
Regards,
Arul -
Simple MAC access control question on 5508
We are forced to rush an installation of a WLC 5508 for various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straightforward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and an interface setting. I need to have each MAC be able to access several WLANs but not all of them. Can anyone point me to an article or give me a quick idea of what I can do?
I have basic WLANs configured and have MAC filtering generally working. I cannot just use user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all WLANs and I do not want to rely on the user.
Thank you
Looks like it is applicable only if AAA is configured for that WLAN.
– interface_name
—The name of the interface. This interface name is used to override the interface configured to the WLAN.
Note You must have AAA enabled on the WLAN to override the interface name.
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wpmkr1222223 -
Simple Spark Dropdown List Question
Hello,
In my interface, I have a drop down list. When the user changes the value, I'm trying to throw up an alert window ( 'are you sure...') because the change has a ripple effect. Everything works fine except when the user makes their selection from the Alert window, the dropdown list stays open. I've tried the 'closeDropDown' method, but that doesn't seem to work. I thought it might be because of the Alert control, but I'm not sure.
Any help or a nudge in the right direction to where I can find an answer would be appreciated.
First, thanks for responding.
I was throwing up the alert window on the 'change' (and also, unsuccessfully, the 'changing') event of the drop down list. After reading your response, I tried throwing it up on the 'close' event of the dropdown list, which worked. -
Here is an access list; I want to know if I can "clean up":
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
access-list outside_access_in extended permit object RDP any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit object RDP any object FileServer
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
access-list outside_access_in_1 extended permit icmp any object DattoDevice
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical? I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......
Hi,
To my understanding the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
show run access-group
You could add the same lines from the old ACL to the new ACL with the "_1" at the end, but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
The second ACL line might be in the new ACL. I am not sure, as it contains "object" configurations which hold the IP addresses that I can't see.
Same goes for the third line of the ACL. It contains an "object" configuration, though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts, but with this information I can not say what's the case.
The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore, as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
You can check what is in use with the command
show run crypto map
Hope this helps :)
- Jouni -
A simple report to list security access on all folders
Hi there
I want a simple report to list security access on all folders (group wise)
any help ...??
Thanks.
Rakesh.
Hi AnTiiiKa,
For this issue, you can first retrieve all the users on the site, then get all permissions of each user. With this PowerShell script you could retrieve all permissions for a specific user for a site collection on all webs and subwebs, lists and items. Here is an article about how to get all roles and groups from the user and the URL.
SharePoint SP2010 - Retrieve all User Permissions via PowerShell:
http://sp2010userperm.codeplex.com/
Save the report to a CSV (Excel file):
$web = Get-SPWeb http://address/site/site/site
$user = $web.AllUsers
Get-SPWeb YOURURL | Get-SPUserEffectivePermissions $user | Export-Csv -NoTypeInformation -Path c:\perms.csv
Please inform me freely if you have any questions.
Thanks -
ASR 5000 access list for ssh and telnet
Dears,
how can we apply an access list for telnet and ssh on asr 5k ?
please advise if this is feasible.
thx.
Hello Joseph,
Sorry for the delay in response.
To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
For example:
config
context local
no server telnetd
#exit
System Administration Guide of the relevant version will give you detailed information in this regard.
Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
You can find other guides here: http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
Hope this helps..
Regards
Aneesh -
Questions on Reflexive Access Lists
Hi Sir,
I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
The config on the core router is as follows:
int Vlan10
description *** Server Farm ***
ip address 172.16.10.1 255.255.255.0
ip access-group inboundfilters in
ip access-group outboundfilters out
int Vlan20
description *** Marketing Department ***
ip address 172.16.20.1 255.255.255.0
int Vlan30
description *** Engineering Department ***
ip address 172.16.30.1 255.255.255.0
ip access-list extended outboundfilters
permit tcp any any eq telnet
permit tcp any any eq smtp
evaluate iptraffic
ip access-list extended inboundfilters
permit ip any any reflect iptraffic
My questions:
(1) I have yet to test the above config on an actual router. However, is it correct theoretically?
(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
(3) If you have other better feature options that meet my requirements, please do recommend.
Please advise.
Thank you.
B.Rgds,
Lim TS
Hi Lim,
CBAC is good as well, considering the following features:
1. Traffic Filtering:
- filters TCP and UDP packets based on application-layer protocol session information.
- permits specified TCP and UDP traffic through a firewall when the connection is initiated from the inside protected network, or the outside network.
2. Traffic Inspection
- discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
- Protects against DoS attacks by checking/verifying the sequence number (must be within the expected range) and discarding unknown packets. Same goes for attacks via fragmented IP.
3. Alerts and Audit Trails
- can send real-time alerts and audit trails to syslog server (or buffer log)
4. Intrusion Detection
- Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
Limitations:
1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.
2. No protection for attacks originating from the internal network, unless you have firewall (PIX/ASA/IOS-firewall) protection.
3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures
For spoofing protection, i.e. spoof attacks from the outside/common user segment, maybe you should apply RFC2827 (prevent IPs on the protected segment from coming back into that segment from outside). Make sure your ACL has the 'established' keyword as well. As recommended by Cisco, you should apply multiple layers of security protection both on your router and on other devices connected to it.
Cheers! -
WS-C3524-XL-EN , mac access-list , ssh ..
Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), running the latest IOS, support SSH and MAC access-lists to secure the port by MAC?
thanks
There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for 3550 and look for the link.
-
Access-list port range question
Hi,
I would like to clarify the exact operation of the below command:
ip access-list extended VoiceACL
permit udp any any range 16384 16387
Thus the range statement in the above access list specifies that it allows only three ports, "16384 to 16387". Is that correct? I'm a bit confused with this command. One of my friends said that the range statement does not just specify 3 ports, but specifies the starting port as 16384 and the end port number as 32771 [16384+16387].
[Value1] = starting port number
[Value2] + [Value1] = end port number
Thanks
Nachi
Hi Nachi,
This represents the ports ranging between the first number and the last number, both included; in your case this is actually 4 ports: 16384, 16385, 16386 and 16387.
Regards,
Raphael -
Hi All,
Am I correct in assuming the following ACL
access-list inside_nonat_acl extended permit ip host 8.8.8.8 host 10.10.10.10
permits all IP traffic from 8.8.8.8 to 10.10.10.10? I'm a little confused because of the nonat syntax in the ACL name.
Thanks
Hi, thanks for the reply,
I only have the .txt file so can't see if an interface has it applied. I don't understand what they have done, as one line may have
allow 443 access to e.g. 10.10.10.10 from 4.4.4.4
and then another line will have permit ip from 4.4.4.4 to 10.10.10.10
signed
Confused