Restricting telnet/ssh access to loopback address

Sep 21st, 2009

Hi,


I've been requested to restrict telnet/ssh access to the loopback address only.


I've been attempting to do this using access lists; however, the access lists either block access to all interfaces or allow access to no interfaces.


Any and all help in this is appreciated.


Below are the configs I have been trying. This is for telnet only.

! loopback address I want to restrict access to
interface Loopback0
 ip address 10.20.254.1 255.255.255.255

! interface not to be able to telnet to
interface FastEthernet0/0
 ip address 10.20.10.1 255.255.255.0

!access-list 101 in is applied to line vty 0 4
line vty 0 4
 access-class 101 in

!Below gets to both interfaces
access-list 101 perm tcp any any eq telnet
access-list 101 deny tcp any any

sh access-list 101
Extended IP access list 101
    10 permit tcp any any eq telnet (4 matches)
    20 deny tcp any any

!The below stopped both interfaces being accessed.
access-list 101 perm tcp any host 10.20.254.1 (loopback address) eq telnet
access-list 101 deny tcp any any

sh access-l 101
Extended IP access list 101
    10 permit tcp any host 10.20.254.1 eq telnet
    20 deny tcp any any (2 matches)

Joe Clarke Mon, 09/21/2009 - 17:23 (Cisco Employee, Hall of Fame, Founding Member)

You can do this with control-plane policing (CoPP). For example:

access-list 101 deny tcp any host 10.20.254.1 eq telnet
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any

class-map match-all matchtelnet
 match access-group 101

policy-map filtertelnet
 class matchtelnet
  drop

control-plane
 service-policy input filtertelnet


Note: the ACL above looks like the opposite of what you want, but really you're matching traffic you do NOT want, then dropping it in the policy-map.


The net effect will be that all TCP traffic is allowed to this device OTHER than tcp/23 traffic unless the destination address is 10.20.254.1.

boxhallbr Mon, 09/21/2009 - 18:50

Fantastic. I'm still trying to get my head around it but it works. Need to look at the backward logic.


Thanks for help.

boxhallbr Tue, 10/13/2009 - 16:27

Hi,


You supplied the above answer last month and, when I tested it on an 1841 router, it worked fine.


My problem is when I tried to apply it to a 3750 layer 3 switch. The drop command on the policy-map didn't take nor did the service-policy input command on the control-plane (output below).


Any and all help will be appreciated.


router(config-cmap)#policy-map filtertelnet
router(config-pmap)#class matchtelnet
router(config-pmap-c)#drop
                      ^
% Invalid input detected at '^' marker.

router(config-pmap-c)#
router(config-pmap-c)#control-plane
router(config-cp)#service-policy input filtertelnet
QoS: policymap is supported on physical, VLAN, and ES interfaces only
Service Policy attachment failed
error: failed to install policy map filtertelnet
router(config-cp)#

Joe Clarke Tue, 10/13/2009 - 16:42 (Cisco Employee, Hall of Fame, Founding Member)

Control-plane policing is not supported on the 3750 platform. This solution will not work there.

boxhallbr Tue, 10/13/2009 - 16:59

Thanks.


Is there any other way of restricting remote access to single interfaces on the 3750 switches?

Joe Clarke Tue, 10/13/2009 - 17:09 (Cisco Employee, Hall of Fame, Founding Member)

Interface ACLs are the only other way to go. Create an ACL that only permits telnet to the desired interface, then apply it to all IP interfaces on the switch.

boxhallbr Tue, 10/20/2009 - 15:23

Joe,


Tested the access list on a test box and it worked fine. Before I start applying it on all devices, I thought I would get you to have a quick look.


Does the below look correct?


Want to connect to IP address 10.1.112.5.


ip access-list extended RemoteAccess
 permit tcp any host 10.1.112.5 eq telnet
 deny tcp any any eq telnet
 permit ip any any

Then apply the access list

interface Vlan210
 ip address 10.2.112.5 255.255.252.0
 ip access-group RemoteAccess in
!
interface Vlan410
 ip address 10.1.112.5 255.255.252.0
 ip access-group RemoteAccess in
!


Thanks again for your help.

Joe Clarke Tue, 10/20/2009 - 15:26 (Cisco Employee, Hall of Fame, Founding Member)

This looks okay to me.
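Both working answers in this thread (the CoPP policy in Joe Clarke's first reply and the RemoteAccess interface ACL in the 3750 post just above) rely on ordinary first-match ACL evaluation, but "permit" means opposite things in the two: under CoPP a permitted packet is one the class-map matches and the policy-map drops, while under `ip access-group ... in` a permitted packet is forwarded. The Python model below is an added illustration, not code from the thread or from Cisco. It parses the two ACLs exactly as posted, evaluates constructed sample packets against them, and shows three things: telnet reaches only the intended address under both approaches; neither ACL as posted says anything about ssh (port 22), so ssh is still reachable on every interface; and the interface ACL, unlike CoPP, also filters traffic transiting the switch, so telnet to some other host behind the switch is dropped as well. The `Packet`/`Ace` classes, the sample source addresses and the transit destination 192.0.2.10 are all constructed for the demo; only the `any` / `host A.B.C.D` address forms and `eq <port>` qualifiers used in the thread are modelled (no wildcard masks, no `established`).

```python
"""First-match IOS ACL model comparing CoPP 'drop' semantics with an inbound
interface ACL. Added illustration, not Cisco code; handles only the ACL
syntax that appears in the thread."""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                    # "any" or a host address
    dst: str
    dport: Optional[int] = None  # None means "no eq <port> qualifier"


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit tcp any host 10.1.112.5 eq telnet'."""
    toks = line.split()
    action = {"perm": "permit"}.get(toks[0], toks[0])   # IOS accepts abbreviations
    proto = toks[1]
    pos = 2

    def address() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form: {toks[pos]}")

    src, dst = address(), address()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        port = toks[pos + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse a block of entries; blank lines and '!' comments are skipped."""
    acl = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            acl.append(parse_ace(line))
    return acl


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_result(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Joe Clarke's CoPP ACL: 'permit' marks traffic the policy-map will DROP.
COPP_ACL = parse_acl("""
deny tcp any host 10.20.254.1 eq telnet
permit tcp any any eq telnet
deny ip any any
""")

# The RemoteAccess ACL from the 3750 post: 'permit' means FORWARD.
IFACE_ACL = parse_acl("""
permit tcp any host 10.1.112.5 eq telnet
deny tcp any any eq telnet
permit ip any any
""")


def copp_forwards(acl: List[Ace], pkt: Packet) -> bool:
    """class-map 'match access-group' + 'drop': ACL-permitted == matched == dropped."""
    return acl_result(acl, pkt) != "permit"


def interface_acl_forwards(acl: List[Ace], pkt: Packet) -> bool:
    """'ip access-group <acl> in': only ACL-permitted packets are forwarded."""
    return acl_result(acl, pkt) == "permit"


if __name__ == "__main__":
    # Constructed sample packets; source addresses are made up for the demo.
    for name, pkt in [("telnet->loopback", Packet("tcp", "10.20.10.50", "10.20.254.1", 23)),
                      ("telnet->Fa0/0", Packet("tcp", "10.20.10.50", "10.20.10.1", 23)),
                      ("ssh->Fa0/0", Packet("tcp", "10.20.10.50", "10.20.10.1", 22))]:
        print(f"CoPP  {name:17s} {'forward' if copp_forwards(COPP_ACL, pkt) else 'drop'}")
    for name, pkt in [("telnet->Vlan410", Packet("tcp", "10.2.112.50", "10.1.112.5", 23)),
                      ("telnet->Vlan210", Packet("tcp", "10.2.112.50", "10.2.112.5", 23)),
                      ("telnet transit", Packet("tcp", "10.2.112.50", "192.0.2.10", 23))]:
        print(f"IfACL {name:17s} {'forward' if interface_acl_forwards(IFACE_ACL, pkt) else 'drop'}")
```

The transit case is the one to weigh before rolling the interface ACL out fleet-wide: `deny tcp any any eq telnet` on an inbound SVI ACL matches every telnet packet entering that VLAN, not only packets addressed to the switch, whereas CoPP only ever sees traffic punted to the device's own control plane. Restricting ssh the same way needs equivalent entries for port 22 in whichever ACL is used; the ACLs as posted leave it open.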
