That was the original solution. I tried an alternate solution :-) With regards Kings
On Thu, May 3, 2012 at 7:15 PM, Matt Manire <[email protected]> wrote: > Kings, > > > > What about adding control plane protection on the interface to limit the > connects to SSH? If you use the control plan protection along with your > FPM config it may satisfy the question. > > > > Control-plane host > > Management-interface fastethernet 0/1 > > > > Thanks, > > > > *Matt Manire* > *CCSP, CCNP, CCDP, MCSE* *2003 & MCSE 2000* > *Information Systems Security Manager* > [email protected] > *t*: 817.525.1863 > *f*: 817.525.1903 > *m*: 817.271.9165 > > *First Rate* | 1903 Ascension Boulevard | Arlington, TX 76006| > www.FirstRate.com <http://www.firstrate.com/> > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Kingsley Charles > *Sent:* Thursday, May 03, 2012 4:58 AM > > *To:* Eugene Pefti > *Cc:* [email protected] > *Subject:* Re: [OSL | CCIE_Security] FPM to restrict vty access > > > > We can use HEX or decimal in FPM. > > Only ZFW policy maps have class default with default of drop action. > > > > With regards > Kings > > On Thu, May 3, 2012 at 1:36 PM, Eugene Pefti <[email protected]> > wrote: > > One more look at your question produced another thought. > > Don't we have to use port numbers in HEX ? In your case it should be > "match field TCP dest-port 0x16" for SSH port 22 > > > > Secondly, in your particular task, Kings, can't we make do with just one > class-map of stack type by matching the source address and TCP port as > follows: > > > > Class-map type stack match-all IP-TCP-STACK > > Match field IP protocol eq 0x6 next TCP > > Match field IP source-addr eq 4.8.6.0 mask 255.255.255.0 > > match field TCP dest-port eq 0x16 next IP > > > > As far as I understand you don't have to look into the payload of the > packet to match for more regex or bits. Then your policy-map would > reference this class-map and the default class-map would drop everything > else > > > > Eugene > > > > *From: *Kingsley Charles <[email protected]> > *Date: *Wed, 2 May 2012 21:17:05 +0530 > > > *To: *<[email protected]> > *Subject: *[OSL | CCIE_Security] FPM to restrict vty access > > > > Hi all > > The task asks to allow ssh only from 4.8.6.0/24 and the restriction is > that we should not use access-lists. So FPM is the only answer. > > In the following config, class-map get's matched and 4.8.6.0/24 is > allowed in. The issue is that I need a wildcard class-map to block other > ssh connections. But that doesn't > work in the following solution. > > > class-map type access-control match-all telblk > match field TCP dest-port eq 22 > > class-map type access-control match-all vlan6 > match field TCP dest-port eq 22 > match field IP source-addr eq 4.8.6.0 mask 0.0.0.255 > > class-map type stack match-all tcp > stack-start l2-start > match field ETHER type eq 0x800 next IP > match field IP protocol eq 6 next TCP > > > policy-map type access-control ssh > class vlan6 > class telblk > drop > > policy-map type access-control tcp > class tcp > service-policy ssh > > control-plane > service-policy type access-control input tcp > > > The following two alternative class-maps also doesn't work > > class-map type access-control match-all telblk > match field ip source-addr range 0.0.0.0 255.255.255.255 > > class-map type access-control match-all telblk > match field ip source-addr 0.0.0.0 mask 255.255.255.255 > > > > > > With regards > Kings > > _______________________________________________ For more information > regarding industry leading CCIE Lab training, please visit > www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
