Yes, you can do that with local PBR.

But the disadvantage is that you can't drop the request inbound, only the
response going out from the router with a source port of 22.

With regards
Kings

On Thu, May 3, 2012 at 8:35 PM, Matt Manire <[email protected]> wrote:

> Ok, what about configuring a route-map policy to send everything that
> does not match 4.8.6.0/24 to 0.0.0.0 on port 22 to Null0?
>
> Matt Manire
> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
> Information Systems Security Manager
> [email protected]
> t: 817.525.1863
> f: 817.525.1903
> m: 817.271.9165
>
> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 |
> www.FirstRate.com <http://www.firstrate.com/>
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Thursday, May 03, 2012 9:54 AM
> To: Matt Manire
> Cc: Eugene Pefti; [email protected]
> Subject: Re: [OSL | CCIE_Security] FPM to restrict vty access
>
> OK, both FPM and mgmt-intf. Still, on that interface any host will be allowed
> to access SSH. This will not satisfy the task.
>
> With regards
> King
>
> On Thu, May 3, 2012 at 8:21 PM, Kingsley Charles <
> [email protected]> wrote:
>
> That was the original solution. I tried an alternate solution :-)
>
> With regards
> Kings
>
> On Thu, May 3, 2012 at 7:15 PM, Matt Manire <[email protected]> wrote:
>
> Kings,
>
> What about adding control plane protection on the interface to limit the
> connections to SSH? If you use the control plane protection along with your
> FPM config it may satisfy the question.
>
> control-plane host
>  management-interface fastethernet 0/1
>
> Thanks,
>
> Matt Manire
> CCSP, CCNP, CCDP, MCSE 2003 & MCSE 2000
> Information Systems Security Manager
> [email protected]
> t: 817.525.1863
> f: 817.525.1903
> m: 817.271.9165
>
> First Rate | 1903 Ascension Boulevard | Arlington, TX 76006 |
> www.FirstRate.com <http://www.firstrate.com/>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Thursday, May 03, 2012 4:58 AM
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] FPM to restrict vty access
>
> We can use hex or decimal in FPM.
>
> Only ZFW policy maps have a class-default with a default drop action.
>
> With regards
> Kings
>
> On Thu, May 3, 2012 at 1:36 PM, Eugene Pefti <[email protected]>
> wrote:
>
> One more look at your question produced another thought.
>
> Don't we have to use port numbers in hex? In your case it should be
> "match field TCP dest-port 0x16" for SSH port 22.
>
>
>
> Secondly, in your particular task, Kings, can't we make do with just one
> class-map of stack type by matching the source address and TCP port as
> follows:
>
> class-map type stack match-all IP-TCP-STACK
>  match field IP protocol eq 0x6 next TCP
>  match field IP source-addr eq 4.8.6.0 mask 255.255.255.0
>  match field TCP dest-port eq 0x16 next IP
>
>
> As far as I understand you don't have to look into the payload of the
> packet to match for more regex or bits. Then your policy-map would
> reference this class-map and the default class-map would drop everything
> else.
>
> Eugene
>
> From: Kingsley Charles <[email protected]>
> Date: Wed, 2 May 2012 21:17:05 +0530
> To: <[email protected]>
> Subject: [OSL | CCIE_Security] FPM to restrict vty access
>
> Hi all
>
> The task asks to allow SSH only from 4.8.6.0/24, and the restriction is
> that we should not use access-lists. So FPM is the only answer.
>
> In the following config, the class-map gets matched and 4.8.6.0/24 is
> allowed in. The issue is that I need a wildcard class-map to block other
> SSH connections. But that doesn't work in the following solution.
>
> class-map type access-control match-all telblk
>  match field TCP dest-port eq 22
>
> class-map type access-control match-all vlan6
>  match field TCP dest-port eq 22
>  match field IP source-addr eq 4.8.6.0 mask 0.0.0.255
>
> class-map type stack match-all tcp
>  stack-start l2-start
>  match field ETHER type eq 0x800 next IP
>  match field IP protocol eq 6 next TCP
>
>
> policy-map type access-control ssh
>  class vlan6
>  class telblk
>    drop
>
> policy-map type access-control tcp
>  class tcp
>   service-policy ssh
>
> control-plane
>  service-policy type access-control input tcp
>
>
> The following two alternative class-maps also don't work:
>
> class-map type access-control match-all telblk
>  match field ip source-addr range 0.0.0.0 255.255.255.255
>
> class-map type access-control match-all telblk
>  match field ip source-addr 0.0.0.0 mask 255.255.255.255
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com