Wireless Access

Regular Contributor I

Restrict SSH to VPN controller

Need help.  AOS 6.5.x 7210 VPN controller and 7220 Hub controller.   Master/Master.

 

I am trying to restrict users from SSH to my VPN controller, both users on the remote controller and users from the Hub location.   I want a basic ACL to restrict this access inbound on the user interfaces of the 7210 VPN controller and on the crypto-local map to restrict the users coming from the Hub controller.  In both cases I get errors.  VPN tunnel and ports are all trusted.  I know if I make it untrusted I can apply this, but how could I secure it with a trusted port?

 

(VPN-LAB-Controller) (config-dest) # ip access-list session Aruba-VPN-Controller-Security
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ssh deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-snmp deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ntp deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any any any permit
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)#exit

 

(VPN-LAB-Controller) (config-dest) #netdestination Aruba-VPN-Controllers
(VPN-LAB-Controller) (config-dest) # network 10.50.124.0 255.255.254.0

 

 


(VPN-LAB-Controller) (config) #interface range gigabitethernet 0/0/0-0/10

(VPN-LAB-Controller) (config-range) # ip access-group Aruba-VPN-Controller-Security in
Invalid Access List Usage


(VPN-LAB-Controller) (config-range) #ip access-group Aruba-VPN-Controller-Security session
Illegal Operation: Interface is untrusted

Re: Restrict SSH to VPN controller

Is that a port-channel?

If it is, try applying it directly to the port-channel instead.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Regular Contributor I

Re: Restrict SSH to VPN controller

 

No, it's just a standard interface.  The 7210 has 16 ports I will use as trusted user ports, and I want to prevent them from getting SSH to the controller, as an example.

 

Re: Restrict SSH to VPN controller

Try applying the ACL on each individual port rather than using a range command.



Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Regular Contributor I

Re: Restrict SSH to VPN controller

That worked with a session ACL, thanks.

 

(VPN-LAB-Controller) (config) #interface gigabitethernet 0/0/1 

(VPN-LAB-Controller) (config-if)#ip access-group Aruba-VPN-Controller-Security session
(VPN-LAB-Controller) (config-if)#exit
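A consolidated version of the working configuration from this thread, written out in dependency order as an added example (not the poster's transcript). It keeps the thread's own object names and subnet and assumes the 16 user ports are gigabitethernet 0/0/0 through 0/0/15.

```text
! Constructed example; names and the 10.50.124.0/23 subnet are from the thread,
! the port numbering 0/0/0-0/0/15 is an assumption.

! 1. Destination alias: the controllers' subnet that users must not reach on SSH.
netdestination Aruba-VPN-Controllers
  network 10.50.124.0 255.255.254.0
!
! 2. Session ACL. Session ACLs end with an implicit deny, so the trailing
!    "any any any permit" is required or the port passes no other traffic.
ip access-list session Aruba-VPN-Controller-Security
  any alias Aruba-VPN-Controllers svc-ssh deny
  any alias Aruba-VPN-Controllers svc-snmp deny
  any alias Aruba-VPN-Controllers svc-ntp deny
  any any any permit
!
! 3. Apply per interface. The "interface range" form was rejected on these
!    trusted ports, so each user port gets its own statement.
interface gigabitethernet 0/0/0
  ip access-group Aruba-VPN-Controller-Security session
!
interface gigabitethernet 0/0/1
  ip access-group Aruba-VPN-Controller-Security session
!
! ... repeat for gigabitethernet 0/0/2 through 0/0/15
!
! 4. Verify the ACL contents after applying.
show ip access-list Aruba-VPN-Controller-Security
```

This only filters traffic entering the local user ports; the original question's second half, restricting SSH from the Hub side across the IPsec tunnel, is not addressed by this configuration and remains open in the thread.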
