Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Restrict SSH to VPN controller

  • 1.  Restrict SSH to VPN controller

    Posted Apr 07, 2017 11:23 AM

    Need help.  AOS 6.5.x 7210 VPN controller and 7220 Hub controller.   Master/Master.

    I am trying to restrict users from SSHing to my VPN controller, both users on the remote controller and users from the Hub location.   I want a basic ACL to restrict this access inbound on the user interfaces of the 7210 VPN controller and on the crypto-local map to restrict the users coming from the Hub controller.  In both cases I get errors.  VPN tunnel and ports are all trusted.  I know if I make it untrusted I can apply this, but how could I secure with a trusted port?

    (VPN-LAB-Controller) (config-dest) # ip access-list session Aruba-VPN-Controller-Security
    (VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ssh deny
    (VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-snmp deny
    (VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ntp deny
    (VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any any any permit
    (VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# exit

    (VPN-LAB-Controller) (config-dest) # netdestination Aruba-VPN-Controllers
    (VPN-LAB-Controller) (config-dest) # network 10.50.124.0 255.255.254.0

    (VPN-LAB-Controller) (config) #interface range gigabitethernet 0/0/0-0/10

    (VPN-LAB-Controller) (config-range) # ip access-group Aruba-VPN-Controller-Security in
    Invalid Access List Usage


    (VPN-LAB-Controller) (config-range) #ip access-group Aruba-VPN-Controller-Security session
    Illegal Operation: Interface is untrusted



  • 2.  RE: Restrict SSH to VPN controller

    Posted Apr 07, 2017 12:59 PM
    Is that a port-channel ?

    If it is, try applying it directly to the port-channel instead.

  • 4.  RE: Restrict SSH to VPN controller

    Posted Apr 07, 2017 01:04 PM

    No, it's just a standard interface.  The 7210 has 16 ports I will use as trusted user ports, and I want to prevent them from getting SSH to the controller, as an example.




  • 6.  RE: Restrict SSH to VPN controller
    Best Answer

    Posted Apr 07, 2017 01:07 PM
    Try applying the ACL on each individual port rather than using a range command.


  • 7.  RE: Restrict SSH to VPN controller

    Posted Apr 07, 2017 01:24 PM

    That worked with a session ACL, thanks.

    (VPN-LAB-Controller) (config) # interface gigabitethernet 0/0/1

    (VPN-LAB-Controller) (config-if)# ip access-group Aruba-VPN-Controller-Security session
    (VPN-LAB-Controller) (config-if)# exit
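Pulling the pieces of the thread into one ordered sequence, as an added example rather than the poster's own transcript: the netdestination alias is defined before the session ACL references it, the three deny lines and the closing permit are the ones from the first post, and the ACL is attached with the session keyword one port at a time, which is what the accepted answer reports working. The controller subnet and interface names are taken from the thread; the show commands at the end are standard AOS 6.x verification commands and are my addition, not something the posters ran.

```text
! Added example (not from the thread). Aliases first, so the ACL can reference them.
(VPN-LAB-Controller) (config) # netdestination Aruba-VPN-Controllers
(VPN-LAB-Controller) (config-dest) # network 10.50.124.0 255.255.254.0
(VPN-LAB-Controller) (config-dest) # exit

! Session ACL: rules are evaluated top down, so the denies must sit above the final permit.
(VPN-LAB-Controller) (config) # ip access-list session Aruba-VPN-Controller-Security
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ssh deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-snmp deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any alias Aruba-VPN-Controllers svc-ntp deny
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# any any any permit
(VPN-LAB-Controller) (config-sess-Aruba-VPN-Controller-Security)# exit

! Attach with "session", not "in": "in" expects a routed (standard/extended) ACL, which is
! the "Invalid Access List Usage" error in the first post. Applied per port, as the accepted
! answer suggests; "interface range" rejected it on this controller.
(VPN-LAB-Controller) (config) # interface gigabitethernet 0/0/1
(VPN-LAB-Controller) (config-if)# ip access-group Aruba-VPN-Controller-Security session
(VPN-LAB-Controller) (config-if)# exit
(VPN-LAB-Controller) (config) # interface gigabitethernet 0/0/2
(VPN-LAB-Controller) (config-if)# ip access-group Aruba-VPN-Controller-Security session
(VPN-LAB-Controller) (config-if)# exit
! ... same two lines for each remaining trusted user port ...

! Verification (my addition): confirm the alias, the rule order, and that the deny rules
! actually count hits after an SSH attempt from a host on one of the ports.
(VPN-LAB-Controller) # show netdestination Aruba-VPN-Controllers
(VPN-LAB-Controller) # show ip access-list Aruba-VPN-Controller-Security
(VPN-LAB-Controller) # show acl hits
(VPN-LAB-Controller) # write memory
```

Two caveats a practitioner would want alongside this. A session ACL bound to a port only filters traffic that enters that port, so it covers the local trusted user ports the question asks about but does nothing for SSH arriving from the Hub controller over the VPN tunnel; the thread raises that second case (the crypto-local map) and does not resolve it. And because the last rule is an unconditional permit, any rule added later below it is never reached; keep new denies above the permit and re-check with `show acl hits`.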