Switching


Creating a VTY ACL

  • 1.  Creating a VTY ACL

    Posted 06-21-2018 11:11

    Hi, I have an ACL for our VTY lines which we use on Cisco, and I am trying to create the same for the Juniper EX4200 series. I am having a difficult time, and I tried the Juniper IOS-to-EX conversion; however, I still need the set commands to make it work.

     

    Can anyone assist ?

     

    access-list 97 permit ip address
    access-list 97 permit ip address
    access-list 97 permit ip address
    access-list 97 permit ip address
    access-list 97 deny any log
    line vty 0 15
     access-class 97 in
     transport input ssh

     



  • 2.  RE: Creating a VTY ACL

    Posted 06-21-2018 13:50


  • 3.  RE: Creating a VTY ACL

    Posted 06-26-2018 06:54

    Thank you, I tried this, but the Juniper isn't using a loopback interface. Can I configure it just with a VTY line? I would like to deny based on VTY and not on an interface or loopback.

     

     

    See below is what i have so far.


    set firewall family inet filter local_acl term terminal_access from source-address 10.3.10.0/24
    set firewall family inet filter local_acl term terminal_access from source-address XX.XX.XX.XX/XX
    set firewall family inet filter local_acl term terminal_access from protocol tcp
    set firewall family inet filter local_acl term terminal_access from port ssh
    set firewall family inet filter local_acl term terminal_access from port telnet
    set firewall family inet filter local_acl term terminal_access then accept
    set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
    set firewall family inet filter local_acl term terminal_access_denied from port ssh
    set firewall family inet filter local_acl term terminal_access_denied from port telnet
    set firewall family inet filter local_acl term terminal_access_denied then log
    set firewall family inet filter local_acl term terminal_access_denied then reject
    set firewall family inet filter local_acl term default-term then accept
    set interfaces lo0 unit 0 family inet filter input local_acl
    set interfaces lo0 unit 0 family inet address XXXXXXXXXXX/XX
    commit

    [edit]
    user@myhost# edit firewall family inet filter local_acl
    commit

    [edit firewall family inet filter local_acl]
    user@myhost# set term terminal_access from source-address 192.168.1.0/24
    user@myhost# set term terminal_access from protocol tcp
    user@myhost# set term terminal_access from port ssh
    user@myhost# set term terminal_access from port telnet
    user@myhost# set term terminal_access then accept
    commit

    [edit firewall family inet filter local_acl]
    user@myhost# set term terminal_access_denied from protocol tcp
    user@myhost# set term terminal_access_denied from port ssh
    user@myhost# set term terminal_access_denied from port telnet
    user@myhost# set term terminal_access_denied then log
    user@myhost# set term terminal_access_denied then reject
    user@myhost# set term default-term then accept
    commit

    To apply the firewall filter to the loopback interface:
    [edit]
    user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl
    user@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32
    commit



  • 4.  RE: Creating a VTY ACL

    Posted 06-26-2018 08:32

    VTY lines are a Cisco concept.

     

    The loopback interface controls all traffic to the control plane, that includes management, routing protocols, icmp (to the device), etc.

     

    Your approach is correct, but you can do it with fewer terms, and therefore less opportunity for mistakes, by doing the following:

     

    // Discard all SSH/Telnet except from 10.3.10.0/24

    set firewall filter PROTECT-RE term SSH_TELNET from source-address 10.3.10.0/24 except
    set firewall filter PROTECT-RE term SSH_TELNET from protocol tcp
    set firewall filter PROTECT-RE term SSH_TELNET from destination-port 23
    set firewall filter PROTECT-RE term SSH_TELNET from destination-port 22
    set firewall filter PROTECT-RE term SSH_TELNET then discard
    set firewall filter PROTECT-RE term else then accept

     

    Note the "except" keyword.

     

    Also, the 127.0.0.1 address on the loopback is not required; you can delete the address from the loopback.

     

    family inet filter input can be configured without also configuring an address.

     

    There are additional considerations to make if you are using multiple routing-instances and multiple loopback interfaces.

    Also, when modifying the loopback interface filter, I suggest you do a commit confirmed, since there is a possibility of breaking management access.



  • 5.  RE: Creating a VTY ACL

     
    Posted 06-30-2018 11:14

    Hi Folks,

    Just thought of sharing some interesting terms you can add to a loopback filter....

     

    PERMIT_RSVP

    PERMIT_PIM

    PERMIT_OSPF

    PERMIT_VRRP

    PERMIT_FRAGMENT

    PERMIT_BGP

    PERMIT_LDP

    PERMIT_SSH

    PERMIT_NTP

    PERMIT_SNMP

    PERMIT_RIP

    PERMIT_TRACEROUTE

    PERMIT_LSP_PING

    PERMIT_ICMP

    PERMIT_TACACS

    PERMIT_BFD

    PERMIT_MCAST

    PERMIT_IGMP

    PERMIT_FTP

    PERMIT_SCP

    DENY_OTHERS



  • 6.  RE: Creating a VTY ACL

    Posted 06-30-2018 12:32

    Hi,

     

    You can use the Cisco-to-Juniper CLI converter to convert the IOS config:

     

    IOS-to-JUNOS (I2J) Conversion Tool - Tool Fact Sheet

     

    IOS TO JUNOS TRANSLATOR

     

    Below is your converted config in Junos:

     


    system {
        login {
            class superuser {
                idle-timeout 10;
            }
        }
        services {
            telnet;
        }
    }
    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input 97-VTY;
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter 97-VTY {
                term T1 {
                    from {
                        protocol tcp;
                        destination-port [ telnet ssh ];
                    }
                    then {
                        discard;
                        log;
                    }
                }
                term T2 {
                    then {
                        accept;
                    }
                }
            }
        }
    }

     




  • 7.  RE: Creating a VTY ACL

    Posted 07-01-2018 05:21

    Hi Nsylaj

     

    You can use the example below to allow only certain IPs to SSH to the device.

     

    root@QFX# run show firewall

    Filter: __default_bpdu_filter__

    Filter: VTYACL
    Counters:
    Name                                                Bytes              Packets
    VTYACL                                               3360                   24

     

    {master:0}[edit]
    root@QFX# show firewall filter VTYACL | display set
    set firewall filter VTYACL term TERM1 from source-address 172.29.238.86/32
    set firewall filter VTYACL term TERM1 from destination-address 10.219.42.218/32
    set firewall filter VTYACL term TERM1 from protocol tcp
    set firewall filter VTYACL term TERM1 from destination-port ssh
    set firewall filter VTYACL term TERM1 then count VTYACL
    set firewall filter VTYACL term TERM1 then log
    set firewall filter VTYACL term TERM1 then accept
    set firewall filter VTYACL term TERM2 then accept

    {master:0}[edit]

    root@QFX# show interfaces lo0 | display set
    set interfaces lo0 unit 0 family inet filter input VTYACL
    set interfaces lo0 unit 0 family inet address 172.16.1.2/32

    {master:0}[edit]
    root@QFX#
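
As an added example, not taken from any reply in this thread: a Junos translation of the original access-list 97 that keeps the lo0 filter structure from reply 4 but adds the term that the VTYACL in reply 7 lacks. In reply 7, TERM1 only counts and logs SSH from 172.29.238.86 and TERM2 then accepts everything else, so SSH from any other source is still accepted; the filter records traffic but restricts nothing. The I2J output in reply 6 has the opposite problem: because the source addresses were redacted in the question it produced no permit term, so T1 discards all SSH and Telnet, and the converted config also enables the telnet service. The filter, term, counter and prefix-list names below and the 192.0.2.0/24 prefix are placeholders chosen for this example; 10.3.10.0/24 is the network from reply 3. Replace the prefix-list entries with the four networks from the Cisco ACL.

```junos
# Added example: Junos equivalent of Cisco "access-list 97" + "access-class 97 in",
# applied as an input filter on lo0. Names and 192.0.2.0/24 are placeholders.

# Management sources allowed to reach the control plane over SSH
# (one prefix-list entry per Cisco "permit" line).
set policy-options prefix-list MGMT-HOSTS 10.3.10.0/24
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24

# Term 1: permit SSH only from the listed sources.
set firewall family inet filter PROTECT-RE term MGMT-SSH from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term MGMT-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term MGMT-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term MGMT-SSH then count MGMT-SSH-ACCEPT
set firewall family inet filter PROTECT-RE term MGMT-SSH then accept

# Term 2: any other SSH or Telnet aimed at the device is logged and dropped
# (the Cisco "deny any log"). Without this term a trailing accept-all term,
# as in reply 7, admits SSH from every source.
set firewall family inet filter PROTECT-RE term BLOCK-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term BLOCK-MGMT from destination-port [ ssh telnet ]
set firewall family inet filter PROTECT-RE term BLOCK-MGMT then count MGMT-DENIED
set firewall family inet filter PROTECT-RE term BLOCK-MGMT then log
set firewall family inet filter PROTECT-RE term BLOCK-MGMT then discard

# Term 3: the lo0 filter sees all control-plane traffic (routing protocols,
# ICMP, NTP, ...), unlike a Cisco access-class, so it must end with an
# explicit accept or those protocols break.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

# Apply to the loopback; no lo0 address is required for the filter to work.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# SSH only; Telnet stays matched in BLOCK-MGMT as defence in depth.
set system services ssh
delete system services telnet

# Commit with automatic rollback, then confirm once SSH still works.
commit confirmed 5
commit
```

Terms are evaluated first-match, so the order matters: the permit for the management prefixes must precede BLOCK-MGMT, and ALLOW-REST must stay last. `commit confirmed 5` rolls the configuration back after five minutes unless a plain `commit` follows, which is the safety net reply 4 recommends when the session you are editing from is itself governed by the lo0 filter. Afterwards `show firewall filter PROTECT-RE` shows the two counters, and `show firewall log` shows the connections dropped by BLOCK-MGMT.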