Just a simple one today.
You have users that connect to some type of access device - perhaps a network perimeter device that allows access to more internal equipment. Different users have different permissions as to what they should be accessing internally. How do you selectively give those users access to telnet or SSH to certain internal IPs?
Let's say your internal boxes are 172.16.0.0/16:
172.16.1.0/24 = Development
172.16.2.0/24 = Network Infrastructure
172.16.3.0/24 = Linux Production Servers
user1 should have access to Development (172.16.1.0/24) and Linux Production (172.16.3.0/24).
user2 should have access to Network Infrastructure (172.16.2.0/24).
user3 should have access to everything.
access-list 171 deny ip any 172.16.2.0 0.0.0.255
access-list 171 permit ip any 172.16.0.0 0.0.255.255
access-list 172 permit ip any 172.16.2.0 0.0.0.255
username user1 access-class 171 password 0 cisco
username user2 access-class 172 password 0 cisco
username user3 password 0 cisco
Let's test user 1...
User Access Verification
Username: user1
Password:
R2>telnet 172.16.2.100
Trying 172.16.2.100 ...
% Connections to that host not permitted from this terminal
R2>telnet 172.16.1.100
Trying 172.16.1.100 ... Open
User Access Verification
Username:
As expected, we can get out to 1.100, but not to 2.100.
What about user2?
User Access Verification
Username: user2
Password:
R2>telnet 172.16.1.100
Trying 172.16.1.100 ...
% Connections to that host not permitted from this terminal
R2>telnet 172.16.2.100
Trying 172.16.2.100 ... Open
User Access Verification
Username:
No on 1.100, but yes on 2.100.
I'm not going to show user3, but because no access-class is applied to that username, its sessions are unrestricted and can reach anything.
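As an added example (not part of the original post), here is a small Python model of how IOS evaluates the per-user access-class above: wildcard-mask matching, first match wins, and an implicit deny when nothing matches. It reproduces the telnet results from the two test sessions and also shows why the order of the two lines in ACL 171 matters; the ACL and user tables are constructed from the config in the post.

```python
import ipaddress

# Constructed from the post's config: extended ACL entries as
# (action, network, wildcard). Order is significant.
ACLS = {
    171: [("deny", "172.16.2.0", "0.0.0.255"),
          ("permit", "172.16.0.0", "0.0.255.255")],
    172: [("permit", "172.16.2.0", "0.0.0.255")],
}
# username -> access-class number; None means no access-class applied
USERS = {"user1": 171, "user2": 172, "user3": None}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: bit 0 = must match, bit 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & mask) == (n & mask)


def acl_permits(entries, dest):
    """First matching entry decides; no match hits the implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(dest, network, wildcard):
            return action == "permit"
    return False


def session_allowed(user, dest):
    """Outbound telnet/SSH from the user's line; no access-class = open."""
    acl = USERS[user]
    if acl is None:
        return True
    return acl_permits(ACLS[acl], dest)


if __name__ == "__main__":
    for user in USERS:
        for dest in ("172.16.1.100", "172.16.2.100", "172.16.3.100"):
            verdict = "Open" if session_allowed(user, dest) else \
                "% Connections to that host not permitted from this terminal"
            print(f"{user:6} -> {dest}: {verdict}")
    # Ordering caveat: with the permit listed first, the deny is never reached
    print("ACL 171 reversed, 172.16.2.100:",
          acl_permits(list(reversed(ACLS[171])), "172.16.2.100"))
```

Anything outside 172.16.0.0/16 falls through to the implicit deny for user1 and user2, which is the behaviour you want from a perimeter jump device.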