Network zones with access profiles?


I am attempting to convert telnet/ssh access-profiles from dynamic acls to a static acl with network zones, but when I switch telnet to use this acl, it refuses connections that should be allowed.

Experimenting, it appears that access-profiles don't work with network zones; when I replace the source-zone with the corresponding source-address directives, it works.

X460-24t 16.1.3.6

With network zone (example simplified, the real one contains multiple networks and addresses):
configure access-list network-zone trusted-networks add ipaddress x.x.x.145 255.255.255.255

entry permit-trusted-networks {
if match any {
source-zone trusted-networks;
} then {
permit;
}
}

Connection refused

With source-address:
entry permit-trusted-networks {
if match any {
source-address x.x.x.145/32;
} then {
permit;
}
}

telnet session telnet4 on /dev/ptyb4

Unauthorized access prohibited!

login: Login timed out!

2 replies

Hi Dave,

Welcome to the Hub....

I could see this limitation for the SSH access profile; I believe this could be applicable to the telnet access profile as well.
"Only source-address match is supported"

You can take a look at this article for more help on the same.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-restrict-telnet-access

This is unfortunate. I also discovered I can't use the same policy file with telnet/ssh/snmp and with ingress/egress (which is what led me to use network-zones in the first place), so I'll have multiple places to update if the address list changes, instead of just one.

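The two problems raised in this thread (access-profiles only honour source-address matches, and the same address list ends up maintained in more than one policy) can be handled by keeping the list in one place and generating both forms from it. The following is an added example, not code from the original post or from Extreme Networks: the zone and entry names are taken from the post, the sample addresses are constructed RFC 5737 documentation ranges standing in for the redacted x.x.x.145, and the one-entry-per-network layout of the generated access-profile policy is a conservative choice that mirrors the single-entry form shown above rather than a documented requirement. It also includes a check that flags any source-zone condition before a policy file is attached to a telnet/ssh/snmp access-profile, since that is exactly the condition the answer says is not supported there.

```python
"""Render one trusted-source list into both EXOS forms used in this thread:
network-zone CLI commands (for ingress/egress ACLs) and an access-profile
policy file (for telnet/ssh/snmp), plus a pre-flight check for source-zone.
Added example; it does not talk to a switch."""
import ipaddress
import re

# Constructed sample input: the single source of truth for trusted management
# sources. RFC 5737 documentation ranges, not real addresses.
TRUSTED_SOURCES = [
    "192.0.2.145",        # a bare host, becomes /32
    "198.51.100.0/24",    # a management subnet
    "203.0.113.8/29",
]

ZONE_NAME = "trusted-networks"           # zone name from the post
ENTRY_NAME = "permit-trusted-networks"   # entry name from the post

# Matches a source-zone condition line inside a policy entry.
SOURCE_ZONE_RE = re.compile(r"^\s*source-zone\b")


def normalize(sources):
    """Parse each entry as a network; bare hosts become /32.
    strict=True rejects entries with host bits set (a common list-editing slip)."""
    return [ipaddress.ip_network(s, strict=True) for s in sources]


def render_zone_commands(sources, zone=ZONE_NAME):
    """CLI lines that populate a network-zone for use in ingress/egress ACLs,
    in the 'ipaddress <addr> <dotted-mask>' form shown in the post."""
    return [
        f"configure access-list network-zone {zone} add ipaddress "
        f"{net.network_address} {net.netmask}"
        for net in normalize(sources)
    ]


def render_access_profile(sources, entry=ENTRY_NAME):
    """Policy text for an access-profile. Access-profiles only evaluate
    source-address, so each network becomes its own permit entry
    (entry names are suffixed -1, -2, ... ; an assumption of this example)."""
    entries = []
    for i, net in enumerate(normalize(sources), start=1):
        entries.append(
            f"entry {entry}-{i} {{\n"
            f"    if match any {{\n"
            f"        source-address {net.with_prefixlen};\n"
            f"    }} then {{\n"
            f"        permit;\n"
            f"    }}\n"
            f"}}"
        )
    return "\n\n".join(entries) + "\n"


def check_access_profile(policy_text):
    """Return 1-based line numbers of source-zone conditions, which an
    access-profile silently fails to match (the symptom in the post)."""
    return [
        n for n, line in enumerate(policy_text.splitlines(), start=1)
        if SOURCE_ZONE_RE.search(line)
    ]


if __name__ == "__main__":
    print("\n".join(render_zone_commands(TRUSTED_SOURCES)))
    policy = render_access_profile(TRUSTED_SOURCES)
    print(policy)
    bad = check_access_profile(policy)
    print("source-zone lines in access-profile policy:", bad or "none")
```

Paste the first block of output into the CLI for the zone used by the ingress/egress ACL, and save the second as the policy file attached to the telnet/ssh/snmp access-profile; when the address list changes, edit TRUSTED_SOURCES once and regenerate both. Running check_access_profile over any hand-written policy before attaching it catches the source-zone case from the original post.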