Enabling Remote Access To The: Cisco Application Control Engine Module Administration Guide OL-9373-01

This document provides instructions for configuring remote access to the Cisco Application Control Engine (ACE) module by establishing connections using Secure Shell (SSH) or Telnet protocols. It describes creating a class map to define allowed network traffic for protocols like SSH and Telnet based on source IP address. It also covers generating SSH keys, creating a policy map to enable remote access for traffic that matches the class map criteria, and applying the policy map to an interface to activate remote management.


Chapter 2

Enabling Remote Access to the ACE


This chapter describes how to configure remote access to the Cisco Application Control Engine (ACE) module by establishing a remote connection using the Secure Shell (SSH) or Telnet protocols. It also describes how to configure the ACE to provide direct access to a user context from SSH, and how to configure the ACE to receive ICMP messages from a host. This chapter includes the following major sections:

- Remote Access Configuration Quick Start
- Configuring Remote Network Management Traffic Services
- Configuring Telnet Management Sessions
- Configuring SSH Management Sessions
- Terminating an Active User Session
- Enabling ICMP Messages To the ACE
- Directly Accessing a User Context Through SSH
- Viewing Session Information

Refer to Chapter 1, Setting Up the ACE, for details on:

- Making a direct connection using a dedicated terminal attached to the Console port on the front of the ACE
- Configuring terminal display attributes
- Configuring terminal line settings for accessing the ACE by console or virtual terminal connection


Cisco Application Control Engine Module Administration Guide OL-9373-01

Remote Access Configuration Quick Start


Table 2-1 provides a quick overview of the steps required to configure remote network management access for the ACE. Each step includes the CLI command required to complete the task.

Table 2-1 Remote Network Management Configuration Quick Start

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, log directly in to, or change to, the correct context.

   host1/Admin# changeto C1
   host1/C1#

   The rest of the examples in this table use the Admin context for illustration purposes, unless otherwise specified. For details on creating contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.

2. Enter configuration mode.

   host1/Admin# config
   Enter configuration commands, one per line. End with CNTL/Z
   host1/Admin(config)#

3. Create a class map that permits network management traffic to be received by the ACE based on the network management protocol (SSH, Telnet) and client source IP address.

   host1/Admin(config)# class-map type management match-all SSH-ALLOW_CLASS
   host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
   host1/Admin(config-cmap-mgmt)# exit
   host1/Admin(config)# class-map type management match-all TELNET-ALLOW_CLASS
   host1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254
   host1/Admin(config-cmap-mgmt)# exit
   host1/Admin(config)#


4. Configure a policy map that activates the SSH and Telnet management protocol classifications.

   host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
   host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
   host1/Admin(config-pmap-mgmt-c)# permit
   host1/Admin(config-pmap-mgmt-c)# exit
   host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
   host1/Admin(config-pmap-mgmt-c)# permit
   host1/Admin(config-pmap-mgmt-c)# exit
   host1/Admin(config-pmap-mgmt)# exit
   host1/Admin(config)#

5. Attach the traffic policy to a single VLAN interface or globally to all VLAN interfaces in the same context. For example, to specify an interface VLAN and apply the remote management policy map to the VLAN, enter:

   host1/Admin(config)# interface vlan 50
   host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
   host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
   host1/Admin(config-if)# exit

6. (Optional) Configure the maximum number of Telnet sessions allowed for each context.

   host1/Admin(config)# telnet maxsessions 3

7. (Optional) Configure the maximum number of SSH sessions allowed for each context.

   host1/Admin(config)# ssh maxsessions 3

8. For users with global administrator privileges, use the ssh key command to generate the SSH private key and the corresponding public key for use by the SSH server. There is only one host-key pair. For example, to generate a 1024-bit RSA1 key pair (usable only by SSH version 1 clients) in the Admin context, enter:

   host1/Admin(config)# ssh key rsa1 1024
   generating rsa1 key.....
   generated rsa1 key

   SSH version 1 is an obsolete protocol. For SSH version 2 clients, generate an RSA or DSA key pair instead (ssh key rsa or ssh key dsa), as described in Generating SSH Host Key Pairs.

9. (Optional) If necessary, save your configuration changes to Flash memory.

   host1/Admin(config)# exit
   host1/Admin# copy running-config startup-config


Configuring Remote Network Management Traffic Services


You configure rules for remote access to the ACE through the use of class maps, policy maps, and service policies. The following items summarize the role of each function in configuring remote network management access to the ACE:

- Class map: Provides the remote network traffic match criteria to permit traffic based on:
  - Remote access network management protocols (SSH, Telnet, ICMP)
  - Client source IP address
- Policy map: Enables remote network management access for a traffic classification that matches the criteria listed in the class map.
- Service policy: Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.

This section provides an overview on creating a class map, policy map, and service policy for remote network access. For detailed information on creating class maps, policy maps, and service policies, refer to Chapter 4, Configuring Class Maps and Policy Maps. Telnet and SSH remote access sessions are established to the ACE on a per context basis. For details on creating users and contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide. This section includes the following topics:

- Creating and Configuring a Remote Management Class Map
- Creating a Layer 3 and Layer 4 Remote Access Policy Map
- Applying a Service Policy


Creating and Configuring a Remote Management Class Map


To create a Layer 3 and Layer 4 class map to classify the remote network management traffic received by the ACE, use the class-map type management configuration command. This command permits network management traffic to be received by the ACE by identifying the incoming IP protocols that the ACE can receive, as well as the client source IP address and subnet mask, as the matching criteria. A class map of type management defines the allowed network traffic as a form of management security for protocols such as SSH, Telnet, and ICMP. There can be multiple match commands in a class map. You can configure class maps to define multiple management protocol and source IP address match commands in a group that you then associate with a traffic policy. The match-all and match-any keywords determine how the ACE evaluates multiple match statements when multiple match criteria exist in a class map. The syntax of this command is:

class-map type management [match-all | match-any] map_name

The keywords, arguments, and options are:

- match-all | match-any (Optional) Determines how the ACE evaluates Layer 3 and Layer 4 network management traffic when multiple match criteria exist in a class map. The class map is considered a match if the match commands meet one of the following conditions:
  - match-all: All of the match criteria listed in the class map are satisfied to match the network traffic class in the class map, typically match commands of the same type.
  - match-any: Any one of the match criteria listed in the class map is satisfied to match the network traffic class in the class map, typically match commands of different types.
  The default setting is to meet all of the match criteria (match-all) in a class map.
- map_name Specifies the name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


The CLI enters the class map management configuration mode. To classify the remote network management traffic received by the ACE, include one or more of the associated commands to configure the match criteria for the class map:

- description: See Defining a Class Map Description
- match protocol: See Defining Remote Network Management Protocol Match Criteria

You may include multiple match protocol commands in a class map. For example, to allow SSH and Telnet access to the ACE from 172.16.10.0 with mask 255.255.255.254 (that is, from 172.16.10.0 and 172.16.10.1 only), enter:
host1/Admin(config)# class-map type management match-all SSH-TELNET_ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# match protocol telnet source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)#

To remove a Layer 3 and Layer 4 network management class map from the ACE, enter:
host1/Admin(config)# no class-map type management match-all SSH-TELNET_ALLOW_CLASS


Defining a Class Map Description


Use the description command to provide a brief summary about the Layer 3 and Layer 4 remote management class map. Access the class map configuration mode to specify the description command. The syntax of this command is:

description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. For example, to specify a description that the class map is to allow remote Telnet access, enter:
host1/Admin(config)# class-map type management TELNET-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow Telnet access to the ACE

To remove the description from the class map, enter:


host1/Admin(config-cmap-mgmt)# no description

Defining Remote Network Management Protocol Match Criteria


Use the match protocol command to configure the class map to identify the remote network access management protocols that can be received by the ACE. You configure the associated policy map to permit access to the ACE for the specified management protocols. As part of the network management access traffic classification, you also specify either a client source host IP address and subnet mask as the matching criteria or instruct the ACE to allow any client source address for the management traffic classification. Access the class map configuration mode to specify the match protocol command.


The syntax of this command is:

[line_number] match protocol {http | https | icmp | snmp | ssh | telnet} {any | source-address ip_address mask}

The keywords, arguments, and options are:

- line_number (Optional) Assists you in editing or deleting individual match commands. Enter an integer from 2 to 255 as the line number. You can enter no line_number to delete long match commands instead of entering the entire line. The line numbers do not dictate a priority or sequence for the match statements.
- http Specifies the Hypertext Transfer Protocol (HTTP). The configuration of the HTTP management protocol is covered in Chapter 9, Configuring the XML Interface.
- https Specifies the secure (SSL) Hypertext Transfer Protocol (HTTPS). The configuration of the HTTPS management protocol is covered in Chapter 9, Configuring the XML Interface.
- icmp Specifies Internet Control Message Protocol messages to the ACE. The configuration of the ICMP management protocol is covered in this chapter.
- snmp Specifies the Simple Network Management Protocol (SNMP). The configuration of the SNMP management protocol is covered in Chapter 8, Configuring SNMP.
- ssh Specifies a Secure Shell (SSH) remote connection to the ACE. The ACE supports the SSH remote shell functionality of SSH version 1 (RSA1 host key, DES and 3DES ciphers) and also accepts RSA and DSA host keys for SSH version 2 clients, as described in Generating SSH Host Key Pairs. The configuration of the SSH management protocol is covered in this chapter.
- telnet Specifies a Telnet remote connection to the ACE. The configuration of the Telnet management protocol is covered in this chapter.
- any Specifies any client source address for the management traffic classification.

Note SSH v1.x and v2 are entirely different protocols and are not compatible. Use a client whose SSH version matches the host key pair generated on the ACE. Prefer SSH version 2: SSH version 1 and single DES are cryptographically obsolete.


- source-address Specifies a client source host IP address and subnet mask as the network traffic matching criteria. As part of the classification, the ACE implicitly obtains the destination IP address from the interface on which you apply the policy map.
  - ip_address Source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).
  - mask The subnet mask of the client in dotted-decimal notation (for example, 255.255.255.0).

For example, to specify that the class map allows SSH access to the ACE from 172.16.10.0 and 172.16.10.1 (mask 255.255.255.254 covers only those two addresses), enter:
host1/Admin(config)# class-map type management SSH-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254

To deselect the specified network management protocol match criteria from the class map, enter:
host1/Admin(config-cmap-mgmt)# no match protocol ssh source-address 172.16.10.0 255.255.255.254

Creating a Layer 3 and Layer 4 Remote Access Policy Map


The following procedure outlines the general steps to configure a Layer 3 and Layer 4 policy map that defines the actions executed on remote network management traffic that matches the specified classifications.

1. Use the policy-map type management configuration command to configure a Layer 3 and Layer 4 policy map that permits the ACE to receive the specified remote management protocols. The ACE executes the action for the first matching classification. The syntax of this command is:

policy-map type management first-match map_name

The map_name argument specifies the name assigned to the Layer 3 and Layer 4 network management policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The CLI enters the policy map management configuration mode.


For example, to create a Layer 3 and Layer 4 network traffic management policy map, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)#

To remove a policy map from the ACE, enter:
host1/Admin(config)# no policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

2.

If desired, use the description command to provide a brief summary about the Layer 3 and Layer 4 remote management policy map. The syntax of this command is:

description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters. For example, to specify a description that the policy map is to allow remote Telnet access, enter:
host1/Admin(config-pmap-mgmt)# description Allow Telnet access to the ACE

To remove a description from the policy map, enter:


host1/Admin(config-pmap-mgmt)# no description

3.

To specify a traffic class created with the class-map command to associate network traffic with the traffic policy, use the class command. The syntax of this command is:

class map_name

The map_name argument specifies the name of a previously defined traffic class, configured with the class-map command, to associate traffic with the traffic policy. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. The CLI enters the policy map management class configuration mode.


For example, to specify an existing class map within the Layer 3 and Layer 4 remote access policy map, enter:
host1/Admin(config-pmap-mgmt)# class L4_REMOTE_ACCESS_CLASS
host1/Admin(config-pmap-mgmt-c)#

To remove a class map from a Layer 3 and Layer 4 policy map, enter:
host1/Admin(config-pmap-mgmt)# no class L4_REMOTE_ACCESS_CLASS

4.

To manually insert a class map ahead of a previously specified class map, use the insert-before command. The ACE does not save sequence reordering through the insert-before command as part of the configuration. The syntax of this command is:

class map_name1 insert-before map_name2

The arguments are:

- class map_name1 Specifies the name of a previously defined traffic class configured with the class-map command. Enter an unquoted text string with no spaces and a maximum of 64 characters.
- insert-before map_name2 Places the current class map ahead of an existing class map as specified by the map_name2 argument. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Because the policy map is first-match, the order of the classes decides which action applies when a connection matches more than one class. For example, to use the insert-before command to define the sequential order of two class maps in the policy map, enter:
host1/Admin(config-pmap-mgmt)# class L4_SSH_CLASS insert-before L4_REMOTE_ACCESS_CLASS

5.

To specify the class-default class map for the Layer 3 and Layer 4 traffic policy, use the class class-default command. All network traffic that fails to meet the matching criteria in the other named class maps belongs to the default traffic class. If none of the specified classifications match, the ACE applies the action specified under the class class-default command. The class-default class map has an implicit match any statement, so it matches all traffic. Because the policy map is first-match, class class-default belongs last in the policy map, and a permit under it accepts every management protocol from any source. For example, to use the class class-default command, enter:
host1/Admin(config-pmap-mgmt)# class class-default
host1/Admin(config-pmap-mgmt-c)#

The CLI enters the policy map management class configuration mode.



6.

Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map. See the Defining Management Traffic Policy Actions section to define the different Layer 3 and Layer 4 network traffic policies and associated actions. For example, to specify a traffic management action for the Layer 3 and Layer 4 policy map, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit

Defining Management Traffic Policy Actions


Use the permit command in policy map class configuration mode to permit the remote network management protocols listed in the class map to be received by the ACE. The syntax of this command is:

permit

Use the deny command in policy map class configuration mode to deny the remote network management protocols listed in the class map from being received by the ACE. The syntax of this command is:

deny


For example, to create a Layer 3 and Layer 4 remote network traffic management policy map that permits SSH, Telnet, and ICMP connections to be received by the ACE, enter:
host1/Admin(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class TELNET-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit

For example, to create a policy map that denies the ICMP traffic classified by ICMP-ALLOW_CLASS, enter:
host1/Admin(config)# policy-map type management first-match ICMP_RESTRICT_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# deny

Applying a Service Policy


Use the service-policy command to:

- Apply a previously created policy map.
- Attach the traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.
- Specify that the traffic policy is to be attached to the input direction of an interface.

The service-policy command is available both in interface configuration mode and in configuration mode. Specifying a policy map in interface configuration mode applies the policy map to a specific VLAN interface. Specifying a policy map in configuration mode applies the policy to all of the VLAN interfaces associated with a context. The syntax of this command is:

service-policy input policy_name


The keywords, arguments, and options are:

- input Specifies that the traffic policy is to be attached to the input direction of an interface. The traffic policy evaluates all traffic received by that interface.
- policy_name Specifies the name of a previously defined policy map, configured with a previously created policy-map command. The name can be a maximum of 40 alphanumeric characters.

For example, to specify an interface VLAN and apply the remote access policy map to a VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY

For example, to globally apply the remote access policy map to all of the VLANs associated with a context, enter:
host1/Admin(config)# service-policy input REMOTE_MGMT_ALLOW_POLICY

To detach the remote access traffic policy from an interface, enter:


host1/Admin(config-if)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

To globally detach the remote access traffic policy from all VLANs associated with a context, enter:
host1/Admin(config)# no service-policy input REMOTE_MGMT_ALLOW_POLICY

When you detach a traffic policy either:

- individually from the last VLAN interface on which you applied the service policy, or
- globally from all VLAN interfaces in the same context,

the ACE automatically resets the associated service policy statistics. The ACE performs this action to provide a new starting point for the service policy statistics the next time you attach a traffic policy to a specific VLAN interface or globally to all VLAN interfaces in the same context.


Note the following when creating a service policy:

- Policy maps applied globally in a context are internally applied on all interfaces existing in the context.
- A policy activated on an interface overrides any specified global policy for overlapping classification and actions.
- The ACE allows only one policy of a specific feature type to be activated on a given interface.

To display service policy statistics for a Layer 3 and Layer 4 remote network traffic management policy map, use the show service-policy command in Exec mode. The syntax of this command is:

show service-policy policy_name [detail]

The keywords, options, and arguments are as follows:

- policy_name The identifier of an existing policy map that is currently in service (applied to an interface), as an unquoted text string with a maximum of 64 alphanumeric characters.
- detail (Optional) Displays a more detailed listing of policy map statistics and status information.

Note The ACE updates the counters that the show service-policy command displays after the applicable connections are closed.

For example, to display service policy statistics for the REMOTE_MGMT_ALLOW_POLICY policy map, enter:
host1/Admin# show service-policy REMOTE_MGMT_ALLOW_POLICY
Status : ACTIVE
Description: Allow mgmt protocols
----------------------------------------
Context Global Policy:
  service-policy: REMOTE_MGMT_ALLOW_POLICY

To clear the service policy statistics, use the clear service-policy command. The syntax of this command is:

clear service-policy policy_name


For the policy_name argument, enter the identifier of an existing policy map that is currently in service (applied to an interface). For example, to clear the statistics for the policy map REMOTE_MGMT_ALLOW_POLICY that is currently in service, enter:
host1/Admin# clear service-policy REMOTE_MGMT_ALLOW_POLICY
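The rules spread over this section can be checked end to end with a small model: match-all versus match-any from Creating and Configuring a Remote Management Class Map, the dotted-decimal source mask from Defining Remote Network Management Protocol Match Criteria, first-match ordering and class-default from Creating a Layer 3 and Layer 4 Remote Access Policy Map, permit and deny from Defining Management Traffic Policy Actions, and the interface-over-global precedence noted under Applying a Service Policy. The following Python is an added example, not code from the Cisco guide or from the ACE software. The class and policy names and the 172.16.10.0 / 255.255.255.254 source range are taken from the chapter's examples; the 10.0.0.9 client address is constructed. Two behaviours are assumptions of the model, flagged in the code: traffic that matches no class is treated as denied, and an interface policy with no matching class falls back to the context-global policy.

```python
# Added example (not from the Cisco guide): a model of how the ACE evaluates
# a type-management class map, policy map and service policy for one inbound
# management connection. Assumptions, not statements from the guide: traffic
# that matches no class is denied, and an interface policy with no matching
# class falls back to the context-global policy.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Match:
    """One 'match protocol <proto> {any | source-address ip mask}' line."""
    protocol: str                  # ssh | telnet | icmp | http | https | snmp
    source: Optional[str] = None   # "ip mask" in dotted decimal; None means any

    def hits(self, protocol: str, src: str) -> bool:
        if protocol != self.protocol:
            return False
        if self.source is None:
            return True
        ip, mask = self.source.split()
        # ipaddress accepts an (address, dotted-mask) tuple; strict=False lets
        # a non-aligned address be masked the way the CLI does.
        return IPv4Address(src) in IPv4Network((ip, mask), strict=False)


@dataclass
class ClassMap:
    """'class-map type management [match-all | match-any] <name>'."""
    name: str
    matches: List[Match]
    match_all: bool = True         # match-all is the default

    def hits(self, protocol: str, src: str) -> bool:
        if self.name == "class-default":
            return True            # class-default has an implicit 'match any'
        combine = all if self.match_all else any
        return combine(m.hits(protocol, src) for m in self.matches)


@dataclass
class PolicyMap:
    """'policy-map type management first-match <name>' with ordered classes."""
    name: str
    entries: List[Tuple[ClassMap, str]]   # (class, "permit" | "deny") in order

    def decide(self, protocol: str, src: str) -> Tuple[str, Optional[str]]:
        for cmap, action in self.entries:  # first matching class wins
            if cmap.hits(protocol, src):
                return action, cmap.name
        return "deny", None                # assumption: no match -> not accepted


def evaluate(protocol: str, src: str, interface_policy: Optional[PolicyMap] = None,
             global_policy: Optional[PolicyMap] = None) -> Tuple[str, str]:
    """Interface service policy first, then the context-global one."""
    if interface_policy is not None:
        action, cls = interface_policy.decide(protocol, src)
        if cls is not None:
            return action, f"{interface_policy.name}/{cls}"
    if global_policy is not None:
        action, cls = global_policy.decide(protocol, src)
        return action, f"{global_policy.name}/{cls or 'no-match'}"
    return "deny", "no-policy"


# Constructed configuration mirroring the chapter's examples.
SSH_ALLOW = ClassMap("SSH-ALLOW_CLASS", [Match("ssh", "172.16.10.0 255.255.255.254")])
TELNET_ALLOW = ClassMap("TELNET-ALLOW_CLASS",
                        [Match("telnet", "172.16.10.0 255.255.255.254")])
ICMP_ALLOW = ClassMap("ICMP-ALLOW_CLASS", [Match("icmp")])   # any source
REMOTE_MGMT_ALLOW_POLICY = PolicyMap("REMOTE_MGMT_ALLOW_POLICY", [
    (SSH_ALLOW, "permit"), (TELNET_ALLOW, "permit"), (ICMP_ALLOW, "permit")])
ICMP_RESTRICT_POLICY = PolicyMap("ICMP_RESTRICT_POLICY", [(ICMP_ALLOW, "deny")])


def combined_class(match_all: bool) -> bool:
    """Does one class listing both ssh and telnet accept an SSH connection?"""
    c = ClassMap("SSH-TELNET_ALLOW_CLASS",
                 [Match("ssh", "172.16.10.0 255.255.255.254"),
                  Match("telnet", "172.16.10.0 255.255.255.254")], match_all)
    return c.hits("ssh", "172.16.10.0")


def demo() -> dict:
    """Decisions for a few inbound management connections."""
    g = REMOTE_MGMT_ALLOW_POLICY
    return {
        # 255.255.255.254 is a /31: only 172.16.10.0 and .1 are permitted
        "ssh_from_.1": evaluate("ssh", "172.16.10.1", global_policy=g),
        "ssh_from_.2": evaluate("ssh", "172.16.10.2", global_policy=g),
        "telnet_from_.0": evaluate("telnet", "172.16.10.0", global_policy=g),
        # the interface policy denies ICMP, overriding the global permit
        "icmp_on_vlan50": evaluate("icmp", "10.0.0.9", ICMP_RESTRICT_POLICY, g),
        # the interface policy has no SSH class, so the global policy decides
        "ssh_on_vlan50": evaluate("ssh", "172.16.10.0", ICMP_RESTRICT_POLICY, g),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} -> {decision}")
```

Running the block prints the decisions returned by demo(). Two points stand out: the 255.255.255.254 mask used throughout the chapter admits only 172.16.10.0 and 172.16.10.1, so an SSH connection from 172.16.10.2 is refused; and combined_class() shows that, taken literally, a match-all class listing both ssh and telnet can never match a single connection (one connection uses one protocol), whereas match-any does, which is why the quick start keeps one class per protocol. Confirm that reading against your ACE software before relying on a combined class.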

Configuring Telnet Management Sessions


The ACE supports the following maximum number of concurrent Telnet management sessions:

- Four concurrent Telnet management sessions for each user context
- Sixteen concurrent Telnet management sessions for the Admin context

Use the telnet maxsessions command in configuration mode to control the maximum number of Telnet sessions allowed for each context. The ACE supports a total maximum of 256 concurrent Telnet sessions. Telnet remote access sessions are established on the ACE on a per context basis. You can create a context, assign an interface and IP address to it, and then log in to the ACE by Telneting to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.

Telnet carries the login credentials and the entire session in cleartext. Permit it only from the management hosts named in the class map, or leave it out of the remote access policy altogether and use SSH.

The syntax of this command is:

telnet maxsessions max_sessions

The max_sessions argument sets the maximum number of concurrent Telnet sessions allowed for the associated context. The range is 1 to 4 Telnet sessions per user context and 1 to 16 Telnet sessions for the Admin context. The defaults are 4 (user context) and 16 (Admin context). For example, to configure the maximum number of concurrent Telnet sessions to 3 in the Admin context, enter:
host1/Admin(config)# telnet maxsessions 3

To revert to the default of 16 Telnet sessions for the Admin context, enter:
host1/Admin(config)# no telnet maxsessions


Configuring SSH Management Sessions


This section includes the following topics:

- Configuring Maximum Number of SSH Sessions
- Generating SSH Host Key Pairs

SSH remote access sessions are established on the ACE on a per context basis. You can create a context, assign an interface and IP address to it, and then log in to the ACE by opening an SSH session to that IP address. This capability allows you to specify a particular context when accessing the ACE. For details on creating users and contexts, refer to the Cisco Application Control Engine Module Virtualization Configuration Guide.

Configuring Maximum Number of SSH Sessions


The ACE supports the following maximum number of concurrent SSH management sessions:

- Four concurrent SSH management sessions for each user context
- Sixteen concurrent SSH management sessions for the Admin context

Use the ssh maxsessions command in configuration mode to control the maximum number of SSH sessions allowed for each context. The ACE supports a total maximum of 256 concurrent SSH sessions. The syntax of this command is:

ssh maxsessions max_sessions

The max_sessions argument sets the maximum number of concurrent SSH sessions allowed for the associated context. The range is 1 to 4 SSH sessions per user context and 1 to 16 SSH sessions for the Admin context. The defaults are 4 (user context) and 16 (Admin context). For example, to configure the maximum number of concurrent SSH sessions in the Admin context to 3, enter:
host1/Admin(config)# ssh maxsessions 3

To revert to the default of 16 SSH sessions for the Admin context, enter:
host1/Admin(config)# no ssh maxsessions


Generating SSH Host Key Pairs


The ACE supports remote login over an SSH session that uses private and public key pairs to perform authentication for the context. DSA and RSA keys are generated in pairsone public key and one private key. With this method of remote connection, use a generated private and public key pair to participate in a secure communication by encrypting and decrypting messages. The global administrator performs the key generation in the Admin context. All contexts associated with the ACE share the common key. There is only a single host-key pair.

Note

If you are the administrator or another user authorized in the Admin context, use the changeto command in Exec mode to move to the Admin context. An administrator can perform all allowable functions within the Admin context.

Ensure that you have an SSH host key pair with the appropriate version before enabling the SSH service. The SSH service accepts three types of key pairs for use by SSH versions 1 and 2. Generate the SSH host key pair according to the SSH client version used. The number of bits specified for each key pair ranges from 768 to 4096. Use the ssh key command in configuration mode to generate the SSH private key and the corresponding public key for use by the SSH server. The syntax of this command is:

ssh key {dsa | rsa | rsa1} [bits [force]]

The arguments, keywords, and options are:

• dsa: Generates the DSA key pair for the SSH version 2 protocol.
• rsa: Generates the RSA key pair for the SSH version 2 protocol.
• rsa1: Generates the RSA1 key pair for the SSH version 1 protocol.
• bits: (Optional) Specifies the number of bits for the key pair. For DSA, the range is from 768 to 2048. For RSA and RSA1, the range is from 768 to 4096. The greater the number of bits you specify, the longer it takes to generate the key. The default is 768.
• force: (Optional) Forces the generation of a DSA or RSA key even when previous keys exist. If the SSH key pair is already generated for the required version, use the force option to overwrite the previously generated key pair.

Before you generate the key, set the host name and the domain name. These two settings are used in the key. Refer to Chapter 1, Setting Up the ACE, for details on setting a hostname and to the Cisco Application Control Engine Module Virtualization Configuration Guide for details on configuring a domain. For example, to generate an RSA1 key pair in the Admin context, enter:
host1/Admin(config)# ssh key rsa1 1024
generating rsa1 key .....
generated rsa1 key

To remove the SSH host key pair, enter:


host1/Admin(config)# no ssh key rsa1

To clear the public keys of all trusted hosts, use the clear ssh hosts command in Exec mode. These keys are either sent to an SSH client by an SSH server or are entered manually: when an SSH connection is made from the ACE, the SSH client on the ACE receives the server's public key and stores it locally.


Terminating an Active User Session


To terminate an active SSH or Telnet session for the active context, use one of the following commands in Exec mode:

clear ssh {session_id | hosts}
clear telnet {session_id}

The arguments, keywords, and options are:

• session_id: Specifies the identifier of the SSH or Telnet session to disconnect. You can obtain the specific session_id value using either the show ssh session-info command or the show telnet command in Exec mode. See the Directly Accessing a User Context Through SSH section for details.
• hosts: Clears the list of trusted SSH hosts from the ACE configuration.

For example, to terminate an SSH session, enter:


host1/Admin# clear ssh 345

Enabling ICMP Messages To the ACE


By default, the ACE does not allow ICMP messages to be received by an ACE interface or to pass through the ACE interface. ICMP is an important tool for testing your network connectivity; however, it can also be used to attack the ACE or your network. We recommend allowing ICMP during your initial testing, but then disallowing it during normal operation. To permit or deny ICMP messages between specific addresses and an ACE interface, either from a host to the ACE or from the ACE to a host (which requires the ICMP reply to be allowed back), configure the following:

• A class map to provide the ICMP network traffic match criteria for the ACE.
• A policy map to enable ICMP network management access to and from the ACE.
• A service policy to activate the policy map, attach the traffic policy to an interface or globally to all interfaces, and specify the direction in which the policy is applied.


See the Configuring Remote Network Management Traffic Services section for details on configuring a network management class map, policy map, and service policy for the ACE. To allow ICMP messages to pass through the ACE, configure an ICMP ACL to permit or deny network connections based on the ICMP type (for example, echo, echo-reply, unreachable). Refer to the Cisco Application Control Engine Module Security Configuration Guide for details.

Note

If you only want to allow the ACE to ping a host (and allow the echo reply back to the interface), but not allow hosts to ping the ACE, enable the ICMP application protocol inspection function instead of defining a class map and policy map. Refer to the Cisco Application Control Engine Module Security Configuration Guide for details.

For example, to allow the ACE to receive ICMP pings, enter the following commands:

host1/Admin(config)# class-map type management match-all ICMP-ALLOW_CLASS
host1/Admin(config-cmap-mgmt)# description Allow ICMP packets
host1/Admin(config-cmap-mgmt)# match protocol icmp source-address 172.16.10.0 255.255.255.254
host1/Admin(config-cmap-mgmt)# exit
host1/Admin(config)# policy-map type management first-match ICMP_ALLOW_POLICY
host1/Admin(config-pmap-mgmt)# class ICMP-ALLOW_CLASS
host1/Admin(config-pmap-mgmt-c)# permit
host1/Admin(config-pmap-mgmt-c)# exit
host1/Admin(config-pmap-mgmt)# exit
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# ip address 172.16.1.100 255.255.0.0
host1/Admin(config-if)# service-policy input ICMP_ALLOW_POLICY


Directly Accessing a User Context Through SSH


As the global administrator, from the Admin context you can configure a user context and enable direct login access to that user context from a remote SSH session. The following steps summarize how to configure the ACE to provide direct access to a user context from SSH:

1. Create a user context (refer to the Cisco Application Control Engine Module Virtualization Configuration Guide).

host1/Admin(config)# context C1
host1/Admin(config-context)#

2. Associate an existing VLAN with the user context so that the context can receive traffic classified for it (refer to the Cisco Application Control Engine Module Routing and Bridging Configuration Guide).

host1/Admin(config-context)# allocate-interface vlan 100

3. Generate the SSH host key pair (see the Generating SSH Host Key Pairs section).

host1/Admin(config-context)# ssh key rsa1 1024
generating rsa1 key .....
generated rsa1 key

4. In the Admin context, use the changeto command in Exec mode or the do changeto command in configuration mode to change to the C1 context that you created in step 1, and enter global configuration mode in that context. Only users authenticated in the Admin context can use the changeto command.

host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#

5. Configure the VLAN interface that you allocated to the user context in step 2. For example, assign an IP address to the interface and re-enable the interface within the context with the no shutdown command. Refer to the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.

host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# no shutdown
host1/C1(config-if)# exit
host1/C1(config)#

6. Create an SSH remote management policy and apply the associated service policy to all VLAN interfaces or just to the VLAN interface allocated to the user context (see the Configuring Remote Network Management Traffic Services section).

host1/C1(config)# class-map type management match-all SSH-ALLOW_CLASS
host1/C1(config-cmap-mgmt)# match protocol ssh source-address 172.16.10.0 255.255.255.254
host1/C1(config-cmap-mgmt)# exit
host1/C1(config)# policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-pmap-mgmt)# class SSH-ALLOW_CLASS
host1/C1(config-pmap-mgmt-c)# permit
host1/C1(config-pmap-mgmt-c)# exit
host1/C1(config-pmap-mgmt)# exit
host1/C1(config)# interface vlan 50
host1/C1(config-if)# ip address 192.168.1.1 255.255.255.0
host1/C1(config-if)# service-policy input REMOTE_MGMT_ALLOW_POLICY
host1/C1(config-if)# exit
host1/C1(config)#

7. Create an IP route (refer to the Cisco Application Control Engine Module Security Configuration Guide).

host1/C1(config)# ip route 0.0.0.0 0.0.0.0 192.168.4.8

To directly access the user context from an SSH client:

1. From the SSH client, establish a remote SSH session to the IP address of the user context VLAN interface.

2. Enter the password for the user context VLAN interface. The ACE CLI prompt appears in Exec mode of the user context.

host1/C1#


Viewing Session Information


This section includes the following procedures:

• Showing Telnet Session Information
• Showing SSH Session Information

Showing Telnet Session Information


Use the show telnet command in Exec mode to display information related to the Telnet session. Only the context administrator can view Telnet information associated with a particular context. The syntax of this command is:

show telnet [context_name]

The optional context_name argument specifies the name of the context for which you want to view specific Telnet session information. The context_name argument is case-sensitive. For example, enter:
host1/Admin# show telnet

Table 2-2 describes the fields in the show telnet command output.

Table 2-2 Field Descriptions for show telnet Command

Field          Description
SessionID      Unique session identifier for the Telnet session
Remote Host    IP address and port of the remote Telnet client
Active Time    Time since the Telnet connection request was received by the ACE


Use the show telnet maxsessions command in Exec mode to display the maximum number of enabled Telnet sessions. Only context administrators can view Telnet session information associated with a particular context. The syntax of this command is:

show telnet maxsessions [context_name]

The optional context_name argument specifies the name of the context for which you want to view the maximum number of Telnet sessions. The context_name argument is case-sensitive. For example, enter:

host1/Admin# show telnet maxsessions
Maximum Sessions Allowed is 4

Showing SSH Session Information


This section contains the following procedures:

• Showing SSH Session Information
• Showing SSH Key Details

Showing SSH Session Information


Use the show ssh session-info command in Exec mode to display information related to the SSH session. Only context administrators can view SSH session information associated with a particular context. The syntax of this command is:

show ssh session-info [context_name]

The optional context_name argument specifies the name of the context for which you want to view specific SSH session information. The context_name argument is case-sensitive. For example, enter:

host1/Admin# show ssh session-info

Table 2-3 describes the fields in the show ssh session-info command output.

Table 2-3 Field Descriptions for show ssh session-info Command

Field          Description
SessionID      Unique session identifier for the SSH session.
Remote Host    IP address and port of the remote SSH client.
Active Time    Time since the SSH connection request was received by the ACE.

Use the show ssh maxsessions command in Exec mode to display the maximum number of enabled SSH sessions. Only context administrators can view SSH session information associated with a particular context. The syntax of this command is:

show ssh maxsessions [context_name]

The optional context_name argument specifies the name of the context for which you want to view the maximum number of SSH sessions. The context_name argument is case-sensitive. For example, enter:

host1/Admin# show ssh maxsessions
Maximum Sessions Allowed is 4(SSH Server is enabled)

Showing SSH Key Details


Use the show ssh key command in Exec mode to display the host key pair details for the specified key, or for all keys if you do not specify a key. The syntax of this command is:

show ssh key [dsa | rsa | rsa1]

The arguments, keywords, and options are:

• dsa: Specifies the DSA key pair for the SSH version 2 protocol.
• rsa: Specifies the RSA key pair for the SSH version 2 protocol.
• rsa1: Specifies the RSA1 key pair for the SSH version 1 protocol.

For example, enter:


host1/Admin# show ssh key
**************************************
could not retrieve rsa1 key information
**************************************
rsa Keys generated:Tue Mar 7 19:37:17 2006
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4v4DQ8aNl482qDTRju9G07hEIxCgTWanPm+WOCU1kihZ
QNd5ZwA50CBAJSfIIIB4iED6iQbhOkbXSneCvTb5mVoish2wvJrETpIDIeGxxh/jWVsU/MeBbA/7o5tv
gCeT6p7pGF5oUNYFP0OeZ9BiIWDc4jBmYEQLEqJHPrMhSFE=
bitcount:1024
fingerprint: f5:55:00:18:bc:af:41:74:b6:bc:aa:8e:46:31:74:4f
**************************************
dsa Keys generated:Tue Dec 20 19:37:17 2005
ssh-dss AAAAB3NzaC1kc3MAAACBAPqDdEqU+0gNtKRXM+DQAXnvcB+H89nq8jA4WgJ7uQcuDCLaG7Lq
jtKTltJjA6aZVywsQWQ6n4kTlkavZy3cj6PUbSyqvmCTsaYyYo4UQ6CKrK9V+NsfgzTSLWTH8iDUvYjL
c3nU51QEKjy7mPsQeX31y1M1rhp8qhkbMKxkc49XAAAAFQCPM0QJrq6+kkaghJpeNxeXhUH9HwAAAIEA
keZ1ZJM6sfKqJDYPLHkTro+lpbV9uR4VyYoZmSoehi/LmSaZDq+Mc8UN1LM+i5vkOgnKcearD9lM4/hK
zZGYx5hJOiYCKj/ny2a5p/8HK152cnsOAg6ebkiTTWAprcWrcHDS/1mcaI5GzLrZCdlXW5gBFZtMTJGs
tICmVWjibewAAACBAJQ66zdZQqYiCWtZfmakridEGDTLV6ixIDjBNgb84qlj+Y1XMzqLL0D4oMSb7idE
L3BmhQYQW7hkTK0oS4kVawI1VmW2kvrqoGQnLNQRMvisAXuJWKk1Ln6vWPGZZe8KoALv0GXxsOv2gk/z
TDk01oCaTVw//bXJtoVRgIlWXLIP
bitcount:1024
fingerprint: 8e:13:5c:3e:1a:9c:7a:ed:d0:84:eb:96:12:db:82:be
**************************************
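The bitcount and fingerprint lines in the listing above are derived from the ssh-rsa key line that precedes them, and the fingerprint is what an SSH client displays when it first connects to the ACE, so an operator can compare the two before trusting the host. The following added Python example (not Cisco code) recomputes both values from a key line; it assumes the blob is RFC 4253 ssh-rsa wire format and that the fingerprint is MD5 over that blob in colon-hex form, and its sample key is a constructed toy modulus rather than a generated key.

```python
import base64
import hashlib
import struct


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _read_string(blob, offset):
    """Return one length-prefixed SSH string and the offset just after it."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def build_rsa_key_line(e, n):
    """Build the 'ssh-rsa <base64>' line the ACE prints under 'rsa Keys'."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def parse_key_line(text):
    """Parse an ssh-rsa line, even when the listing wrapped it over several
    rows; fingerprint is assumed to be MD5 of the decoded blob (colon-hex)."""
    key_type, rest = text.split(None, 1)
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa lines are handled in this example")
    blob = base64.b64decode("".join(rest.split()))   # drop wrap whitespace
    name, off = _read_string(blob, 0)
    if name != b"ssh-rsa":
        raise ValueError("blob type does not match the line's key type")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    modulus = int.from_bytes(n_raw, "big")
    digest = hashlib.md5(blob).hexdigest()
    return {
        "type": key_type,
        "exponent": int.from_bytes(e_raw, "big"),
        "modulus": modulus,
        "bitcount": modulus.bit_length(),
        "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
    }


def listing_is_consistent(text, bitcount, fingerprint):
    """True when the printed bitcount and fingerprint agree with the key line."""
    info = parse_key_line(text)
    return info["bitcount"] == bitcount and info["fingerprint"] == fingerprint.lower()


SAMPLE_E = 65537                        # constructed sample, not a real key
SAMPLE_N = (1 << 1023) | 0x1234567      # 1024-bit toy modulus
SAMPLE_LINE = build_rsa_key_line(SAMPLE_E, SAMPLE_N)
```

Paste the ssh-rsa rows from your own listing (joined or as printed) into parse_key_line and compare the returned fingerprint with the one the ACE prints and with the one your SSH client shows on first connection.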
