topic Re: SSH to a specific host IP in Network Security

SSH to a specific host IP

kirm — Sat, 26 Dec 2020 18:01:54 GMT

Hi all,

I'm trying to limit SSH access to my router.

Router IP is 192.168.1.254

My access list for SSH:

ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log

line vty 0 4
access-class SSH_Access_Control in

If it matters, I'm using aaa.

The above works.

In the ACL I remove this:

permit tcp 192.168.1.0 0.0.0.255 any eq 22

and add this:

permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22

Annnndddddd...I'm locked out of the router. Console time for me.

I'm permitting any IP in the subnet to connect to this specific router ON this specific router.

Anyone know why this doesn't work?

Thanks,

Re: SSH to a specific host IP

Rob Ingram — Sat, 26 Dec 2020 18:41:00 GMT

Hi @kirm

Refer to the previous post, VTY lines have no IP address:-

https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772

Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet

If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.

HTH

Re: SSH to a specific host IP

kirm — Sun, 27 Dec 2020 03:17:18 GMT

Like it says here?:

"VTY lines have no IP address so what's the benefit to include the destination?"

Very good and thank you. I've marked your answer as the accepted solution.

Re: SSH to a specific host IP

johnlloyd_13 — Wed, 30 Dec 2020 12:19:34 GMT

hi,

common practice is to use standard ACL based on allowed source IP (management subnet/NMS).

ip access-list standard SSH_Access_Control
permit 192.168.1.0 0.0.0.255
deny any log