https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990447#M925084 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Can someone please help me understand this access list for the VTY lines? Previous network engineer has this in our switches on the VTY lines, the part I don't quite understand is the host 0.0.0.0?&nbsp; It's been working and then a few of our switches rebooted then we were not able to SSH in and I had to remove the host 0.0.0.0 and add in "any" but not sure why?</P><P>&nbsp;</P><P>10 permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log-input</P><P>&nbsp;</P><P>Thanks!</P> Fri, 21 Feb 2020 17:43:54 GMT Eddie Sardinha 2020-02-21T17:43:54Z https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990447#M925084 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Can someone please help me understand this access list for the VTY lines? Previous network engineer has this in our switches on the VTY lines, the part I don't quite understand is the host 0.0.0.0?&nbsp; It's been working and then a few of our switches rebooted then we were not able to SSH in and I had to remove the host 0.0.0.0 and add in "any" but not sure why?</P><P>&nbsp;</P><P>10 permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log-input</P><P>&nbsp;</P><P>Thanks!</P> Fri, 21 Feb 2020 17:43:54 GMT https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990447#M925084 Eddie Sardinha 2020-02-21T17:43:54Z https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990507#M925099 <P>Hi!</P><P>Using the "host 0.0.0.0" as destination in that matter makes absolutely no sense there.</P><P>The old ACL would have allowed TCP/22 sourcing from 192.168.x.x/24 towards 0.0.0.0/32.</P><P>Now with your new ACL you are allowing the traffic towards any destination, which makes the SSH connection work.</P><P>Instead of <STRONG>any</STRONG> you could also do "<STRONG>host &lt;IP of the Switch&gt;</STRONG>" - but then you would have to modify it for every device..</P><P>Be sure to read through the following document to fully understand ACLs:<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html</A></P><P>Here you also find the following:</P><P><U><FONT size="3"><EM>A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as <STRONG>any</STRONG>. The wildcard can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.</EM> </FONT></U></P><P>That sentence also states that "host 0.0.0.0" makes no sense since it would kind of block everything.</P><P>I hope this helps you.</P><P>Best regards<BR />Julian</P> Thu, 28 Nov 2019 01:22:51 GMT https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990507#M925099 julian.bendix 2019-11-28T01:22:51Z https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990522#M925112 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/260726">@Eddie Sardinha</a>&nbsp;</P><P>&nbsp;</P><P>The ACE indicates that packets with source 192.168.0.0 and with destination the default network, through port 22 will be allowed.<BR />When changing the destination to any, the packets that reach the vty lines with any destination, through port 22 will be allowed.</P><P><BR />You must be clear about what you are looking for with the ACL.<BR />My recommendation is that the source of the allowed packets is not so wide, moreover, it should be only a very limited range of IPs, as that will contribute to the security of your network.</P><P>&nbsp;</P><P>Regards</P> Thu, 28 Nov 2019 02:30:12 GMT https://community.cisco.com/t5/network-security/access-list-for-ssh-vty-lines/m-p/3990522#M925112 luis_cordova 2019-11-28T02:30:12Z