
Simple SSH Access-List Question

Thomas Reiling
Level 1

I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.

Thank you,

Thomas Reiling

1 Accepted Solution

Accepted Solutions

bmcginn
Level 3

Hi there,

If using ssh make sure you have a domain name, host name and a generated rsa key.  Assuming you've done that, the following ACL and line vty command will do the trick.  Note that the 1-50 host list is not on a subnet barrier.

To get it exactly:

access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log

It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.

access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log

Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.

line vty 0 4
 access-class 1 in
 transport input ssh
 password blahblah

That ought to do it.

Good luck!

Brad

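A way to check what a standard ACL like the ones above actually permits, as an added example that is not part of Brad's reply or of any Cisco tooling: the Python script below (an assumption of this example, for offline verification) computes the aligned wildcard-mask blocks for an arbitrary address range and evaluates both posted ACLs host by host. It assumes the first-match, implicit-deny semantics of an IOS standard numbered ACL, and it shows that the "exact" ACL admits .0 through .50 (the .0 network address rides along because the first block starts at .0) while the boundary version admits .0 through .63.

```python
import ipaddress

# The two ACLs posted in the accepted answer, embedded here for checking.
EXACT_ACL = """\
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
"""

BOUNDARY_ACL = """\
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
"""


def range_to_wildcard_entries(first, last):
    """Split an inclusive IPv4 range into the fewest aligned power-of-two blocks,
    returned as (network, wildcard) string pairs for an IOS standard ACL."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    entries = []
    while start <= end:
        size = 1
        # Grow the block while it stays aligned to its own size and inside the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(start)),
                        str(ipaddress.IPv4Address(size - 1))))
        start += size
    return entries


def render_acl(number, entries, remark="ALLOW MANAGEMENT"):
    """Emit IOS standard ACL text with an explicit logged deny at the end."""
    lines = [f"access-list {number} remark {remark}"]
    for net, wc in entries:
        if wc == "0.0.0.0":
            lines.append(f"access-list {number} permit host {net}")
        else:
            lines.append(f"access-list {number} permit {net} {wc}")
    lines.append(f"access-list {number} deny any log")
    return "\n".join(lines)


def parse_standard_acl(text):
    """Return [(action, network_int, wildcard_int), ...] from standard ACL lines.
    Remarks are skipped; 'host X', bare 'X' and 'any' are expanded; a trailing
    'log' keyword is ignored."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wc = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            has_wc = len(rest) > 1 and rest[1] != "log"
            wc = int(ipaddress.IPv4Address(rest[1])) if has_wc else 0
        rules.append((action, net, wc))
    return rules


def acl_decision(rules, addr):
    """First matching entry wins; IOS appends an implicit deny to every ACL."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wc in rules:
        if (a & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF):
            return action
    return "deny"


def permitted_last_octets(acl_text, prefix="192.168.200."):
    """Last octets within the /24 that the ACL permits, in ascending order."""
    rules = parse_standard_acl(acl_text)
    return sorted(i for i in range(256)
                  if acl_decision(rules, f"{prefix}{i}") == "permit")


if __name__ == "__main__":
    print("exact ACL permits:", permitted_last_octets(EXACT_ACL))
    print("boundary ACL permits:", permitted_last_octets(BOUNDARY_ACL))
    # An ACL that admits only .1-.50, with no network address included.
    print(render_acl(1, range_to_wildcard_entries("192.168.200.1", "192.168.200.50")))
```

Running it lists exactly which management hosts each ACL admits, which is the check worth doing before putting an access-class on the vty lines: the boundary version trades thirteen extra addresses (.51-.63) for a one-line ACL, and the generated .1-.50 version needs eight entries because .1 is not on an aligned boundary.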

3 Replies


Thanks a lot!

Thomas

Thomas,

You're welcome.

Brad