03-21-2024 07:57 AM
I have cut at this multiple times and have not been able to work it, so any help would be greatly appreciated.
I have a 3650 with one interface connected to our ISP's router and another interface connected to our UTM and the internal network. I want to be able to make an SSH connection to the switch, but only from a single host on the internal network, blocking all other connections, whether external or internal. I have created this ACL and applied it to vty 0 4 and vty 5 15:
ip access-list extended manage-SSH
permit tcp 192.168.x.x 0.0.255.255 any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet
However, it does not seem to be working. I still get authentication attempts from external probers:
*Mar 21 09:24:33.906: %SEC_LOGIN-1-QUIET_MODE_ON: Still time left for watching failures is 0 secs, [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] [ACL: manage-SSH] at 09:24:33 UTC Thu Mar 21 2024
Can anyone see what I am doing wrong?
03-21-2024 08:03 AM
Can you apply an ACL to the ISP interface that denies TCP traffic to port 22 and allows other traffic?
MHM
03-25-2024 06:23 AM
Thanks! This proves to be the most efficient and effective way of accomplishing what I need to accomplish.
03-21-2024 08:04 AM
Hello @hbell ,
The access-list is wrong. It should be as follows if only from one IP is permitted:
ip access-list extended manage-SSH
permit tcp 192.168.x.x 0.0.0.0 any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet
line vty 0 4
access-class manage-SSH in
Hope this helps.
03-21-2024 08:42 AM - edited 03-21-2024 08:44 AM
Hello @hbell
Since you need to permit one host, use the 'host' command on your permit rule:
ip access-list extended manage-SSH
permit tcp host 192.168.x.x any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet
Apply this named extended ACL on VTY in inbound.
Please re-test.
03-21-2024 09:39 AM
Hello,
Since all access lists have an implicit 'deny all' at the end, all you really need is this:
ip access-list extended SSH_ACCESS
permit tcp host <internal_host_IP> any eq 22
line vty 0 15
access-class SSH_ACCESS in
transport input ssh
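To make the wildcard-mask point from the replies above concrete, here is an added Python model (not from the thread or from Cisco IOS) of how an access-class ACL is evaluated: a source address matches an entry when every bit not set in the wildcard mask is equal, entries are tried in order, and an unmatched packet hits the implicit deny. The addresses, the management host 192.168.10.5 and the external prober 203.0.113.9, are constructed stand-ins for the x.x values in the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ssh": 22, "www": 80, "telnet": 23}

@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    src: int                 # source address as a 32-bit integer
    wildcard: int            # Cisco wildcard mask: set bits are "don't care"
    dst_port: Optional[int]  # None means any port

def parse_entry(line: str) -> AclEntry:
    """Parse the ACE syntax used in this thread:
    '<permit|deny> tcp <host A.B.C.D | A.B.C.D W.X.Y.Z | any> any [eq <port>]'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    if proto != "tcp":
        raise ValueError("only tcp entries are modelled here")
    if tok[i] == "host":                       # single host: wildcard 0.0.0.0
        src, wc, i = int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    elif tok[i] == "any":                      # any source: wildcard 255.255.255.255
        src, wc, i = 0, 0xFFFFFFFF, i + 1
    else:                                      # explicit address + wildcard mask
        src = int(ipaddress.IPv4Address(tok[i]))
        wc = int(ipaddress.IPv4Address(tok[i + 1]))
        i += 2
    if tok[i] != "any":                        # destination is the switch itself
        raise ValueError("destination must be 'any' for this model")
    i += 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return AclEntry(action, src, wc, port)

def evaluate(acl: List[str], src_ip: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for a connection from src_ip to dst_port."""
    src = int(ipaddress.IPv4Address(src_ip))
    for e in map(parse_entry, acl):
        care = ~e.wildcard & 0xFFFFFFFF        # bits that must match exactly
        if (src & care) == (e.src & care) and e.dst_port in (None, dst_port):
            return e.action
    return "deny"                              # implicit deny at the end of every ACL

# Constructed sample: the original poster's ACL versus the 'host' form from the replies.
ORIGINAL = ["permit tcp 192.168.10.5 0.0.255.255 any eq 22", "deny tcp any any eq 22",
            "deny tcp any any eq www", "deny tcp any any eq telnet"]
FIXED = ["permit tcp host 192.168.10.5 any eq 22"]
```

With ORIGINAL, the 0.0.255.255 wildcard lets any 192.168.0.0/16 address in on port 22, which is why the permit does not restrict access to one host; FIXED matches only 192.168.10.5 and relies on the implicit deny for everything else.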
03-22-2024 05:57 AM
>>> *Mar 21 09:24:33.906: %SEC_LOGIN-1-QUIET_MODE_ON: Still time left for watching failures is 0 secs, [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] [ACL: manage-SSH] at 09:24:33 UTC Thu Mar 21 2024 <<<
The ACL manage-SSH on the VTY lines does not prevent probes from being made, but it makes sure they cannot be completed.
If you do not want this logged, you may add an explicit deny statement in the ACL with the "nolog" keyword.
Alternatively, you can define an ACL applied to the ISP lines (not the VTY) that blocks SSH traffic to the outside IP of the device.