06-11-2013 04:44 AM
Hi,
I want to create an access-list that will allow any host to SSH to the management address of a switch, but only the
management address. Does this look like a clean way to do this?
ip access-list extended SSH_ACCESS
permit udp Management VLAN ip any eq 22
permit tcp Management VLAN ip any eq 22
deny udp any other switch ips eq 22
deny tcp any other switch ips eq 22
permit ip any any
!
line vty 0 15
ip access-group SSH_ACCESS
Thank you, Pat.
06-11-2013 05:33 AM
hi,
ip access-list standard SSH_ACCESS
permit IP_add or Subnet wild_card_mask(for subnets)
permit IP_add or subnet
...
...
...
line vty 0 15
access-class SSH_ACCESS in
transport input ssh
thanks
06-11-2013 05:39 AM
Thanks Parvinder - definitely cleaner. I'll try it.
06-11-2013 05:51 AM
Parvinder -
It doesn't seem to work. Does this look correct?
Thank you
ip access-list extended SSH_ACCESS
permit ip any host 172.16.1.137
!
line vty 0 15
access-class SSH_ACCESS in
length 0
transport input ssh
!
06-11-2013 06:07 AM
Use a standard ACL.
ip access-list standard SSH_ACCESS
permit host yourLaptop_ip
permit NOC_VLAN_Subnet
!
!
line vty 0 15
access-class SSH_ACCESS in
length 0
transport input ssh telnet
!
06-11-2013 06:27 AM
Thank you for response
This is what I am trying to accomplish:
I want to allow any device to SSH to the switch/router, but I want to limit what address they can SSH to on the switch/router. Does that make sense? I only want the switch/router to be accessed through the Management VLAN interface.
Thank you
06-11-2013 06:34 AM
This link will help you
http://blog.ioshints.info/2006/12/vty-access-class-accepts-extended-and.html
06-11-2013 06:42 AM
Hi Patrick,
Can you please share the running configuration?
Yes, it makes sense that you want to secure the remote login connections on the network devices by allowing the management VLAN only.
The standard practice is to configure a standard IP access list (for filtering source IPs) and put it on the vty line with the access-class command.
thanks
06-11-2013 07:48 AM
Yes, but I want to allow any subnet to SSH to the device and only allow it to be accessed through the management interface. I think blocking the source can be too restrictive during troubleshooting times.
Thank you
06-11-2013 06:49 AM
You can't match the extended ACL using the management interface IP.
10 permit tcp any host 192.168.10.10 eq telnet log
20 permit tcp any any eq telnet log (2 matches)
192.168.10.10 is the management interface of the router/switch.
The ACL is matching seq number 20:
%SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp 10.0.0.2(17832) -> 0.0.0.0(23), 1 packet
06-11-2013 07:45 AM
Seems odd. Why not?
Thank you
06-11-2013 09:20 AM
Hi,
In IOS version 12.4 it only works like that. Can anyone try this in IOS version 15?
R2#
R2#sh ip int br | i up
FastEthernet0/0 192.168.10.2 YES manual up up
R2#
R2#
R2#telnet 192.168.10.1 /so fa0/0
Trying 192.168.10.1 ... Open
R1#
R1#
R1#sh ip access-list 100
Extended IP access list 100
10 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet log
20 permit tcp host 192.168.10.2 any eq telnet log (8 matches)
30 permit tcp any any eq telnet log
R1#
R1#
R1#
R1#sh ver | i Version
Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
R1#
06-30-2013 07:10 AM
Hi, I have checked this in IOS version 15 also and it seems to be the same.
PFB: from my PC (172.22.100.75) I telnet to 172.22.100.76, the router interface IP. On the router I have applied the ACL on line vty. The ACL is not matching seq number 10, it always matches seq number 20 only. Why is it like that?
07-03-2013 06:15 PM
In regard to the screenshot:
That is the correct action for the router to take; destination addresses are not evaluated. Even if the prior link says that they are, I have never found this to be the case in any IOS. As the link mentioned, it is not documented by Cisco, and to me that means it still won't work.
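As an added example (not code from this thread and not Cisco IOS code), the following Python models first-match ACL evaluation with Cisco wildcard-mask semantics and runs it over the %SEC-6-IPACCESSLOGP line quoted earlier in the thread. It assumes, purely from that log line, that the vty access-class check presents the destination as 0.0.0.0; the 10.1.0.0/16 "NOC subnet" in the standard ACL and the 192.0.2.9 test source are made-up values. The model shows why seq 10 (destination host 192.168.10.10) can never match on the vty while seq 20 does, and why the same ACL applied on an interface would hit seq 10.

```python
"""Model of how an ACL applied with `access-class ... in` on a vty line
evaluates a connection, built around the %SEC-6-IPACCESSLOGP line posted in
the thread. Example code added to the thread, not Cisco code; the
"destination is seen as 0.0.0.0" behaviour is taken only from the posted log
line, and the NOC subnet below is an assumed value."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Log line quoted in the thread (copied here as constructed sample input).
LOG_LINE = ("%SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp "
            "10.0.0.2(17832) -> 0.0.0.0(23), 1 packet")

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_ipaccesslogp(line: str) -> Optional[dict]:
    """Pull the protocol, addresses and ports out of an IPACCESSLOGP line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


@dataclass
class Ace:
    seq: int
    action: str          # "permit" / "deny"
    proto: str           # "ip", "tcp", "udp"
    src: str             # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str = "any"     # standard ACLs carry no destination field
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco address spec: any | host X | X WILDCARD (1 bits are don't-care)."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = wild ^ 0xFFFFFFFF          # bits that must match
    return (a & care) == (net & care)


def evaluate(acl, proto, src, dst, dport) -> Optional[Ace]:
    """First match wins; None means the implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not addr_matches(ace.src, src) or not addr_matches(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


# Extended ACL from the thread's 12.4 test (192.168.10.10 = management IP).
EXTENDED = [
    Ace(10, "permit", "tcp", "any", "host 192.168.10.10", 23),
    Ace(20, "permit", "tcp", "any", "any", 23),
]

# Shape of the standard ACL recommended in the thread: sources only.
STANDARD = [
    Ace(10, "permit", "ip", "host 10.0.0.2"),
    Ace(20, "permit", "ip", "10.1.0.0 0.0.255.255"),   # assumed NOC subnet
]


def vty_match_seq(acl, line=LOG_LINE) -> Optional[int]:
    """Evaluate the ACL against the tuple exactly as the vty log reports it."""
    f = parse_ipaccesslogp(line)
    hit = evaluate(acl, f["proto"], f["src"], f["dst"], f["dport"])
    return hit.seq if hit else None


def interface_match_seq(acl, src="10.0.0.2", dst="192.168.10.10", dport=23):
    """Same ACL as an interface `ip access-group` would see the packet."""
    hit = evaluate(acl, "tcp", src, dst, dport)
    return hit.seq if hit else None


if __name__ == "__main__":
    print("vty sees destination", parse_ipaccesslogp(LOG_LINE)["dst"])
    print("extended ACL on vty hits seq", vty_match_seq(EXTENDED))
    print("same ACL on an interface hits seq", interface_match_seq(EXTENDED))
    print("standard ACL on vty, listed source hits seq", vty_match_seq(STANDARD))
    print("standard ACL on vty, other source:",
          evaluate(STANDARD, "tcp", "192.0.2.9", "0.0.0.0", 23))
```

The practical takeaway matches the thread: on the vty only the source can be relied on, so restrict sources with a standard ACL under access-class and keep the management address reachable by placing it in a VLAN that other subnets cannot route to, rather than trying to filter the destination on the vty line.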