ssh Access-list

Patrick McHenry
Level 4

Hi,

I want to create an access-list that will allow any host to SSH to the Management address of a switch, but only the Management address. Does this look like a clean way to do this?

ip access-list extended SSH_ACCESS
permit udp Management VLAN ip any eq 22
permit tcp Management VLAN ip any eq 22
deny udp any other switch ips eq 22
deny tcp any other switch ips eq 22
permit ip any any

!

line vty 0 15
ip access-group SSH_ACCESS

Thank you, Pat.

13 Replies

parvinder.s
Level 1

Hi,

ip access-list standard SSH_ACCESS
  permit IP_add or Subnet wild_card_mask (for subnets)
  permit IP_add or subnet
  ...
  ...
  ...
line vty 0 15
  access-class SSH_ACCESS in
  transport input ssh

thanks

Thanks Parvinder - def cleaner. I'll try it.

Parvinder - it doesn't seem to work. Does this look correct?

Thank you

ip access-list extended SSH_ACCESS
 permit ip any host 172.16.1.137
!
line vty 0 15
 access-class SSH_ACCESS in
 length 0
 transport input ssh
!

Use a standard ACL.

ip access-list standard SSH_ACCESS
 permit host yourLaptop_ip
 permit NOC_VLAN_Subnet
!
!
line vty 0 15
 access-class SSH_ACCESS in
 length 0
 transport input ssh telnet
!

Thank you for the response.

This is what I am trying to accomplish:

I want to allow any device to SSH to the switch/router, but I want to limit what address they can SSH to on the switch/router. Does that make sense? I only want the switch/router to be accessed through the Management VLAN interface.

Thank you

Hi Patrick,

Can you please share the running configuration?

Yes, it does make sense that you want to secure the remote login connections on the networking devices by allowing the management VLAN only.

There is a standard practice to configure a standard IP access list (for filtering source IPs) and put it on the vty line with the command access-class.

thanks

Yes, but I want to allow any subnet to SSH to the device, but only allow it to be accessed through the Management interface. I think blocking the source can be too restrictive during troubleshooting times.

Thank you

Sindhu_kumar
Level 1

You can't match the extended ACL using the management interface IP.

10 permit tcp any host 192.168.10.10 eq telnet log
20 permit tcp any any eq telnet log (2 matches)

192.168.10.10 is the management interface of the router/switch.

The ACL is matching seq number 20:

%SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp 10.0.0.2(17832) -> 0.0.0.0(23), 1 packet

Seems odd. Why not?

Thank you

Hi,

In IOS version 12.4 it works like that only. Can anyone try this in IOS version 15?

R2#sh ip int br | i up
FastEthernet0/0            192.168.10.2    YES manual up                    up
R2#
R2#telnet 192.168.10.1 /so fa0/0
Trying 192.168.10.1 ... Open

R1#sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet log
    20 permit tcp host 192.168.10.2 any eq telnet log (8 matches)
    30 permit tcp any any eq telnet log
R1#
R1#sh ver | i Version
Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
R1#

Hi, I have checked this in IOS version 15 also; it seems to be the same.

PFB: from my PC (172.22.100.75) I telnet to 172.22.100.76, the router interface IP. In the router I have applied the ACL on line vty. The ACL is not matching seq number 10; it is always matching seq number 20 only. Why is it like that?

Regarding the screenshot,

That is the correct action for the router to take: destination addresses are not evaluated. Even if the prior link says that they are, I have never found this to be the case in any IOS. As the link mentioned, it is not documented by Cisco; to me that means it still won't work.
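To make the behaviour discussed in this thread concrete, here is an added Python model (not Cisco code and not something any poster provided) of how an ACL is evaluated when it is applied to the vty lines with access-class versus to an interface with ip access-group. The model encodes one assumption taken from the log line quoted above: under access-class, IOS evaluates the source address and destination port but presents the destination address as 0.0.0.0, so any entry that names a specific destination host can never match. The ACL entries and packets are constructed from addresses that appear in the thread; the function names (evaluate, sindhu_example, pat_extended, standard_source_acl) are invented for this illustration.

```python
"""Model of IOS ACL evaluation for `access-class` (vty) vs `ip access-group`
(interface).  Added illustration only; not Cisco code.

Assumption modelled from the thread's log line
`%SEC-6-IPACCESSLOGP: ... 10.0.0.2(17832) -> 0.0.0.0(23)`:
an access-class ACL sees the real source address and destination port,
but the destination address is replaced by 0.0.0.0.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# An address clause is (base address, wildcard mask), both as 32-bit ints.
Match = Tuple[int, int]


def parse_match(spec: str) -> Match:
    """Parse an IOS address clause: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if spec == "any":
        return (0, 0xFFFFFFFF)
    if spec.startswith("host "):
        return (int(IPv4Address(spec[5:])), 0)
    addr, wildcard = spec.split()
    return (int(IPv4Address(addr)), int(IPv4Address(wildcard)))


def matches(m: Match, addr: IPv4Address) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = m
    care = ~wildcard & 0xFFFFFFFF
    return (base & care) == (int(addr) & care)


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything; otherwise "tcp"/"udp"
    src: Match
    dst: Match
    dport: Optional[int] = None   # None means any destination port


@dataclass
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def ace(seq: int, action: str, proto: str, src: str,
        dst: str = "any", dport: Optional[int] = None) -> Ace:
    """Build an entry; a standard ACL is just an entry with dst 'any'."""
    return Ace(seq, action, proto, parse_match(src), parse_match(dst), dport)


def evaluate(acl: List[Ace], pkt: Packet, applied_with: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); (deny, None) is the implicit deny any."""
    if applied_with == "access-class":
        # Modelled quirk: destination address is not evaluated on vty ACLs.
        pkt = Packet(pkt.proto, pkt.src, IPv4Address("0.0.0.0"), pkt.dport)
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (matches(e.src, pkt.src) and matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return (e.action, e.seq)
    return ("deny", None)


def sindhu_example(applied_with: str) -> Tuple[str, Optional[int]]:
    """The two-line telnet ACL from the thread, 10.0.0.2 -> 192.168.10.10:23."""
    acl = [ace(10, "permit", "tcp", "any", "host 192.168.10.10", 23),
           ace(20, "permit", "tcp", "any", "any", 23)]
    pkt = Packet("tcp", IPv4Address("10.0.0.2"), IPv4Address("192.168.10.10"), 23)
    return evaluate(acl, pkt, applied_with)


def pat_extended(applied_with: str) -> Tuple[str, Optional[int]]:
    """Pat's `permit ip any host 172.16.1.137`, SSH from a constructed source."""
    acl = [ace(10, "permit", "ip", "any", "host 172.16.1.137")]
    pkt = Packet("tcp", IPv4Address("10.0.0.2"), IPv4Address("172.16.1.137"), 22)
    return evaluate(acl, pkt, applied_with)


def standard_source_acl(src: str) -> Tuple[str, Optional[int]]:
    """Parvinder's approach: a standard (source-only) ACL under access-class.
    Constructed sources: one host and one /24 given as a wildcard mask."""
    acl = [ace(10, "permit", "ip", "host 10.0.0.2"),
           ace(20, "permit", "ip", "10.0.1.0 0.0.0.255")]
    pkt = Packet("tcp", IPv4Address(src), IPv4Address("172.16.1.137"), 22)
    return evaluate(acl, pkt, "access-class")


if __name__ == "__main__":
    print("telnet ACL under access-class   :", sindhu_example("access-class"))
    print("telnet ACL under ip access-group:", sindhu_example("ip access-group"))
    print("Pat's extended ACL, access-class:", pat_extended("access-class"))
    print("standard ACL, 10.0.1.77 source  :", standard_source_acl("10.0.1.77"))
```

Run as a script it reproduces the thread: under access-class the telnet ACL matches seq 20 rather than seq 10, and Pat's `permit ip any host 172.16.1.137` falls through to the implicit deny, which is the "doesn't seem to work" reported above. Under ip access-group the same entries match on destination as expected. The standard-ACL case shows what access-class does enforce reliably: a source whitelist, with the wildcard mask deciding which bits of the address are compared.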