11-27-2019 03:43 PM - edited 02-21-2020 09:43 AM
Hi All,
Can someone please help me understand this access list for the VTY lines? The previous network engineer has this in our switches on the VTY lines; the part I don't quite understand is the "host 0.0.0.0". It had been working, then a few of our switches rebooted and we were not able to SSH in, and I had to remove the host 0.0.0.0 and add in "any", but I'm not sure why?
10 permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log-input
Thanks!
11-27-2019 05:22 PM
Hi!
Using "host 0.0.0.0" as the destination in that manner makes absolutely no sense there.
The old ACL would have allowed TCP/22 sourced from 192.168.x.x/24 towards 0.0.0.0/32.
Now with your new ACL you are allowing the traffic towards any destination, which makes the SSH connection work.
Instead of any you could also do "host <IP of the switch>", but then you would have to modify it for every device.
Be sure to read through the following document to fully understand ACLs:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Here you also find the following:
A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.
That sentence also states that "host 0.0.0.0" makes no sense, since it would essentially block everything.
I hope this helps you.
Best regards
Julian
11-27-2019 06:30 PM
The ACE indicates that packets with source 192.168.0.0 and with the default network as destination, on port 22, will be allowed.
When changing the destination to any, packets that reach the VTY lines with any destination, on port 22, will be allowed.
You must be clear about what you are looking for with the ACL.
My recommendation is that the source of the allowed packets is not so wide, moreover, it should be only a very limited range of IPs, as that will contribute to the security of your network.
Regards
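To make the two replies above concrete, here is a small evaluator for Cisco wildcard-mask ACEs (added example, not from the thread or from Cisco IOS). It checks the original entry with "host 0.0.0.0" as destination, the "any" replacement, and a tightened version that restricts the source to one management subnet and the destination to the switch's own IP. All addresses are constructed; the log-input keyword is not modeled.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is ignored. 'host X' is X with wildcard 0.0.0.0; 'any' is
    0.0.0.0 with wildcard 255.255.255.255."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def ace_matches(ace: dict, pkt: dict) -> bool:
    """One 'permit|deny tcp <src> <src-wc> <dst> <dst-wc> eq <port>' entry."""
    return (pkt["proto"] == ace["proto"]
            and wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            and wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])
            and pkt["dport"] == ace["dport"])


def acl_permits(acl: list, pkt: dict) -> bool:
    """First matching entry wins; the implicit 'deny any' drops the rest."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")


def ace(action: str, src: tuple, dst: tuple, dport: int = 22) -> dict:
    return {"action": action, "proto": "tcp", "src": src[0], "src_wc": src[1],
            "dst": dst[0], "dst_wc": dst[1], "dport": dport}


# The three variants discussed in the thread (constructed sample addresses).
OLD_ACL = [ace("permit", ("192.168.0.0", "0.0.255.255"), host("0.0.0.0"))]
ANY_ACL = [ace("permit", ("192.168.0.0", "0.0.255.255"), ANY)]
TIGHT_ACL = [ace("permit", ("192.168.10.0", "0.0.0.255"), host("192.168.1.5"))]

# SSH to the switch at 192.168.1.5 from a management host and from a user VLAN.
SSH_FROM_MGMT = {"proto": "tcp", "src": "192.168.10.20", "dst": "192.168.1.5", "dport": 22}
SSH_FROM_USER = {"proto": "tcp", "src": "192.168.50.7", "dst": "192.168.1.5", "dport": 22}

if __name__ == "__main__":
    for name, acl in (("old", OLD_ACL), ("any", ANY_ACL), ("tight", TIGHT_ACL)):
        print(name, acl_permits(acl, SSH_FROM_MGMT), acl_permits(acl, SSH_FROM_USER))
```

The original entry permits nothing, because no real destination address equals 0.0.0.0, so the implicit deny drops every SSH attempt once the ACL is applied.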