cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1574
Views
0
Helpful
2
Replies
Highlighted
Beginner

Access list for SSH vty lines

Hi All, 

 

Can someone please help me understand this access list for the VTY lines? Previous network engineer has this in our switches on the VTY lines, the part I don't quite understand is the host 0.0.0.0?  It's been working and then a few of our switches rebooted then we were not able to SSH in and I had to remove the host 0.0.0.0 and add in "any" but not sure why?

 

10 permit tcp 192.168.0.0 0.0.255.255 host 0.0.0.0 eq 22 log-input

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Participant

Hi!

Using the "host 0.0.0.0" as destination in that matter makes absolutely no sense there.

The old ACL would have allowed TCP/22 sourcing from 192.168.x.x/24 towards 0.0.0.0/32.

Now with your new ACL you are allowing the traffic towards any destination, which makes the SSH connection work.

Instead of any you could also do "host <IP of the Switch>" - but then you would have to modify it for every device..

Be sure to read through the following document to fully understand ACLs:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Here you also find the following:

A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.

That sentence also states that "host 0.0.0.0" makes no sense since it would kind of block everything.

I hope this helps you.

Best regards
Julian

View solution in original post

2 REPLIES 2
Highlighted
Participant

Hi!

Using the "host 0.0.0.0" as destination in that matter makes absolutely no sense there.

The old ACL would have allowed TCP/22 sourcing from 192.168.x.x/24 towards 0.0.0.0/32.

Now with your new ACL you are allowing the traffic towards any destination, which makes the SSH connection work.

Instead of any you could also do "host <IP of the Switch>" - but then you would have to modify it for every device..

Be sure to read through the following document to fully understand ACLs:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

Here you also find the following:

A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.

That sentence also states that "host 0.0.0.0" makes no sense since it would kind of block everything.

I hope this helps you.

Best regards
Julian

View solution in original post

Highlighted
VIP Advisor

Hi @Eddie Sardinha 

 

The ACE indicates that packets with source 192.168.0.0 and with destination the default network, through port 22 will be allowed.
When changing the destination to any, the packets that reach the vty lines with any destination, through port 22 will be allowed.


You must be clear about what you are looking for with the ACL.
My recommendation is that the source of the allowed packets is not so wide, moreover, it should be only a very limited range of IPs, as that will contribute to the security of your network.

 

Regards

Content for Community-Ad