01-08-2010 04:00 AM - edited 02-21-2020 03:50 AM
Hi, I was hoping someone could explain how to do this.
I am trying to restrict my core switches (4506s) to only accept incoming SSH and Telnet (management) traffic that is directed to a single IP interface.
I thought I could do this by placing an access list on the VTY lines that says
access-list 101 permit tcp any host 192.168.1.254 eq 22 log
access-list 101 permit tcp any host 192.168.1.254 eq 23 log
access-list 101 deny ip any any log
and simply assign that list inbound to the VTY lines.
However, this then blocks all access to the VTY lines. The log is as shown:
Jan 8 11:41:54.247: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.5.25(4258) -> 0.0.0.0(22), 1 packet
So I can see what is happening: because the 4506 is the default gateway for the 192.168.5.0 network, it is seeing the packet as directed to self and not to the 192.168.1.254 address.
My question is, is there any way around this? I was hoping to be able to restrict management access to the 192.168.66.254 address.
I don't want to stop other subnets being able to manage this switch, but they would all have to manage it through a single IP address. This switch may end up with many subnet interfaces and I would rather be able to say allow this interface and deny all others by default, than have to manually deny all other interfaces one by one.
Any ideas how I can get this to work?
Cheers
01-11-2010 02:23 AM
Hi,
To restrict access to the switch via VTY, just apply the configuration below on the switches so that only the permitted IPs can access the switch via Telnet:
ip access-list standard admin
permit 10.9.4.4
permit 10.198.1.1
Cisco_1811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco_1811(config)#line vty 0 15
Cisco_1(config-line)#access-class admin in
Hope that helps with your query!
Regards
Ganesh.H
01-11-2010 03:42 AM
See, this still allows access via any interface IP address the switch/router is configured with.
I want to restrict management to a single interface on the router/switch.
At the moment users are assigned an access list as they log on to the network,
which says something like
deny ip any 192.168.1.0 0.0.0.255
deny tcp any 192.168.2.0 0.0.0.255 eq 3389
permit ip any any
So they are denied access to different parts of the network depending on what group they are in.
The idea being that no matter what PC they log on to, in whatever subnet, they will always be denied access based on the user.
The problem with your solution is that the management interface can then only be accessed from one PC or subnet, as it is based on the source address.
I want to limit it based on the destination address,
i.e. not who it is coming from, but what IP address it is directed to.
Then if I say that a user can / can't reach the 192.168.1.0 (management) subnet, I can centrally manage access to switch management.
01-11-2010 03:49 AM
Please clarify your question briefly: do you want to create a management restriction, or do you want to block traffic from one LAN to other networks?
Regards
Ganesh.H
01-11-2010 03:54 AM
I want to do exactly what you have said:
assign an access list to the VTY lines,
but I want to filter based on the destination address (not the source address).
01-12-2010 03:23 AM
Hi,
Ok !!
To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
access-class access-list-number {in [vrf-also] | out}
no access-class access-list-number {in | out}
Syntax Description
access-list-number: Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in: Restricts incoming connections between a particular Cisco device and the addresses in the access list.
vrf-also: Accepts incoming connections from interfaces that belong to a VRF.
out: Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
access-class 12 in
The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
access-class 10 out
Hope that helps with your query!
Regards
Ganesh.H
05-29-2016 01:00 PM
I know this question was asked quite a while ago, but I'm sure people are still trying to find an answer to it.
I'm currently studying for my CCNA exam and in one of the labs it asks to apply an ACL to the VTY lines that would allow access to only one of the local IP addresses configured on a router (say Loopback 0). This cannot be done (at least on any of the GNS3 devices I have set up). To only allow Telnet/SSH access to one of the configured addresses, you must apply the ACL to an interface, not to the VTY lines.
I hope this helps anyone else out there who is currently looking for a solution to this problem.
08-24-2017 02:36 AM
Hi,
OK, so in my case I have a router with a management interface (int mgmt 0) with IP address 192.168.1.1.
Now I want my network administrator to be able to telnet in to the router using only this int mgmt IP and not any other loopback or interface IP configured on the router. How can I achieve this?
10-10-2018 12:19 AM
I do not know if you have figured this out or not, but always remember that the VTY lines are on the management plane. The VTY lines will only ever allow or block traffic at the level of the VTY session. Depending on what physical interfaces you have, you will have to place ACLs on those to block traffic from coming into the physical interfaces first; if permitted there, it will make its way to the VTY lines.
03-30-2023 08:31 AM - edited 03-30-2023 08:33 AM
I have the same issue. OK, so this is the configuration. The idea, like someone on the forum mentioned, is that I want to allow access from any source address to telnet to the switch, but only to reach Telnet through the loopback address of the switch, no other interface. Below is the configuration that I used on a router, and it worked with no issue. However, when I added it to the switch this is the error I get: " *Mar 30 15:30:23.618: %SEC-6-IPACCESSLOGP: list VTY-ACCESS denied tcp 192.168.1.203(34788) -> 0.0.0.0(23), 1 packet"
The traffic is not going to the loopback address, it is going to 0.0.0.0. Why?
interface Loopback0
ip address 1.1.1.2 255.255.255.255
ip access-list extended VTY-ACCESS
permit tcp any host 1.1.1.2 eq telnet 22 log
deny ip any any log
line vty 0 4
access-class VTY-ACCESS in
logging synchronous
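The replies above (the 2018 explanation that the VTY lines only see a session-level check, and the 0.0.0.0 destination in this post's log line) are easy to confirm with a small model. The following Python is an added example written for this thread; it is not Cisco code and not from any poster. It parses extended-ACL text in the shape used on this page, evaluates it the way IOS does (first match, implicit deny), and contrasts two placements: `access-class` on the VTY lines, modelled with the 0.0.0.0 destination the logged switches report, and `ip access-group` on the ingress interface, where the real destination is visible. It also generates the per-address interface ACL that blocks SSH/Telnet to every non-management address while leaving transit traffic alone. The ACL text, host addresses and packet tuples are constructed sample values that mirror the thread, not a real network.

```python
import ipaddress

# Constructed sample values (mirroring the thread, not any poster's real network).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "pop3": 110}

# Constructed copy of the VTY-ACCESS list posted above.
VTY_ACCESS_ACL = """
ip access-list extended VTY-ACCESS
 permit tcp any host 1.1.1.2 eq telnet 22 log
 deny ip any any log
"""


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse extended-ACL entries (named form or 'access-list N ...') into tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:      # numbered form: drop 'access-list N'
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                           # header line or remark
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        ports = set()
        if i < len(tokens) and tokens[i] == "eq":
            for p in tokens[i + 1:]:           # 'eq' may list several ports
                if p == "log":
                    break
                ports.add(PORT_NAMES.get(p) or int(p))
        rules.append((action, proto, src, dst, ports))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First-match evaluation, ending in the implicit deny IOS appends."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, ports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if ports and dport not in ports:
            continue
        return action
    return "deny"


def vty_decision(rules, src, dport):
    """access-class on the VTY lines. The log lines in this thread show the
    check run against destination 0.0.0.0, so a 'host <mgmt-ip>' entry never matches."""
    return evaluate(rules, "tcp", src, "0.0.0.0", dport)


def interface_decision(rules, proto, src, dst, dport=None):
    """ip access-group on the ingress interface: the real destination is visible."""
    return evaluate(rules, proto, src, dst, dport)


def mgmt_only_interface_acl(mgmt_ip, other_local_ips):
    """Build interface-ACL text that blocks SSH/Telnet to each non-management
    local address and leaves everything else (transit flows, routing) untouched.
    Generating the denies from the address list avoids a 'deny all others'
    entry, which on an interface ACL would also cut transit traffic."""
    lines = ["ip access-list extended MGMT-DST"]
    for addr in other_local_ips:
        lines.append(f" deny tcp any host {addr} eq 22 23 log")
    lines.append(f" permit tcp any host {mgmt_ip} eq 22 23 log")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    vty_rules = parse_acl(VTY_ACCESS_ACL)
    # Same packet as the posted log line: 192.168.1.203 -> 0.0.0.0(23)
    print("VTY access-class:", vty_decision(vty_rules, "192.168.1.203", 23))
    print("Interface ACL, Telnet to loopback:",
          interface_decision(vty_rules, "tcp", "192.168.1.203", "1.1.1.2", 23))
    print("Interface ACL, transit web flow:",
          interface_decision(vty_rules, "tcp", "192.168.1.203", "10.0.0.50", 80))
    mgmt = parse_acl(mgmt_only_interface_acl("1.1.1.2", ["192.168.1.1", "10.10.10.2"]))
    print("MGMT-DST, transit web flow:",
          interface_decision(mgmt, "tcp", "192.168.1.203", "10.0.0.50", 80))
```

Running it shows the posted VTY-ACCESS list denying the Telnet session at the VTY lines while permitting the same packet as an interface ACL, and also why VTY-ACCESS must not be moved to an interface as-is: its final `deny ip any any` would drop every transit flow. The generated MGMT-DST list keeps transit traffic flowing; it has to be applied inbound on every interface that can carry management traffic, and a source-based `access-class` on the VTY lines can still be layered on top.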
12-24-2023 06:58 AM
Hello friends, I have made an ACL to restrict VLANs 102 and 103 from using Telnet and SSH and to permit VLAN 100. I have done this, but the problem is with VLAN 100: I can use Telnet and SSH with routers BR1 and BR2, but I cannot with the HQ router; the ping to HQ is unreachable. What is the problem?
BR1#sh ru
Building configuration...
Current configuration : 2429 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR1
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username cisco secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip domain-name ccna.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
ip ospf 20 area 0
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100 native
ip address 192.168.100.1 255.255.255.240
ip ospf 20 area 0
!
interface GigabitEthernet0/0/0.102
encapsulation dot1Q 102
ip address 192.168.100.65 255.255.255.224
ip helper-address 192.168.100.6
ip ospf 20 area 0
ip access-group 100 in
!
interface GigabitEthernet0/0/0.103
encapsulation dot1Q 103
ip address 192.168.100.33 255.255.255.240
ip helper-address 192.168.100.6
ip ospf 20 area 0
ip access-group 100 in
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/1/0
ip address 10.10.10.2 255.255.255.252
ip ospf 20 area 0
clock rate 2000000
!
interface Serial0/1/1
ip address 10.10.10.6 255.255.255.252
ip ospf 20 area 0
ip access-group 110 out
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
mac-address 00d0.ba41.0d01
no ip address
!
router ospf 20
log-adjacency-changes
default-information originate
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 deny tcp any host 10.10.10.5 eq 22
access-list 100 deny tcp any host 10.10.10.5 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 192.168.100.1 eq 22
access-list 100 deny tcp any host 192.168.100.1 eq telnet
access-list 100 deny icmp any 192.168.100.0 0.0.0.15
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 110 permit tcp any host 100.1.1.3 eq www
access-list 110 permit tcp any host 100.1.1.3 eq 443
access-list 110 permit tcp any host 100.1.1.2 eq smtp
access-list 110 permit tcp any host 100.1.1.2 eq pop3
access-list 110 deny tcp any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0
no login
transport input none
line vty 1 4
password cisco
login
transport input none
line vty 5 15
password cisco
login
!
!
!
end
12-24-2023 07:41 AM
First, I would suggest opening a new thread with more information in the new post.
but the problem is with vlan100 I can use telnet & ssh with
router br1 & br2 but hq router I could not the ping with hq unreachable what is the problem?
We do not understand what the HQ IP address is here: from what source are you trying to reach HQ, and where is the HQ device configuration?
You have an ACL here which denies it inbound: access-list 100 deny icmp any 192.168.100.0 0.0.0.15