11-28-2012 12:26 PM - edited 03-11-2019 05:29 PM
Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has. It is applied to a policy map for ssh access from the Internet to the router for management:
class-map type inspect match-any SSH
match protocol ssh
match access-group name SSH
The access list with the name "SSH" just allows certain public IP network blocks.
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Also just to ensure I am not confused about proper creation of the ACL. The ACL with the name SSH I've given is as follows:
ip access-list extended SSH
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
permit tcp xx.xx.0.0 0.7.255.255 any eq 22
permit tcp xx.xx.0.0 0.255.255.255 any eq 22
First, am I being redundant in the class map by telling it to match protocol ssh and also specifying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh?
11-28-2012 05:33 PM
Hello Colin,
But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
Exactly, you are getting it now. It needs to be a match-all.
Regarding the ACL, it should be like this (a named ACL is created with "ip access-list extended", not "access-list"):
ip access-list extended SSH
 permit tcp host outside_user_ip host router_outside_interface eq 22
Regards,
11-30-2012 09:54 AM
Ok, I set it to match-all. However, with the ACL, my office connection is on a dynamic IP and so my ISP assigns IPs in the address blocks that I've put in there.
But now for the part about the router_outside_interface. Setting this instead of saying "any" won't have problems with, say, VPN or NAT or whatever else? It's simply saying that ssh will go to the outside interface and that's that?
11-30-2012 11:28 AM
Hello Colin,
So dynamic IP address, got it. Then you will need to do it as you had it before...
Correct, as it will be from out to self.
Regards,
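The thread ends with the pieces (match-all class map, ACL of source blocks, out-to-self zone pair) but never shows them assembled. The configuration below is an added example, not something posted in the thread: a complete Zone-Based Firewall out-to-self policy that allows SSH to the router only from the two source blocks. The addresses (RFC 5737 documentation ranges), the zone, policy and interface names, and the outside address 198.51.100.1 are all assumed placeholders; substitute the ISP blocks and the real outside interface address.

```cisco
! Added example, not from the original thread. Addresses, zone names,
! policy names and the interface are placeholders/assumptions.
!
! Source blocks the ISP hands out (constructed: documentation ranges).
! Destination is the router's outside address; "any" also works for the
! self zone, because only traffic addressed to the router reaches it.
ip access-list extended SSH
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq 22
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
!
! match-all: a packet must be SSH AND come from an ACL source.
! With match-any, SSH from anywhere, or any traffic from the ACL
! sources, would be enough to hit the class.
class-map type inspect match-all SSH
 match protocol ssh
 match access-group name SSH
!
! Anything arriving at the router from OUTSIDE that is not SSH from the
! permitted blocks falls into class-default and is dropped and logged.
policy-map type inspect OUT-TO-SELF
 class type inspect SSH
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Internet-facing (placeholder interface)
 ip address 198.51.100.1 255.255.255.0
 zone-member security OUTSIDE
!
! Traffic from the OUTSIDE zone to the router itself (the built-in
! "self" zone) is what a management policy must cover.
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
```

Two things to check after applying this. First, the "eq 22" in the ACL and "match protocol ssh" overlap, but the overlap is harmless: with match-all both conditions must hold, so the ACL restricts the sources and the protocol match lets the inspect engine classify the session. Second, once a policy is attached to an out-to-self zone pair, everything else terminating on the router from that zone (IKE/ESP for a VPN, routing protocol adjacencies, NTP, ICMP echo) is dropped by class-default unless it gets its own class, so add those classes before relying on the policy in production. Because the permitted sources are whole ISP blocks rather than a single host, every customer in those blocks can reach port 22; the ACL narrows exposure but SSH authentication (keys or strong credentials) is still what protects the router.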