Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3178
Views
10
Helpful
3
Replies

SSH to a specific host IP

Go to solution
kirm
Level 1
Level 1

‎12-26-2020 10:01 AM

Hi all,

I'm trying to limit SSH access to my router.

Router IP is 192.168.1.254

 

My access list for SSH:

 

ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log

!

line vty 0 4
access-class SSH_Access_Control in

 

If it matters, I'm using aaa.

 

The above works.

 

In the ACL I remove this:

permit tcp 192.168.1.0 0.0.0.255 any eq 22

and add this:

permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22

Annnndddddd...I'm locked out of the router. Console time for me.

 

I'm permitting any IP in the subnet to connect to this specific router ON this specific router.

 

Anyone know why this doesn't work?

 

Thanks,

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎12-26-2020 10:35 AM - edited ‎12-26-2020 10:41 AM

Hi @kirm 

Refer to the previous post, VTY lines have no IP address:-

https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772

 

Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet

 

If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.


HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎12-26-2020 10:35 AM - edited ‎12-26-2020 10:41 AM

Hi @kirm 

Refer to the previous post, VTY lines have no IP address:-

https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772

 

Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet

 

If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.


HTH

0 Helpful

Go to solution
kirm
Level 1
Level 1
In response to Rob Ingram

‎12-26-2020 07:17 PM

Like it says here?:

"VTY lines have no IP address so what's the benefit to include the destination?"

Very good and thank you. I've marked your answer as the accepted solution.

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9

‎12-30-2020 04:19 AM

hi,

common practice is to use standard ACL based on allowed source IP (management subnet/NMS).

 

ip access-list standard SSH_Access_Control
permit 192.168.1.0 0.0.0.255
deny any log

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card