cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4173
Views
10
Helpful
3
Replies

SSH to a specific host IP

kirm
Level 1
Level 1

Hi all,

I'm trying to limit SSH access to my router.

Router IP is 192.168.1.254

 

My access list for SSH:

 

ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log

!

line vty 0 4
access-class SSH_Access_Control in

 

If it matters, I'm using aaa.

 

The above works.

 

In the ACL I remove this:

permit tcp 192.168.1.0 0.0.0.255 any eq 22

and add this:

permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22

Annnndddddd...I'm locked out of the router. Console time for me.

 

I'm permitting any IP in the subnet to connect to this specific router ON this specific router.

 

Anyone know why this doesn't work?

 

Thanks,

1 Accepted Solution

Accepted Solutions

Hi @kirm 

Refer to the previous post, VTY lines have no IP address:-

https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772

 

Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet

 

If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.


HTH

View solution in original post

3 Replies 3

Hi @kirm 

Refer to the previous post, VTY lines have no IP address:-

https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772

 

Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet

 

If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.


HTH

Like it says here?:

"VTY lines have no IP address so what's the benefit to include the destination?"

Very good and thank you. I've marked your answer as the accepted solution.

johnlloyd_13
Level 9
Level 9

hi,

common practice is to use standard ACL based on allowed source IP (management subnet/NMS).

 

ip access-list standard SSH_Access_Control
permit 192.168.1.0 0.0.0.255
deny any log

 

Review Cisco Networking for a $25 gift card