12-26-2020 10:01 AM
Hi all,
I'm trying to limit SSH access to my router.
Router IP is 192.168.1.254
My access list for SSH:
ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log
!
line vty 0 4
access-class SSH_Access_Control in
If it matters, I'm using aaa.
The above works.
In the ACL I remove this:
permit tcp 192.168.1.0 0.0.0.255 any eq 22
and add this:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22
Annnndddddd...I'm locked out of the router. Console time for me.
I'm permitting any IP in the subnet to connect to this specific router ON this specific router.
Anyone know why this doesn't work?
Thanks,
12-26-2020 10:35 AM - edited 12-26-2020 10:41 AM
Hi @kirm
Refer to the previous post, VTY lines have no IP address:
https://community.cisco.com/t5/switching/vty-extended-acl-with-destination-address/td-p/1163772
Enable logging with your ACL and I'd expect to see something similar to this: %SEC-6-IPACCESSLOGP: list VTY denied tcp 192.168.10.201(1096) -> 0.0.0.0(22), 1 packet
If you want to control SSH to 192.168.1.254 use an interface ACL to permit/deny and/or set transport input ssh under the vty line, with the VTY ACL to permit the source IP addresses.
HTH
12-26-2020 07:17 PM
Like it says here?:
"VTY lines have no IP address so what's the benefit to include the destination?"
Very good and thank you. I've marked your answer as the accepted solution.
12-30-2020 04:19 AM
Hi,
Common practice is to use a standard ACL based on the allowed source IPs (management subnet/NMS).
ip access-list standard SSH_Access_Control
permit 192.168.1.0 0.0.0.255
deny any log
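To make the behaviour discussed in this thread concrete, here is an added example (not from the original posts or from Cisco) that parses the three ACLs quoted above and evaluates them the way an access-class on the VTY lines does. The one modelling assumption, taken from the log line in the accepted answer, is that a VTY access-class sees the destination as 0.0.0.0 rather than the router's interface address, so a "host 192.168.1.254" destination never matches; real IOS matching details beyond that (established, ranges, named ports) are not modelled.

```python
import ipaddress

# Assumption from the thread's log line "... -> 0.0.0.0(22)": an access-class
# ACL on the VTY lines compares the destination against 0.0.0.0, not the
# address the SSH client actually connected to.
VTY_DESTINATION = "0.0.0.0"

# The three ACLs quoted in the thread (constructed inline so this runs offline).
ORIGINAL_ACL = """
ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log
!
"""
CHANGED_ACL = """
ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22
deny tcp any any eq 22 log
!
"""
STANDARD_ACL = """
ip access-list standard SSH_Access_Control
permit 192.168.1.0 0.0.0.255
deny any log
"""


def _wild_match(addr, network, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec (any | host X | X WILDCARD); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text):
    """Parse a named standard or extended ACL into an ordered list of entries."""
    entries, kind = [], None
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["ip", "access-list"]:
            kind = tokens[2]  # "standard" or "extended"
            continue
        action = tokens[0]
        log = tokens[-1] == "log"
        if log:
            tokens = tokens[:-1]
        if kind == "standard":
            # Standard ACLs match on source only; destination and port are wildcards.
            src_net, src_wc, _ = _parse_addr(tokens[1:])
            entries.append({"action": action, "proto": "ip", "src": (src_net, src_wc),
                            "dst": ("0.0.0.0", "255.255.255.255"), "dport": None, "log": log})
        else:
            proto = tokens[1]
            src_net, src_wc, rest = _parse_addr(tokens[2:])
            dst_net, dst_wc, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append({"action": action, "proto": proto, "src": (src_net, src_wc),
                            "dst": (dst_net, dst_wc), "dport": dport, "log": log})
    return entries


def evaluate(entries, proto, src, dst, dport, access_class=False):
    """First-match evaluation. Returns (action, index) or ('deny', None) for the implicit deny.

    access_class=True models the VTY access-class case: the destination the ACL
    sees is VTY_DESTINATION, whatever address the client connected to.
    """
    if access_class:
        dst = VTY_DESTINATION
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if not _wild_match(src, *e["src"]) or not _wild_match(dst, *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None  # implicit deny at the end of every ACL


def ssh_from_lan(acl_text, access_class=True, src="192.168.1.10"):
    """Outcome for an SSH session from the management LAN to 192.168.1.254."""
    return evaluate(parse_acl(acl_text), "tcp", src, "192.168.1.254", 22, access_class)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("changed", CHANGED_ACL), ("standard", STANDARD_ACL)):
        print(name, "as access-class:", ssh_from_lan(acl))
    print("changed ACL applied on an interface instead:", ssh_from_lan(CHANGED_ACL, access_class=False))
```

Running it shows the lockout: the original ACL permits on its first line, the changed ACL falls through to the "deny tcp any any eq 22 log" line because the destination it sees is 0.0.0.0, and the same changed ACL would permit if it were applied on an interface, which is why the accepted answer recommends an interface ACL for destination control and a source-only VTY ACL.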