02-13-2020 01:03 PM - edited 02-21-2020 09:55 AM
All,
I have an ASR920 for internet routing. The management interface is on the inside, and I have an ACL applied to VTY lines 0-5 that applies to the Mgmt-intf VRF. This is working just fine for internal management access. I would also like to allow VTY access from a specific host address coming from the internet. Would I just create another ACL with that host address specified and apply it to VTY lines 5-10, leaving the current one on lines 0-5 with the Mgmt-intf VRF ACL, or what is the best way to achieve this?
Current:
line vty 0 5
access-class VTY-Access in vrfname Mgmt-intf
exec-timeout 180 0
transport input ssh
transport output ssh
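For reference, here is an added configuration example (not from the original post or from Cisco) of the option being asked about: one standard ACL that lists both permitted sources, applied to the whole VTY range. The subnet and host addresses are constructed placeholders; the VRF name is the one from the post. It assumes the IOS-XE `access-class ... in vrf-also` form, which accepts connections that arrive either through a VRF or through the global table, whereas `vrfname Mgmt-intf` accepts only connections arriving in that VRF. Only one inbound `access-class` is kept per `line vty` range, which is why the two sources are merged into a single ACL here rather than two ACLs on one range.

```cisco
! Added example, not the original poster's configuration.
! Addresses below are constructed placeholders (RFC 1918 / RFC 5737 ranges).
ip access-list standard VTY-Access
 remark internal management subnet reached via Mgmt-intf (placeholder)
 permit 10.10.10.0 0.0.0.255
 remark single fixed external address (placeholder)
 permit host 203.0.113.10
 remark log every rejected SSH attempt so they show up in syslog
 deny   any log
!
line vty 0 5
 ! vrf-also: evaluate the ACL for connections from any VRF and from the
 ! global table (assumption about keyword semantics, see lead-in)
 access-class VTY-Access in vrf-also
 exec-timeout 180 0
 transport input ssh
 transport output ssh
```

The `deny any log` entry is the useful check here: once the ACL is applied, `show access-lists VTY-Access` shows hit counts per entry and the log messages reveal any connection attempts that reach the VTY from addresses other than the two listed. Splitting the VTY range (lines 0-5 with one ACL, lines 5-10 with another), as the post suggests, does not select a line by source address; IOS assigns the lowest free VTY to whichever session arrives, so the merged ACL is the form that actually enforces both sources on every line.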
02-13-2020 08:00 PM
02-14-2020 05:37 AM
The Mgmt interface and Mgmt-intf VRF are on the inside network. The ACL is applied to the VRF, and there is no access to that interface from the outside. Putting in place another ACL for VTY access from the outside is more of a backup in case there is something I need to do on the routers from home and do not have the ability to VPN into the network. The one host is a static IP from my home office. It isn't necessary that I have it in place; I've never had a situation where the VPN was not available.
Probably not necessary but I wanted to see the options.
Thanks for the response.
02-13-2020 09:24 PM
Hi,
That will not work.
The best option is always to use a vpn. The vpn will need to be authenticated, audited and you can control what can be accessed from once authenticated.
Thanks
John
02-14-2020 05:38 AM
Thanks for the response. I was just looking for any options if I did want to do this. The VPN is the obvious and best method.