cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
186
Views
0
Helpful
4
Replies
Highlighted
Beginner

VTY Access Mgmt-vrf and External

All,

I have an ASR920 for internet routing. Management interface is on the inside and I have an ACL applied to lines 0-5 on VTY and applying to that Mgmt-VRF. This is working just fine for internal management access. I would also like to allow VTY access from a specific host address coming from the internet. Would I just create another ACL with that host address specified and apply that ACL to VTY lines 5 10 and leave the current on lines 0 5 with the mgmt-vrf acl or what is the best way to achieve this?

 

Current:

line vty 0 5
access-class VTY-Access in vrfname Mgmt-intf
exec-timeout 180 0
transport input ssh
transport output ssh

 

 

4 REPLIES 4
Highlighted
VIP Advisor

Re: VTY Access Mgmt-vrf and External

Hi

Not sure i get it right.
This management subnet has already access to Internet? If so you want to authorize 1 host to be able to access it?

I believe you have a firewall filtering this access and doing nat.
Why not using your actual acl to add this public host?

If you want to dedicate a specific line to avoid multiple connections, you can assign it to a line and use the rotary command to make ssh listen to a specific port that will be used from the remote host instead of the default port.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
Beginner

Re: VTY Access Mgmt-vrf and External

The Mgmt interface and Mgmt-int VRF are on the inside network. The ACL is applied to the VRF and there is no access to that interface from the outside. Putting in place another ACL for VTY access from the outside is more of a backup in case there is something I need to do on the routers from home and do not have the ability to VPN into the network. The one host is a static IP from my home office. It isn't necessary that I have it in place. I've never had a situation where the VPN was not available.

 

Probably not necessary but I wanted to see the options. 

 

Thanks for the response.

 

 

Highlighted
Collaborator

Re: VTY Access Mgmt-vrf and External

Hi,

That will not work

  1. The management interface is in a separate vrf. How do you route to that vrf?
  2. How are you planning to force the Internet user to use lines 5 10?

The best option is always to use a vpn. The vpn will need to be authenticated, audited and you can control what can be accessed from once authenticated.

Thanks

John

**Please rate posts you find helpful**
Beginner

Re: VTY Access Mgmt-vrf and External

Thanks for the response. I was just looking for any options if I did want to do this. The VPN is the obvious and best method.