I have an ASR920 for internet routing. The management interface is on the inside, and I have an ACL applied to VTY lines 0-5 that applies to the Mgmt-VRF. This is working just fine for internal management access. I would also like to allow VTY access from a specific host address coming from the internet. Would I just create another ACL with that host address specified and apply that ACL to VTY lines 5-10, leaving the current one with the Mgmt-VRF ACL on lines 0-5, or what is the best way to achieve this?
line vty 0 5
access-class VTY-Access in vrfname Mgmt-intf
exec-timeout 180 0
transport input ssh
transport output ssh
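An added example of how such a configuration is shaped on IOS-XE; it is not the original poster's running config and is not taken from Cisco documentation. Splitting the two ACLs across VTY line ranges, as the question proposes, does not do what is wanted: IOS hands each incoming session to the lowest free VTY line, so an internal session can land on line 6 and an external one on line 0, and each is then checked only against whatever access-class that particular line carries. Every VTY line therefore needs the same set of access-class statements. IOS-XE's per-VRF access-class (`access-class ACL in vrfname VRF`) lets one line carry one ACL for sessions that arrive inside the Mgmt-intf VRF and a separate ACL for sessions that arrive via the global routing table. The VRF name Mgmt-intf comes from the post; the management subnet 10.10.10.0/24, the home-office host 203.0.113.50 and the ACL names are made-up values, and whether a given IOS-XE release accepts both a vrfname access-class and a non-VRF access-class on the same line is an assumption to confirm in a lab before relying on it.

```cisco
! Added example; not the original poster's running config.
! Assumed values: internal management subnet 10.10.10.0/24,
! home-office static IP 203.0.113.50 (documentation range), ACL names below.
!
! ACL for sessions that arrive inside the Mgmt-intf VRF (internal management).
ip access-list standard VTY-MGMT
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! ACL for sessions that arrive via the global routing table (internet side).
! Exactly one host is permitted; the logged deny records every other attempt.
ip access-list standard VTY-INET
 permit host 203.0.113.50
 deny   any log
!
! Basic hardening for an SSH service that is reachable from the internet.
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 2
login block-for 300 attempts 3 within 60
login on-failure log
!
! The same access-class statements on EVERY vty line, because IOS assigns a
! new session to the lowest free line; a per-range split cannot be relied on.
! (Assumption: this release accepts a vrfname and a non-VRF access-class
! together on one line. If it does not, merge both sources into one ACL and
! apply it with "access-class VTY-ALL in vrf-also" instead.)
line vty 0 5
 access-class VTY-MGMT in vrfname Mgmt-intf
 access-class VTY-INET in
 exec-timeout 15 0
 transport input ssh
 transport output ssh
```

The `deny any log` entries are what make this auditable: a syslog line for every refused connection is the only signal that someone other than the intended host is probing the service, and a 15-minute exec-timeout rather than the three hours in the post limits how long an unattended session from the internet side stays open. An ACL on a source address is still only as strong as the network behind that address: a compromised host on the home LAN satisfies it, which is why a VPN with its own authentication remains the better choice, as the reply below says.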
The Mgmt interface and Mgmt-int VRF are on the inside network. The ACL is applied to the VRF, and there is no access to that interface from the outside. Putting in place another ACL for VTY access from the outside is more of a backup in case there is something I need to do on the routers from home and I do not have the ability to VPN into the network. The one host is a static IP from my home office. It isn't necessary that I have it in place. I've never had a situation where the VPN was not available.
Probably not necessary but I wanted to see the options.
Thanks for the response.
That will not work.
The best option is always to use a VPN. The VPN will need to be authenticated and audited, and you can control what can be accessed once authenticated.