VTY Access Mgmt-vrf and External

darkmallrat
Level 1

All,

I have an ASR920 for internet routing. Management interface is on the inside and I have an ACL applied to lines 0-5 on VTY and applying to that Mgmt-VRF. This is working just fine for internal management access. I would also like to allow VTY access from a specific host address coming from the internet. Would I just create another ACL with that host address specified and apply that ACL to VTY lines 5 10 and leave the current on lines 0 5 with the mgmt-vrf acl or what is the best way to achieve this?

Current:

line vty 0 5
access-class VTY-Access in vrfname Mgmt-intf
exec-timeout 180 0
transport input ssh
transport output ssh

4 Replies

Francesco Molino
VIP Alumni
Hi

Not sure I get it right.
This management subnet already has access to the Internet? If so, you want to authorize one host to be able to access it?

I believe you have a firewall filtering this access and doing NAT.
Why not use your actual ACL to add this public host?

If you want to dedicate a specific line to avoid multiple connections, you can assign it to a line and use the rotary command to make SSH listen on a specific port that will be used from the remote host instead of the default port.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The Mgmt interface and Mgmt-int VRF are on the inside network. The ACL is applied to the VRF and there is no access to that interface from the outside. Putting in place another ACL for VTY access from the outside is more of a backup in case there is something I need to do on the routers from home and do not have the ability to VPN into the network. The one host is a static IP from my home office. It isn't necessary that I have it in place. I've never had a situation where the VPN was not available.

Probably not necessary but I wanted to see the options.

Thanks for the response.

johnd2310
Level 8

Hi,

That will not work.

  1. The management interface is in a separate vrf. How do you route to that vrf?
  2. How are you planning to force the Internet user to use lines 5 10?

The best option is always to use a VPN. The VPN will need to be authenticated and audited, and you can control what can be accessed once authenticated.

Thanks

John

**Please rate posts you find helpful**

Thanks for the response. I was just looking for any options if I did want to do this. The VPN is the obvious and best method.
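The point raised above, that an inbound session can land on any vty line, so every vty range must carry the same controls, can be checked mechanically. The following script is an added example (not from the original thread or from Cisco); it parses a constructed running-config excerpt modelled on the poster's setup, with a second, weaker range, and flags any vty range lacking an inbound access-class or allowing anything other than SSH.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not a real device's config):
# the first range matches the original post, the second range is the kind
# of extra range the poster proposed, here left without any access-class.
SAMPLE_CONFIG = """\
line vty 0 5
 access-class VTY-Access in vrfname Mgmt-intf
 exec-timeout 180 0
 transport input ssh
 transport output ssh
line vty 6 15
 exec-timeout 180 0
 transport input telnet ssh
"""

def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Return {"first last": [indented child lines]} for each 'line vty' block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            # A single-line form "line vty 3" covers just that one line.
            current = f"{m.group(1)} {m.group(2) or m.group(1)}"
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_vty(config: str) -> List[str]:
    """Flag vty ranges that would accept a session with weaker controls:
    no inbound access-class, or a transport input that is not SSH-only."""
    findings: List[str] = []
    for rng, children in parse_vty_blocks(config).items():
        if not any(re.match(r"access-class \S+ in\b", c) for c in children):
            findings.append(f"line vty {rng}: no inbound access-class")
        transport = [c for c in children if c.startswith("transport input ")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"line vty {rng}: transport input is not ssh-only")
    return findings

if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config | section line vty` to audit a real device; an empty result means every range carries both controls.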
