need to block ssh in one interface 2900 router

manojkulk
Level 1

Router 2900: I need to block SSH on one interface. Please help me.


Samil Lama
Level 1

Hello Manoj,

This could be done with an ACL, and it should not go on an interface; it should be applied on the VTY lines.

For example, if you only want to allow SSH access from 172.16.1.0/24 and block other requests (like Telnet), try the following.

R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#10 permit tcp 172.16.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#500 deny ip any any log

R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end
R1#

The way you are asking is possible too, you could try the following:

R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#10 deny tcp any any eq 22
R1(config-ext-nacl)#20 permit ip any any

R1(config-ext-nacl)#interface

R1(config-if)#ip access-group VTY_ACCESS in
R1(config-if)#end
R1#

This would block all SSH requests entering the interface where it's been applied.

Regards.

Please don't forget to rate helpful posts.

I am trying with the second command line. It is taken, but it is not blocking SSH or Telnet, so please help me with this.

Hi,

For example, suppose you want to block SSH on f0/0 (with IP address x.x.x.x):

ip access-list extended NO_SSH
deny tcp any host x.x.x.x eq ssh
permit ip any any
int f0/0
ip access-group NO_SSH in

Rem: don't forget to add the other IPs on the router in deny statements before the permit ip any any.

Other solution:

Let's suppose the IP subnet coming into f0/0 is 10.0.0.0/24:

access-list 1 deny 10.0.0.0 0.0.0.255
access-list 1 permit any
line vty 0 4
access-class 1 in

The same remark is applicable for this solution.

Regards

Alain

Don't forget to rate helpful posts.
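
The remark above about the router's other IP addresses, as an added example that is not part of any post in this thread: a small first-match evaluator for extended ACL entries that reports, for each router address, whether SSH arriving on the filtered interface is permitted or denied. The addresses 192.0.2.1 (standing in for x.x.x.x on f0/0), 198.51.100.1 (a second router interface) and the client 10.0.0.5 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

PORTS = {"ssh": 22, "telnet": 23}  # IOS port keywords used in this thread

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_entry(line):
    """Parse one extended-ACL entry, with or without a sequence number."""
    tok = line.split()
    if tok[0].isdigit():
        tok = tok[1:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _spec(rest)
    dst, rest = _spec(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def _hit(spec, addr):
    """Wildcard bits set to 1 are ignored when comparing addresses."""
    base, wild = spec
    return ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def verdict(acl, src, dst, dport, proto="tcp"):
    """The first matching entry wins; every ACL ends with an implicit deny."""
    for action, p, s, d, port in map(parse_entry, acl):
        if p in ("ip", proto) and _hit(s, src) and _hit(d, dst) and port in (None, dport):
            return action
    return "deny"

def ssh_exposure(acl, router_ips, src):
    """Map each router address to the ACL verdict for TCP/22 from src."""
    return {ip: verdict(acl, src, ip, 22) for ip in router_ips}

# Constructed sample data: f0/0 address plus one other interface on the router.
ROUTER_IPS = ["192.0.2.1", "198.51.100.1"]
NO_SSH = ["deny tcp any host 192.0.2.1 eq ssh", "permit ip any any"]
NO_SSH_ALL = NO_SSH[:1] + ["deny tcp any host 198.51.100.1 eq ssh"] + NO_SSH[1:]

if __name__ == "__main__":
    print(ssh_exposure(NO_SSH, ROUTER_IPS, "10.0.0.5"))      # second address still permitted
    print(ssh_exposure(NO_SSH_ALL, ROUTER_IPS, "10.0.0.5"))  # both denied
```

This models only the inbound ACL on one interface; it does not model routing, VTY access-class filtering, or traffic arriving on other interfaces.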


I used all these commands, but it is not blocking SSH, or sometimes it blocks the internet. Please do the needful.

Manoj,

Can you please provide us the configuration of your device?

Regards

Inayath
