Securing router with ACL

lesboyce911
Level 1

I need to secure my routers by only allowing certain hosts on my internal network to access them. I use SSH. I have tried using ACLs, but the connection is refused when I set line vty 0 4 to use the access-class # in command.

Can someone be so kind as to show me the errors I am making? These are all external-facing routers with external IPs. I am NAT'd behind a firewall.

Example:


access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22

!
interface FastEthernet0/0
 ip address myexternalipaddress 255.255.255.248
 no ip redirects
 no ip unreachables
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip unnumbered FastEthernet0/0
 no arp frame-relay
 frame-relay interface-dlci 500
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
line vty 0 4
 session-timeout 30
 login local
 access-class 101 in
 transport input ssh
 transport output none
!

Thanks in advance for your assistance.
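
Added example, not part of the original post and not Cisco code: a small Python model of first-match ACL evaluation with the implicit deny, showing how an entry keyed on a pre-NAT internal address fails to match once a firewall has translated the source. All addresses are constructed from RFC 1918 and RFC 5737 ranges, and the function names are hypothetical; the model covers only `tcp` entries with `host`, `any`, wildcard masks and `eq`.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (address, wildcard) ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp <src> <dst> [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")
    action, rest = tok[2], tok[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, src, dst, port

def _hit(ip, spec):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    addr, wild = spec
    return ((_ip(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl_lines, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match falls to the implicit deny."""
    for line in acl_lines:
        action, src, dst, port = parse_ace(line)
        if _hit(src_ip, src) and _hit(dst_ip, dst) and port in (None, dst_port):
            return action
    return "deny"

# Constructed sample addresses (assumptions, not values from the post).
ADMIN_INSIDE = "10.1.1.50"      # admin host before the firewall's NAT
ADMIN_NATTED = "203.0.113.10"   # the same host as seen after translation
ROUTER = "198.51.100.1"         # router's external interface
ACL = [f"access-list 101 permit tcp host {ADMIN_INSIDE} host {ROUTER} eq 22"]

if __name__ == "__main__":
    for seen_as in (ADMIN_INSIDE, ADMIN_NATTED):
        print(seen_as, "->", evaluate(ACL, seen_as, ROUTER, 22))
```
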