11-07-2015 04:08 AM - edited 03-05-2019 02:41 AM
Dear all, please help me.
How can I permit only the IP address xx.xx.xx.xx / 28 (public IP) on the router
and block all IPs coming from the internet by blocking SSH and Telnet?
Please help, and thanks.
11-07-2015 04:36 AM
ip access-list extended ACL-INTERNET-IN
 deny tcp any x.x.x.x 0.0.0.15 eq 22 23
 permit ip any any
Apply the ACL inbound on your Internet-facing interface, e.g.
int g0
 ip access-group ACL-INTERNET-IN in
11-07-2015 05:21 AM
Dear barnesp,
Thank you for the answer.
But I mean I want to block all IP addresses from the internet and only allow one IP, i.e. 11.11.11.16/28,
that can access from outside (internet).
Thanks
11-07-2015 05:28 AM
Try this
ip access-list extended ACL-INTERNET-IN
 permit tcp 11.11.11.16 0.0.0.15 host <OUTSIDE-INTERFACE-ADDRESS> eq 22 23
 deny tcp any any eq 22 23
 permit ip any any
First line allows you to manage the router.
Second line denies all other telnet or SSH.
Third line permits all other Internet traffic.
BTW - you should only use SSH, as Telnet is more vulnerable to MitM attacks.
11-07-2015 06:14 AM
Dear barnesp,
Thank you for the help, I will try it first.
Thanks
11-07-2015 06:59 PM
If you are going to limit Telnet or SSH to the router, this is easier.
access-list 10 permit 11.11.11.16 0.0.0.15 (put your IP instead)
access-list 10 deny any log
line vty 0 4
 access-class 10 in
If you are going to limit Telnet or SSH to your LAN, use barnesp's configuration with a little change. You may deny other services using SSH if you use "deny any".
permit tcp 11.11.11.16 0.0.0.15 host <hosts inside your network you want to limit> eq 22 23
deny tcp any <hosts inside your network> eq 22 23
permit ip any any
Masoud
11-13-2015 12:02 AM
Dear Masoud
I've managed to apply it. Thanks very much.
11-07-2015 09:23 PM
Hello,
If you only want to block SSH and Telnet, then it is better to use the simpler way: allow the required IP for access to the devices over SSH or Telnet, and apply the ACL to line vty by calling access-class.
Ex: access-list 10 permit 11.11.11.16 0.0.0.15
The implicit deny is always there in ACLs.
Then call this ACL under access-class:
switch(config)# line vty 0 15
switch(config-line)# access-class 10 in
switch(config-line)# exit
Hope it helps.
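To check what the two ACL styles in this thread actually do to a given connection (wildcard mask boundaries, the "eq 22 23" port list, and the implicit deny at the end), here is an added Python evaluator for the subset of IOS ACL syntax used above. It is not from the thread or from Cisco; the sample ACLs are constructed from the posts, and 198.51.100.1 is an assumed stand-in for the router's outside interface address.

```python
import ipaddress

def _net(t):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    # an IOS wildcard mask is the bitwise inverse of a subnet mask (0.0.0.15 == /28)
    mask = ".".join(str(255 - int(o)) for o in t[1].split("."))
    return ipaddress.ip_network(f"{t[0]}/{mask}", strict=False), t[2:]

def parse_acl(text):
    """Parse numbered standard or named extended IOS entries (a subset) into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "ip":            # skip the 'ip access-list extended NAME' header
            continue
        if t[0] == "access-list":   # numbered standard ACL: drop 'access-list N'
            del t[:2]
        action = t.pop(0)
        proto = t.pop(0) if t[0] in ("tcp", "udp", "ip") else "ip"
        src, t = _net(t)
        dst, ports = ipaddress.ip_network("0.0.0.0/0"), None
        if t and t[0] != "log":     # extended entry: destination and optional 'eq' ports
            dst, t = _net(t)
            if t and t[0] == "eq":
                ports = {int(p) for p in t[1:] if p.isdigit()}
        rules.append(dict(action=action, proto=proto, src=src, dst=dst, ports=ports))
    return rules

def evaluate(rules, src, dst, proto="tcp", dport=None):
    """First matching entry decides; every IOS ACL ends with an implicit 'deny any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and (r["ports"] is None or dport in r["ports"])):
            return r["action"]
    return "deny"

# Constructed samples following the thread; 198.51.100.1 is an assumed outside address.
INTERNET_IN = parse_acl("""
ip access-list extended ACL-INTERNET-IN
 permit tcp 11.11.11.16 0.0.0.15 host 198.51.100.1 eq 22 23
 deny tcp any any eq 22 23
 permit ip any any""")
VTY_ACL = parse_acl("""
access-list 10 permit 11.11.11.16 0.0.0.15
access-list 10 deny any log""")
```

Note that 11.11.11.32 falls outside 11.11.11.16 0.0.0.15 (the block is .16 to .31), so it hits the deny entry, and the vty ACL denies everything else even without the explicit "deny any log" line.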
11-13-2015 12:04 AM
Dear Ganesh,
I've managed to apply it. Thanks very much.