Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
44758
Views
35
Helpful
9
Replies

Access-list for no ssh/telnet access

Patrick McHenry
Level 4
Level 4

‎06-25-2012 10:58 AM - edited ‎03-04-2019 04:47 PM

Hi,

I want to deny telnet and ssh access to a outside router interface but, allow ssh to other inside interfaces. How do I go about doing that with cli?

Thansk, Pat.

1 person had this problem
Labels:
0 Helpful
9 Replies 9

smehrnia
Level 7
Level 7

‎06-25-2012 12:26 PM

hi,

access-list 105 deny tcp any host [10.10.10.1 interface ip] eq 23

access-list 105 permit ip any any

then apply it to the input direction of the interface you expect traffic comming in to be denied.

exmple:

int f0/0

ip access-group 105 in

Hope it Helps,

Soroush.

Hope it Helps!

Soroush.

nathanaelminesso
Level 1
Level 1

‎06-25-2012 12:37 PM

Hi Pat,

You can create an extended, named access list with two deny sequences and then ad a permit any any sequence at the end. Once you have done that you can apply it inbound to the router interface you want.

Example:

conf t

ip access-list extended Marsupilami

deny 5 tcp any any eq telnet

deny 10 (blablabla)

permit 15 (blablabla)

exit

Interface (your interface)
 ip access-group Marsupilami in
 end

You can also have a look at the link below which explains everything in detail.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
Regards,
Nate

Richard Burts
Hall of Fame
Hall of Fame

‎06-25-2012 12:39 PM

Pat

I am not clear what you are trying to achieve. It sort of sounds like if the router had outside interface of FastEth0/0 and inside interface of FastEth0/1 that you want to deny telnet and SSH to the address of FastEth0/0 and permit access to the address of FastEth0/1. If that is the case then a config something like this would do it"

interface fasteth0/0

ip address 100.100.100.1 255.255.255.128

ip access-group 151 in

interface fasteth0/1

ip address 192.168.100.1 255.255.255.0

ip access-group 151 in

access-list 151 deny tcp any host 100.100.100.1 eq 22

access-list 151 deny tcp any host 100.100.100.1 eq 23

access-list 151 permit ip any any

Note that to be effective this access list needs to be applied to each interface.

But I do not see many people with requirements to restrict access based on destination interface and find that most people have requirements that restrict access based on where the access originates. If that is what you want to achieve than a configuration sort of like this should work

access-list 66 permit 192.168.100.0 0.0.0.255

access-list 66 deny any

line vty 0 4

access-class 66 in

note that this uses a standard access list rather than an extended access list and that the access list is applied to the vty using access-class and not to interfaces using ip access-group.

HTH

Rick

HTH

Rick

Patrick McHenry
Level 4
Level 4
In response to Richard Burts

‎06-25-2012 01:41 PM

I want to permit ssh acces from the inside interface but, deny ssh acces from the outside interface that faces the Internet.

Thanks, Pat.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Patrick McHenry

‎06-25-2012 05:27 PM

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

You want to block all telnet or SSH entering the router's outside interface, or just to the outside interface, or just to this router?  Also what about telnet or SSH exiting the router's outside interface? You want to block all such traffic, just traffic being source from the outside interface or any traffic sourced from the router?

PS:

BTW, I believe, blocking SSH will also block SCP.

Patrick McHenry
Level 4
Level 4
In response to Joseph W. Doherty

‎06-26-2012 04:27 AM

I want to stop anyone from trying to log into the router from the outside. As it is now someone can ssh into the router from the Internet. As far as I know the router will only be used to send and receive secure web traffic for authenticationg remote users as they set up their 881s via MEVO but, there might be more I am not 100% sure. If secure web is all I need then, maybe I should block everything but secure web. What I definately want to do is stop anyone from attempting an ssh connection through the public address. Kind of inexperianced with security.

Thanks, Pat.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎06-26-2012 04:33 AM

Hi Patrick,

in this case you can choose Rick solution with the access-class on the vty lines.

Regards.

Alain.

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Vinay1991
Level 1
Level 1

‎10-27-2024 06:18 AM

Can get help

for block ssh wan port from inside and outside

wan port 0/0

lan port 0/1

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Vinay1991

‎10-27-2024 04:34 PM

Hi,

 Easiest way, if you don't want ANY ssh access on the box, just disable SSH by specifying a non-existing RSA key-pair via command "ip ssh rsa keypair-name UNDEFINED".

  Otherwise, if you do want to allow SSH access from specific boxes only, do the following:

ip access-list extended FILTER
  permit tcp host SSH_CLIENT_IP host ROUTER_IP eq 22
  deny tcp any host ROUTER_IP eq 22
  permit ip any any
!
interface WAN
 ip access-group FILTER in
!
interface LAN
 ip access-group FILTER in

 Best,

Cristian.

0 Helpful
Customers Also Viewed These Support Documents
Top