08-07-2014 05:29 AM - edited 03-04-2019 11:30 PM
Hello,
I have a router with an interface pointed outside. My goal is to put an ACL in place that blocks all SSH traffic except SSH coming from inside the network. Here is what I came up with. I would then apply this to the VTY lines coming IN. Would this be appropriate for what I'm trying to do or is there a better way?
Thanks for any feedback.
It would be an extended ACL
permit tcp 10.43.0.0 0.0.255.255 host 69.X.X.X eq 22
deny tcp any host 69.X.X.X eq 22
permit ip any any
08-07-2014 07:02 AM
Apply an 'access-group', allowing only your LAN, on the vty line ...
-Brj
08-07-2014 09:00 AM
A standard access-list would suffice for VTY access-class. There's no need to go overboard with extended ACLs matching protocols.
ip access-list standard vty-in
permit 10.43.0.0 0.0.255.255
deny any log
!
line vty 0 4 (or last line, that may differ)
transport input ssh
access-class vty-in in vrf-also <-- vrf-also is optional, but suggested to have OOB management
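To check what the standard ACL above actually admits before applying it as an access-class, here is a small Python model of IOS first-match evaluation with wildcard masks and the implicit deny at the end. This is an added example, not code from the thread; the ACL entries and the sample source addresses are constructed from the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the post: `ip access-list standard vty-in`.
# Each entry is (action, network, wildcard); "any" needs no wildcard.
VTY_IN_ACL: List[Tuple[str, str, Optional[str]]] = [
    ("permit", "10.43.0.0", "0.0.255.255"),
    ("deny", "any", None),  # 'log' only affects logging, not the decision
]


def wildcard_match(addr: str, network: str, wildcard: Optional[str]) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    care = ~w & 0xFFFFFFFF  # bits that must be equal
    return (a & care) == (n & care)


def evaluate(acl: List[Tuple[str, str, Optional[str]]], src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample sources: one LAN host, one adjacent range, one Internet host.
    for src in ("10.43.7.20", "10.44.0.1", "203.0.113.9"):
        print(f"{src:>14} -> {evaluate(VTY_IN_ACL, src)}")
```

Running it shows only the 10.43.0.0/16 host reaching the VTY lines; the adjacent 10.44.0.0 range and any outside address hit the deny entry.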