asr1004 access list

julxu
Level 1

Hi

I have a simple question, but it is hard for me right now.

I have this configuration:

ip access-list standard noLogin
 permit 10.10.10.10 log
 deny any log

line vty 0 4
 access-class noLogin in    <- I have also tested this with an extended list
 transport prefer ssh
 transport input ssh

If I do not have this access-class, I can SSH into the box from another machine.

If I do have this statement, I cannot log in any more, but show access-list shows that packets match line one (permit 10.10.10.10 log).

The trace on the Unix machine shows the box sending {RST, ACK} every time.

But if I remove the access-class, I can SSH in not only through the management port but also through the public port.

Is there some tip I missed? How can I allow only certain people to log in? Is the ASR1000 different, or is something wrong with my configuration?

Any comments appreciated.

Thanks in advance.

julxu

2 Accepted Solutions (both from Mike Williams; they appear in the replies below)


5 Replies

Mike Williams
Level 5

Are you using VRFs? If so, try access-class noLogin in vrf-also.

Regards,
Mike


Thanks Mike.

Please advise how I do this, or point me to the docs.

On the default VRF I have not seen an access-class command.

julxu

ip access-list extended nologin
 permit ip host 10.10.10.x any    (allow a single host here)
 deny ip any any

Apply that.

Jawad

This is only the access-list, which already exists.

The problem is that I cannot find where in the VRF I can apply the access-list.

If you know, please advise.

julxu

You apply it in the vty section as normal; you just add the vrf-also tag at the end.

line vty 0 15

  access-class noLogin in vrf-also

You can refer to the command documentation here:

http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389

By default, the vty access-class only processes for the global routing table, not for any VRFs. Since the ASR comes with a management port on a management VRF by default, you will need this syntax for it to work.

Regards,

Mike
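To make the behaviour Mike describes concrete, here is a small Python model of the vty access-class decision. It is an example added to this thread, not Cisco code. It parses a standard ACL (the noLogin list from the first post, with the host and address/wildcard forms handled as well), applies first-match evaluation with the implicit deny, and then applies the documented rule that a session arriving on an interface that belongs to a VRF is rejected unless vrf-also is set. The VRF name Mgmt-intf, and the assumption that the ACL counter is updated before the VRF check (chosen to match the post's observation that line one counted hits while the client saw RST/ACK), are not taken from the thread.

```python
"""Model of an IOS vty 'access-class NAME in [vrf-also]' decision.

Added example for this thread, not Cisco code.  It encodes the documented rule
that without vrf-also a session arriving on an interface in a VRF is rejected
even when the ACL permits it, plus the post's observation that the ACL counter
still moves.  Standard ACLs only; the VRF name 'Mgmt-intf' is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # address + wildcard expressed as a prefix
    log: bool = False
    hits: int = 0                    # what 'show access-lists' would report


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a prefix (contiguous wildcards only)."""
    # Done by hand: ipaddress reads 0.0.0.0 as a /0 netmask, not a host wildcard.
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_standard_acl(lines):
    """Parse the ACEs of a standard ACL: 'permit 10.10.10.10', 'permit host X',
    'permit 192.0.2.0 0.0.0.255', 'deny any', each with optional 'log'."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue                     # header line or remark, not an ACE
        action, target, rest = tokens[0], tokens[1], tokens[2:]
        if target == "any":
            network = ipaddress.IPv4Network("0.0.0.0/0")
        elif target == "host":
            network, rest = ipaddress.IPv4Network(rest[0] + "/32"), rest[1:]
        else:
            wildcard = "0.0.0.0"         # no wildcard given means one host
            if rest and rest[0][0].isdigit():
                wildcard, rest = rest[0], rest[1:]
            network = wildcard_to_network(target, wildcard)
        entries.append(AclEntry(action, network, log="log" in rest))
    return entries


def acl_lookup(entries, src_ip):
    """First-match evaluation ending in the implicit 'deny any' of every IOS ACL."""
    ip = ipaddress.IPv4Address(src_ip)
    for entry in entries:
        if ip in entry.network:
            entry.hits += 1
            return entry.action
    return "deny"


def vty_accepts(entries, src_ip, src_vrf=None, vrf_also=False):
    """Return (accepted, reason) for a session from src_ip; src_vrf is None
    when it arrived via the global table, else the ingress interface's VRF."""
    # ACL first, so counters move even for sessions reset afterwards.  That order
    # is an assumption chosen to match the post (hits on line 1, client saw RST).
    if acl_lookup(entries, src_ip) != "permit":
        return False, "denied by access-class"
    if src_vrf is not None and not vrf_also:
        return False, f"rejected: arrived in VRF {src_vrf} without vrf-also"
    return True, "permitted"


# The ACL from the first post, reproduced here as constructed input.
NOLOGIN_ACL = [
    "ip access-list standard noLogin",
    " permit 10.10.10.10 log",
    " deny any log",
]


def demo():
    """Replay the thread's scenario: (accepted, reason, hits on line 1) per case."""
    results = {}
    for label, vrf, vrf_also in [
        ("global, no vrf-also", None, False),
        ("Mgmt-intf, no vrf-also", "Mgmt-intf", False),
        ("Mgmt-intf, vrf-also", "Mgmt-intf", True),
    ]:
        acl = parse_standard_acl(NOLOGIN_ACL)   # fresh counters per case
        accepted, reason = vty_accepts(acl, "10.10.10.10", vrf, vrf_also)
        results[label] = (accepted, reason, acl[0].hits)
    return results


if __name__ == "__main__":
    for label, (accepted, reason, hits) in demo().items():
        print(f"{label:24s} -> {'accept' if accepted else 'reset':6s} "
              f"line-1 hits={hits} ({reason})")
```

Running it prints one line per case: the session via the global table and the session with vrf-also are accepted, while the management-VRF session without vrf-also is reset even though the permit line recorded a hit, which is the symptom in the first post. Extended ACLs (Jawad's variant) are not parsed by this model.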
