08-19-2013 09:52 PM - edited 03-04-2019 08:49 PM
Hi
I have a simple question, but it is hard for me right now.
I have this configuration:
ip access-list standard noLogin
permit 10.10.10.10 log
deny any log
line vty 0 4
access-class noLogin in
(I have also tested this with an extended list.)
transport prefer ssh
transport input ssh
If I do not have this access-class, I can SSH into the box from another machine.
If I do have this statement, I cannot log in any more, but "show access-list" shows there are packets matching line one (permit 10.10.10.10 log).
The trace log on the Unix machine shows the box sends {RST, ACK} all the time.
But if I remove the access-class, I can SSH not only through the management port, but also through the public port.
Is there some tip I missed? How can I allow only certain people to log in? Is the ASR1000 different? Or is something wrong in my configuration?
any comments appreciated
thanks in advance
julxu
08-19-2013 10:15 PM
Are you using VRFs? If so, try access-class noLogin in vrf-also.
Regards,
Mike
Sent from Cisco Technical Support Android App
08-20-2013 06:48 AM
You apply it in the vty section like normal, you just add the vrf-also tag at the end.
line vty 0 15
access-class noLogin in vrf-also
You can refer to the command documentation here:
http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/1rfip1.html#wp1017389
By default, the vty access-class only processes for the global routing table, not for any VRFs. Since the ASR comes with a management port on a management VRF by default, you will need this syntax for it to work.
Regards,
Mike
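The behaviour in the thread (ACL matches increment, yet every SSH session is refused until vrf-also is added) is easy to miss in a config review. As an added example, not part of the thread or of any Cisco tooling, the script below parses a running-config excerpt and flags each "line vty" block whose "access-class ... in" lacks vrf-also while a VRF is defined on the box, which is exactly the ASR1000 management-port case. The sample config is constructed for the example; the VRF name Mgmt-intf, the interface GigabitEthernet0, the 192.0.2.10 address and the noLogin ACL are assumptions, not values from the original post.

```python
"""Audit an IOS / IOS-XE running-config for vty access-class lines that
will refuse sessions arriving through a VRF interface (e.g. the ASR1000
management port), i.e. 'access-class <acl> in' without 'vrf-also'."""
import re

# Constructed sample config (assumed names/addresses, not from the thread):
# a management VRF, a standard ACL, and two vty blocks, one without and one
# with the vrf-also keyword.
SAMPLE_CONFIG = """\
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.0.2.10 255.255.255.0
!
ip access-list standard noLogin
 permit 10.10.10.10 log
 deny   any log
!
line vty 0 4
 access-class noLogin in
 transport input ssh
line vty 5 15
 access-class noLogin in vrf-also
 transport input ssh
!
"""

# Matches both the legacy 'ip vrf NAME' and the newer 'vrf definition NAME'.
VRF_RE = re.compile(r"^(?:ip vrf|vrf definition) \S+", re.M)
# Inbound access-class on a vty: group 1 = ACL name, group 2 = optional vrf-also.
ACCESS_CLASS_IN_RE = re.compile(r"^access-class (\S+) in( vrf-also)?$")


def config_has_vrf(config: str) -> bool:
    """True if at least one VRF is defined anywhere in the config."""
    return VRF_RE.search(config) is not None


def parse_vty_blocks(config: str) -> dict:
    """Map each 'line vty A B' range to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+ \d+)$", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ('!', 'interface', ...) ends the block
    return blocks


def audit_vty_access_class(config: str) -> list:
    """Return [(vty_range, finding), ...].

    Findings:
      no-access-class  : no inbound ACL, so any reachable source can hit the vty
      missing-vrf-also : a VRF exists but the ACL lacks vrf-also, so sessions
                         arriving via a VRF interface are rejected outright,
                         even when the ACL would permit the source address
    """
    has_vrf = config_has_vrf(config)
    findings = []
    for rng, lines in parse_vty_blocks(config).items():
        match = next((ACCESS_CLASS_IN_RE.match(l) for l in lines
                      if ACCESS_CLASS_IN_RE.match(l)), None)
        if match is None:
            findings.append((rng, "no-access-class"))
        elif has_vrf and match.group(2) is None:
            findings.append((rng, "missing-vrf-also"))
    return findings


def suggest_fix(acl_name: str) -> str:
    """The corrected vty sub-command for a flagged block."""
    return f"access-class {acl_name} in vrf-also"


if __name__ == "__main__":
    for rng, finding in audit_vty_access_class(SAMPLE_CONFIG):
        print(f"line vty {rng}: {finding}")
```

Run against the sample, the script reports only "line vty 0 4: missing-vrf-also"; the 5-15 range is already correct. The "no-access-class" finding is the other common gap: a vty range (often the higher ones added later) that inherits no inbound ACL at all.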
08-19-2013 10:47 PM
Thanks Mike.
Please advise how I do it, or point me to the docs?
On the default VRF, I have not seen the access-class command.
julxu
08-19-2013 11:05 PM
ip access-list extended nologin
permit ip host 10.10.10.x any (allow a single host here)
deny ip any any
Apply that.
***Do Rate All Helpful Posts***
Jawad
08-19-2013 11:11 PM
Jawad
This is only the access-list, which already exists.
The problem is that I cannot find where in the VRF I can apply the access-list.
If you know, please advise.
julxu