line vty 4400

curtmcgirt
Level 1

I have a 2921 router and a 4431 router. Both of them have the vty config below.

line vty 5 15
session-timeout 5
access-class Internal in (the 4431 has a "vrf-also" here)
exec-timeout 5 0
transport input ssh

Standard IP access list Internal
10 permit 10.0.0.0 0.255.255.255 log
99 deny any 

If I try to SSH (PuTTY) from an IP outside of the 10 subnet to the 2921, it doesn't even connect: "network error: connection refused." This is what I want. But if I try to SSH to the 4431 from an IP outside of the 10 subnet, I get prompted for credentials and then I get Access Denied when I put in correct credentials, and a failed login is logged as "reason: login authentication failed." If I SSH from inside the 10 subnet, I can connect.

Why do these behave differently with the same config? Is there a feature/benefit/"upgrade" I'm not seeing? Do I have to put an access list on each router interface on the 4431 denying TCP 22 to its IP address if I don't even want it to entertain SSH logins? (There are no such access lists on the interfaces of the 2921.)

4 Replies

curtmcgirt
Level 1

ping?

Seb Rupik
VIP Alumni

Hi there,

What does line vty 0 4 look like on the ISR4431? Is the access-class command present?

cheers,

Seb.

curtmcgirt
Level 1

line vty 0 4 is not there at all. 

Strange, but I don't have one to confirm the config. This page suggests it should be present in the config:

https://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/guide/isr4400swcfg/bm_isr_4400_sw_config_guide_chapter_0110.html#concept_727815457FF24EFA84721036571707C7

Can you try the following config commands:

!
line vty 0 4
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
!

Does it appear in the running config?

cheers,

Seb.
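Added example, not from this thread or from Cisco: a small Python audit that parses the `line vty` blocks out of a saved running-config and reports any vty range that lacks an inbound access-class, allows a transport other than SSH, or is simply absent from the config. That last case is the gap Seb is probing for on the ISR4431: an incoming SSH session takes the lowest free vty, so an unfiltered vty 0 4 is reached before the filtered vty 5 15 and the login prompt appears. The sample config and the assumption that the router has vty lines 0 through 15 are constructed for the example.

```python
import re

# Constructed sample mirroring the thread's ISR4431: the access-class sits only
# on vty 5 15 and there is no "line vty 0 4" block at all.
SAMPLE_CONFIG = """\
hostname ISR4431-lab
!
line vty 5 15
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
!
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # an unindented command ends any block
            m = VTY_RE.match(line)
            current = None
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = blocks.setdefault((first, last), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_vty(config, max_vty=15):
    """List vty lines 0..max_vty (assumed range) lacking an inbound access-class,
    allowing non-SSH transport, or absent from the config (so no ACL applies)."""
    blocks, findings, covered = parse_vty_blocks(config), [], set()
    for (first, last), cmds in blocks.items():
        covered.update(range(first, last + 1))
        has_acl = any(c.split()[0] == "access-class" and "in" in c.split()[2:] for c in cmds)
        ssh_only = "transport input ssh" in cmds
        if not has_acl:
            findings.append(f"vty {first} {last}: no inbound access-class")
        if not ssh_only:
            findings.append(f"vty {first} {last}: transport input is not ssh-only")
    missing = sorted(set(range(max_vty + 1)) - covered)
    if missing:
        findings.append(f"vty lines absent from config: {missing}")
    return findings
```

Run `audit_vty(open("running-config.txt").read())` against a `show running-config` capture; an empty list means every vty line in the assumed range is filtered and SSH-only.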
