01-13-2021 03:01 PM
i have a 2921 router and a 4431 router. both of them have the vty config below.
line vty 5 15
session-timeout 5
access-class Internal in (the 4431 has a "vrf-also" here)
exec-timeout 5 0
transport input ssh
Standard IP access list Internal
10 permit 10.0.0.0 0.255.255.255 log
99 deny any
if i try to ssh (putty) from an ip outside of the 10 subnet to the 2921, it doesn't even connect. "network error: connection refused." this is what i want. but if i try to ssh to the 4431 from an ip outside of the 10 subnet, i get prompted for credentials and then i get Access Denied when i put in correct credentials. and a failed login is logged as "reason: login authentication failed." if i ssh from inside the 10 subnet, i can connect.
why do these behave differently with the same config? is there a feature/benefit/"upgrade" i'm not seeing? do i have to put an access list on each router interface on the 4431 denying tcp 22 to its IP address if i don't even want it to entertain ssh logins? (there are no such access lists on the interfaces of the 2921)
01-21-2021 12:21 PM
ping?
01-21-2021 03:02 PM
Hi there,
What does line vty 0 4 look like on the ISR4431? Is the access-class command present?
cheers,
Seb.
01-21-2021 03:05 PM
line vty 0 4 is not there at all.
01-22-2021 01:45 AM - edited 01-22-2021 01:45 AM
Strange, but I don't have one to confirm the config. This page suggests it should be present in the config:
Can you try the following config commands:
!
line vty 0 4
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
!
Does it appear in the running config?
cheers,
Seb.
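Seb's point above is that the access-class only protects the vty range it is configured under, so a router whose running config carries no line vty 0 4 block leaves the first five vty lines without an inbound filter. The following script is an added example and is not from the thread or from Cisco: it parses an IOS-style running config, collects every line vty block, and reports which vty numbers are not covered by a block that has an access-class applied inbound. It assumes sixteen vty lines (0 to 15) exist on the device, and the two sample configs are constructed to resemble the one posted for the ISR4431 before and after the suggested fix.

```python
import re
from typing import Dict, List, Tuple

# Matches the block header "line vty <first> [<last>]" in a running config.
VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?$")

# Matches an inbound access-class, with or without the trailing "vrf-also".
ACCESS_CLASS_IN = re.compile(r"^access-class \S+ in\b")


def parse_vty_blocks(config: str) -> Dict[Tuple[int, int], List[str]]:
    """Return {(first, last): [sub-commands]} for each 'line vty' block.

    Sub-commands are the indented lines that follow the header in a
    running config; any unindented line ends the block.
    """
    blocks: Dict[Tuple[int, int], List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # comments / separators carry no configuration
        header = VTY_HEADER.match(line)
        if header:
            first = int(header.group(1))
            last = int(header.group(2)) if header.group(2) else first
            current = (first, last)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # some other top-level command: leave the vty block
    return blocks


def unprotected_vty_lines(config: str, total_lines: int = 16) -> List[int]:
    """List vty numbers not covered by a block carrying 'access-class ... in'.

    total_lines is an assumption about the platform (vty 0-15 here); lines
    absent from the running config are still counted as existing.
    """
    protected = set()
    for (first, last), commands in parse_vty_blocks(config).items():
        if any(ACCESS_CLASS_IN.match(cmd) for cmd in commands):
            protected.update(range(first, last + 1))
    return sorted(set(range(total_lines)) - protected)


# Constructed sample: the access-class is only under vty 5 15, as in the thread.
BEFORE_FIX = """\
!
line con 0
 exec-timeout 5 0
line vty 5 15
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
!
"""

# Constructed sample: the same config after adding the suggested vty 0 4 block.
AFTER_FIX = """\
!
line con 0
 exec-timeout 5 0
line vty 0 4
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 session-timeout 5
 access-class Internal in vrf-also
 exec-timeout 5 0
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        gaps = unprotected_vty_lines(cfg)
        print(f"{name}: unfiltered vty lines -> {gaps if gaps else 'none'}")
```

Run against a saved copy of "show running-config", the script prints the vty numbers that have no inbound access-class; an empty result means every vty range the router can hand a session to is filtered by the ACL.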