Restrict Cisco Switch SSH Access to IPs

BashedRoot (Beginner)
14986 Views | 0 Helpful | 7 Replies

I thought I had IP restrictions set on my 3750G Cisco switch limiting access to my single IP, but I just accessed it from another IP and was able to get in. Not sure what's configured wrong here.

Cisco3750#show ip access-list
Extended IP access list Manage-SSH
    10 permit tcp host xx.xxx.158.114 host 0.0.0.0 eq 22
Cisco3750# show running-config
ip access-list extended Manage-SSH
 permit tcp host xx.xxx.158.114 host 0.0.0.0 eq 22
!

I want to update the IP and make sure it's truly restricted to one single IP. Any ideas?

7 REPLIES

johnd2310 (Collaborator)

Hi,

You just need an access-list that allows your host, and apply the access-list to the vty lines:

access-list 1 permit host x.x.x.x
line vty 0 4
 access-class 1 in

Thanks

John

**Please rate posts you find helpful**

Thank you but how do I restrict access to the switch via SSH to only my IP address? I was able to access from another IP before despite the access list (I posted in my OP).

Hi,

In your switch configuration, what access-list have you applied to line vty 0 4?

Thanks

John


Thanks, I think I got it. Just curious, though: I still see my IP under "Extended IP access list Manage-SSH". What is this feature and how do I clear it? Cisco's documents are overwhelming sometimes. So in the end, I want to restrict complete access to the switch to one (or two) IPs, mine, and deny any other access attempts not from my IPs.

Where is access-list Manage-SSH applied? You can still use access-list Manage-SSH to control traffic to your switch but this depends on where the access-list is applied.

You can delete entries in access-list Manage-SSH as follows:

ip access-list extended Manage-SSH
 no permit tcp host xx.xxx.158.114 host 0.0.0.0 eq 22

Thanks 

John


Hey I'm going out of the country for a few days and need to be able to access my Cisco switch from any IP. How do I enable any IP access? Right now I have the following. Thank you.

Cisco3750#show ip access-list
Standard IP access list 1
    10 permit xxx.xxx.200.254
    20 permit xxx.xxx.198.134
Extended IP access list 115
    10 permit tcp host xxx.xxx.33.6 host 0.0.0.0 eq 22
Extended IP access list Manage-SSH
    10 permit tcp host xxx.xxx.198.134 host 0.0.0.0 eq 22 (18 matches)
    20 permit tcp host xxx.xxx.33.6 host 0.0.0.0 eq 22 (2 matches)

Hello,

There are two ways to limit SSH connections.

1 - The way you are trying to do it:

ip access-list extended Manage-SSH
 permit tcp host [Remote IP (yours)] host [switch IP] eq 22
 deny tcp any any eq 22

You need to apply it in the IN direction:

interface vlan X
 ip access-group Manage-SSH in

2 - The way John mentioned: using access-class under line vty.

Hope it helps,

Masoud
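Both methods above (John's access-class on the vty lines and Masoud's interface ACL) only work if the ACL is actually applied somewhere, which is exactly what was missing in the original post: the ACL existed in the running-config but nothing referenced it. The script below is an added example written for this page, not code from the thread or from Cisco. It parses two constructed IOS-style running-config snippets (syntax assumed from the posts: numbered `access-list` entries, named `ip access-list` blocks with indented entries, and `line vty` blocks with `access-class ... in` and `transport input`), then reports whether every vty line that accepts SSH carries an inbound access-class naming a defined ACL, and flags ACLs that are defined but applied nowhere. The addresses in the samples are documentation ranges, not the poster's.

```python
# Audit whether an IOS running-config actually restricts SSH by source IP.
# Added example, not from the thread. Assumes the syntax shown in the posts:
# `access-list N ...`, `ip access-list ... NAME` with indented entries, and
# `line vty A B` blocks with `access-class NAME in` / `transport input ...`.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample 1 (the original post): the ACL exists but is applied
# nowhere, so every source IP can still reach the vty lines.
UNRESTRICTED_CONFIG = """\
ip access-list extended Manage-SSH
 permit tcp host 203.0.113.114 host 0.0.0.0 eq 22
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Constructed sample 2 (the fix the replies describe): access-class on every
# vty line. `deny any log` is optional; the implicit deny drops the same
# packets, just without a log message.
RESTRICTED_CONFIG = """\
access-list 1 permit host 203.0.113.114
access-list 1 permit host 198.51.100.34
access-list 1 deny any log
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 15
 access-class 1 in
 transport input ssh
"""


@dataclass
class VtyBlock:
    first: int
    last: int
    access_class: Optional[str] = None
    transport_input: Tuple[str, ...] = ()


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map ACL name/number -> its permit/deny entries as written."""
    acls: Dict[str, List[str]] = {}
    current: Optional[List[str]] = None
    for raw in config.splitlines():
        top_level = not raw.startswith(" ")
        line = raw.strip()
        if top_level:
            m = re.match(r"access-list (\S+) (.+)$", line)
            if m:  # numbered ACL: one entry per line
                acls.setdefault(m.group(1), []).append(m.group(2))
                current = None
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
            current = acls.setdefault(m.group(1), []) if m else None
        elif current is not None and line.startswith(("permit", "deny")):
            current.append(line)  # named ACL: indented entries
    return acls


def parse_vty_blocks(config: str) -> List[VtyBlock]:
    """Collect every `line vty A B` block with its access-class and transport."""
    blocks: List[VtyBlock] = []
    current: Optional[VtyBlock] = None
    for raw in config.splitlines():
        top_level = not raw.startswith(" ")
        line = raw.strip()
        if top_level:
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            current = VtyBlock(int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
            if current:
                blocks.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"access-class (\S+) in$", line)
        if m:
            current.access_class = m.group(1)
        m = re.match(r"transport input (.+)$", line)
        if m:
            current.transport_input = tuple(m.group(1).split())
    return blocks


def audit_ssh_restriction(config: str) -> Tuple[bool, List[str]]:
    """Return (restricted, findings): restricted only if every SSH-capable vty
    block has an inbound access-class naming an ACL defined in this config."""
    acls = parse_acls(config)
    findings: List[str] = []
    for blk in parse_vty_blocks(config):
        label = f"line vty {blk.first} {blk.last}"
        # No `transport input` line means the platform default applies; treat
        # the block as reachable rather than assume it is safe.
        accepts_ssh = not blk.transport_input or bool({"ssh", "all"} & set(blk.transport_input))
        if not accepts_ssh:
            continue
        if blk.access_class is None:
            findings.append(f"{label}: accepts SSH but has no 'access-class ... in'")
        elif blk.access_class not in acls:
            findings.append(f"{label}: access-class {blk.access_class} names an ACL not defined here")
    # The trap from the original post: an ACL that exists but is applied nowhere.
    referenced = set(re.findall(r"(?:access-class|ip access-group) (\S+)", config))
    for name in sorted(set(acls) - referenced):
        findings.append(f"ACL {name} is defined but applied nowhere; it restricts nothing")
    return not findings, findings
```

Run against the two samples, the first is reported as unrestricted with three findings (both vty blocks lack an access-class, and Manage-SSH is applied nowhere) and the second as restricted. Two caveats when applying the fix on a real box: a Catalyst 3750 has vty lines 0 through 15, so the access-class has to go on `line vty 5 15` as well as `0 4` (or `line vty 0 15` in one block), otherwise the later lines stay open; and an ACL applied with `ip access-group ... in` on an SVI filters every packet entering that interface, not only SSH, so with the implicit deny at the end it also drops any other traffic to the switch that is not explicitly permitted. That is why `access-class` on the vty lines is the narrower control for this purpose.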