Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28011
Views
15
Helpful
5
Replies

Restrict VTY - SSH access to a specific IP

Go to solution
chrissnop
Level 1
Level 1

‎08-25-2016 07:08 PM - edited ‎03-05-2019 04:34 AM

Hello guys, how to restrict VTY access to a specific IP?

For example:

- Allow access from the private or local network

- Allow access from a specific Public IP

Is this doable?

I'm following this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configurat...

But I can only do from the command below:

Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)# line vty 5 10

Is the above command sufficient enough to restrict vty access?

Thanks for any help. :)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jonathan Unger
Level 7
Level 7
In response to chrissnop

‎08-25-2016 11:04 PM

Hi Chris,

Make sure to enter the vty line config mode (line vty 015) before applying the access-class command.

Here is an example of the whole thing put together (access-list and vty line config).

router1(config)#access-list 1 permit 172.16.0.0 0.0.255.255
router1(config)#line vty 0 15
router1(config-line)#access-class 1 in

There is an implicit deny at the end of every ACL so there is no need to manually set a deny entry (although it won't break anything if you do add a deny entry at the end).

View solution in original post

5 Replies 5

Go to solution
Jonathan Unger
Level 7
Level 7

‎08-25-2016 09:52 PM

Hi There,

You are almost all of the way there. You have already have your access list, now you just need to apply it to the VTY lines with the following commands (as listed in the link you posted in this section).

line vty 015

access-class 1 in


The "access-class 1 in" command links your access list to the ACL you created earlier.



I would recommend configuring all of the VTY lines (0 to 15) with one command so they are all consistent.



You can add a specific public IP address to your access list with the following command:

access-list 1 permit host x.x.x.x



Does that answer your question?

Go to solution
chrissnop
Level 1
Level 1
In response to Jonathan Unger

‎08-25-2016 10:47 PM

So it will be something like this:

Router(config)#access-class 1 in

Router(config)#line vty 0 15


Router(config)#access-list 1 permit 172.16.0.0 0.0.255.255

Router(config)#access-list 1 deny any

Do I need to set the deny? or no need? I don't want other IPs to connect.

Thank you. 

0 Helpful

Go to solution
Jonathan Unger
Level 7
Level 7
In response to chrissnop

‎08-25-2016 11:04 PM

Hi Chris,

Make sure to enter the vty line config mode (line vty 015) before applying the access-class command.

Here is an example of the whole thing put together (access-list and vty line config).

router1(config)#access-list 1 permit 172.16.0.0 0.0.255.255
router1(config)#line vty 0 15
router1(config-line)#access-class 1 in

There is an implicit deny at the end of every ACL so there is no need to manually set a deny entry (although it won't break anything if you do add a deny entry at the end).

Go to solution
chrissnop
Level 1
Level 1
In response to Jonathan Unger

‎08-26-2016 12:17 AM

Hi Jonathan, thank you.

I will try it out and update this post.

0 Helpful

Go to solution
ddesai
Level 1
Level 1
In response to chrissnop

‎08-04-2023 02:57 PM

thanks but following command does not work

access-list 110 deny tcp PUBLIC IP host switch ip eq 22

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card