cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
200
Views
0
Helpful
2
Replies

SSH revisited.......

I have Cisco Router that I need to access BOTH Internal and External...

I run SSH 2.0 only.............

I run SSH on a non-standard port lets say port 4232

This is what I have......

ip ssh authentication-retries 5
ip ssh port 4232 rotary 1
ip ssh logging events
ip ssh version 2

line vty 0 4
exec-timeout 20 0
privilege level 15
password 7 xxxxxxxxxxxxxxxx
login authentication local_auth
rotary 1
transport preferred ssh
transport input ssh
transport output ssh

The ACL is on the External Interface-Internet

access-list 101 remark ---SSH---
access-list 101 permit tcp any any eq 4232 log

Right now I can access BOTH internal and external-internet........but the port shows "OPEN" when I do a port scan...

Question: If I change the ACL to.....  

access-list 101 permit tcp any eq 4232 any log

Will I still have external-internet access without it showing as "OPEN" in a port scan?

1 Accepted Solution

Accepted Solutions

johnd2310
Level 8
Level 8

Hi,

What are you trying to achieve? "access-list 101 permit tcp any any eq 4232 log" means you can access tcp port 4232 from any ip address. "access-list 101 permit tcp any eq 4232 any log" means you can access any tcp port from any ip address sourcing traffic from port 4232. You second access list will work but only if the source port is 4232.First access list is the ideal configuration white the second access list is not really practical because you have to specify or control the source port.

With respect to scanning, you will always get "OPEN" if that port is listening.

Hope this helps

John

**Please rate posts you find helpful**

View solution in original post

2 Replies 2

Not sure if I understand your question correctly. Which port scanner are you using ?

johnd2310
Level 8
Level 8

Hi,

What are you trying to achieve? "access-list 101 permit tcp any any eq 4232 log" means you can access tcp port 4232 from any ip address. "access-list 101 permit tcp any eq 4232 any log" means you can access any tcp port from any ip address sourcing traffic from port 4232. You second access list will work but only if the source port is 4232.First access list is the ideal configuration white the second access list is not really practical because you have to specify or control the source port.

With respect to scanning, you will always get "OPEN" if that port is listening.

Hope this helps

John

**Please rate posts you find helpful**
Review Cisco Networking for a $25 gift card