SSH revisited.......

I have a Cisco router that I need to access BOTH internally and externally...

I run SSH 2.0 only.............

I run SSH on a non-standard port, let's say port 4232

This is what I have......

ip ssh authentication-retries 5
ip ssh port 4232 rotary 1
ip ssh logging events
ip ssh version 2

line vty 0 4
exec-timeout 20 0
privilege level 15
password 7 xxxxxxxxxxxxxxxx
login authentication local_auth
rotary 1
transport preferred ssh
transport input ssh
transport output ssh

The ACL is on the External Interface-Internet

access-list 101 remark ---SSH---
access-list 101 permit tcp any any eq 4232 log

Right now I can access BOTH internal and external-internet........but the port shows "OPEN" when I do a port scan...

Question: If I change the ACL to.....  

access-list 101 permit tcp any eq 4232 any log

Will I still have external-internet access without it showing as "OPEN" in a port scan?

Accepted Solutions

johnd2310
Level 8

Hi,

What are you trying to achieve? "access-list 101 permit tcp any any eq 4232 log" means you can access TCP port 4232 from any IP address. "access-list 101 permit tcp any eq 4232 any log" means you can access any TCP port from any IP address sourcing traffic from port 4232. Your second access list will work but only if the source port is 4232. The first access list is the ideal configuration while the second access list is not really practical because you have to specify or control the source port.

With respect to scanning, you will always get "OPEN" if that port is listening.

Hope this helps

John

**Please rate posts you find helpful**
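
The difference between the two entries discussed in this answer, as an added example that is not part of the original post: a small Python model of extended-ACL matching run over constructed packets. It assumes ACL 101 holds only the entry shown and handles only the `any`/`eq` forms that appear in the thread; all function names and sample packets are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str
    proto: str
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any [eq P] any [eq P] [log]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    ports = []
    for _ in range(2):  # source spec first, then destination spec
        if rest[:1] != ["any"]:
            raise ValueError("this model handles only 'any' addresses")
        rest = rest[1:]
        if rest[:1] == ["eq"]:
            ports.append(int(rest[1]))
            rest = rest[2:]
        else:
            ports.append(None)
    if rest not in ([], ["log"]):
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return Ace(action, proto, ports[0], ports[1])

def evaluate(acl, proto, sport, dport) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (ace.proto == proto and ace.src_port in (None, sport)
                and ace.dst_port in (None, dport)):
            return ace.action
    return "deny"

CURRENT = [parse_ace("access-list 101 permit tcp any any eq 4232 log")]
PROPOSED = [parse_ace("access-list 101 permit tcp any eq 4232 any log")]
# Constructed inbound TCP packets: label -> (source port, destination port)
PACKETS = {
    "client with ephemeral source port to SSH": (51514, 4232),
    "client sourcing from 4232 to SSH": (4232, 4232),
    "sender sourcing from 4232 to another port": (4232, 8080),
}

def compare():
    """Return {label: (verdict under current ACL, verdict under proposed ACL)}."""
    return {label: (evaluate(CURRENT, "tcp", s, d), evaluate(PROPOSED, "tcp", s, d))
            for label, (s, d) in PACKETS.items()}

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:45} current={verdicts[0]:6} proposed={verdicts[1]}")
```

The last row is the one to watch: the proposed entry filters on source port only, so it passes traffic to any destination port while dropping ordinary SSH clients that use an ephemeral source port.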

2 Replies

Not sure if I understand your question correctly. Which port scanner are you using?
