11-01-2016 09:09 AM - edited 03-05-2019 07:23 AM
I have Cisco Router that I need to access BOTH Internal and External...
I run SSH 2.0 only.............
I run SSH on a non-standard port, let's say port 4232
This is what I have......
ip ssh authentication-retries 5
ip ssh port 4232 rotary 1
ip ssh logging events
ip ssh version 2
line vty 0 4
exec-timeout 20 0
privilege level 15
password 7 xxxxxxxxxxxxxxxx
login authentication local_auth
rotary 1
transport preferred ssh
transport input ssh
transport output ssh
The ACL is on the External Interface-Internet
access-list 101 remark ---SSH---
access-list 101 permit tcp any any eq 4232 log
Right now I can access BOTH internal and external-internet........but the port shows "OPEN" when I do a port scan...
Question: If I change the ACL to.....
access-list 101 permit tcp any eq 4232 any log
Will I still have external-internet access without it showing as "OPEN" in a port scan?
11-01-2016 06:24 PM
Hi,
What are you trying to achieve? "access-list 101 permit tcp any any eq 4232 log" means you can access tcp port 4232 from any ip address. "access-list 101 permit tcp any eq 4232 any log" means you can access any tcp port from any ip address sourcing traffic from port 4232. Your second access list will work but only if the source port is 4232. The first access list is the ideal configuration, while the second access list is not really practical because you have to specify or control the source port.
With respect to scanning, you will always get "OPEN" if that port is listening.
Hope this helps
John
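To make the difference between the two ACL lines concrete, here is a small evaluator (an added example, not code from the thread or from Cisco) that parses the two entries exactly as written in the post and runs constructed TCP packets through them. It implements only the subset of IOS extended-ACL syntax the thread uses (`permit tcp any [eq <port>] any [eq <port>] [log]`, first match wins, implicit deny at the end); host and wildcard addresses are out of scope and the packet values are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TcpPacket:
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src_port: Optional[int]   # None = any source port
    dst_port: Optional[int]   # None = any destination port
    log: bool


def parse_ace(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list <n> ...' line; remark lines yield None."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    if tokens[2] == "remark":
        return None
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported entry: {line!r}")

    def take_endpoint(rest: List[str]):
        # Only the 'any' keyword is handled (assumption: no host/wildcard forms).
        if not rest or rest[0] != "any":
            raise ValueError(f"only 'any' addresses supported: {line!r}")
        rest = rest[1:]
        port = None
        if len(rest) >= 2 and rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
        return port, rest

    src_port, rest = take_endpoint(rest)   # source address, optional 'eq <port>'
    dst_port, rest = take_endpoint(rest)   # destination address, optional 'eq <port>'
    return AclEntry(action, src_port, dst_port, log="log" in rest)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    return [e for e in (parse_ace(l) for l in lines) if e is not None]


def evaluate(acl: List[AclEntry], pkt: TcpPacket) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.src_port in (None, pkt.src_port) and e.dst_port in (None, pkt.dst_port):
            return e.action
    return "deny"


# The two ACLs from the post.
ACL_CURRENT = parse_acl([
    "access-list 101 remark ---SSH---",
    "access-list 101 permit tcp any any eq 4232 log",
])
ACL_PROPOSED = parse_acl([
    "access-list 101 remark ---SSH---",
    "access-list 101 permit tcp any eq 4232 any log",
])

# Constructed packets. A normal SSH client picks an ephemeral source port,
# so its SYN looks like the first one; the second has source port 4232 and
# is aimed at the telnet port, to show what the proposed entry lets through.
SSH_CLIENT_SYN = TcpPacket(src_port=51234, dst_port=4232)
SRC_4232_TO_TELNET = TcpPacket(src_port=4232, dst_port=23)


def compare() -> dict:
    return {
        "ssh_client_current": evaluate(ACL_CURRENT, SSH_CLIENT_SYN),
        "ssh_client_proposed": evaluate(ACL_PROPOSED, SSH_CLIENT_SYN),
        "src4232_to_23_current": evaluate(ACL_CURRENT, SRC_4232_TO_TELNET),
        "src4232_to_23_proposed": evaluate(ACL_PROPOSED, SRC_4232_TO_TELNET),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

Running it shows the current entry permitting the SSH client's SYN and the proposed entry denying it (the client's source port is not 4232), while the proposed entry permits the packet to port 23 that the current one drops. Swapping the `eq` clause therefore does not hide the listener; it breaks normal SSH clients and widens what the ACL accepts on other ports. A port with a listener reports "open" to any source the ACL permits, so the way to keep untrusted scanners from seeing it is to narrow the source addresses in the permit entry rather than to move the port keyword.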
11-01-2016 01:11 PM
Not sure if I understand your question correctly. Which port scanner are you using ?