06-18-2018 09:47 PM - edited 03-05-2019 10:37 AM
Hi Guys,
I have an ASR9000 which is configured with BGP to my ISP. Which ACL command line can I use to prevent people from SSHing to my router's outbound interface (from the outside world)?
Also, how do I make sure that SSH access is allowed from the management interface (local network) only?
Thanks.
06-18-2018 11:53 PM
Hey,
You can create an ACL that blocks SSH traffic and then apply it to your outbound interface:
ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any
and then apply it to the specific interface with:
interface GigabitEthernet0/1
 ip access-group BLOCK_SSH in
E.
06-19-2018 09:29 AM
The original post actually asks two questions. The first question was about preventing SSH access to the router from outside. I like the solution provided by Eduardo, but acknowledge that it is not quite what the original post asked. The original post actually asked how to prevent SSH to the outbound interface. Eduardo's solution prevents access to any address on the router from outside, which I believe is a better solution. If the original poster really does mean that he wants to prevent SSH to the outside interface then change the ACL to deny tcp any host <outside_IP> eq 22.
The second question asks about restricting SSH access from inside addresses. If you want to restrict access so that only the management subnet can SSH then you could use access-class on the vty lines. It might look something like this (assuming that the management subnet is 172.16.1.0)
access-list 1 permit 172.16.1.0 0.0.0.255
line vty 0 15
 access-class 1 in
HTH
Rick
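Both answers above are written in classic IOS syntax, while the router in the question is an ASR 9000, which runs IOS XR. There the named IPv4 ACL entries carry sequence numbers, the catch-all is "permit ipv4 any any" rather than "permit ip any any", the interface command is "ipv4 access-group NAME ingress", and the vty template is "line default" with "access-class ingress NAME" instead of "line vty 0 15" / "access-class 1 in". The block below is an added example, not configuration posted by either participant, that puts both answers into IOS XR form; the interface name GigabitEthernet0/0/0/0, the outside address 192.0.2.1, the management subnet 172.16.1.0/24 and the ACL names are placeholders to be replaced with real values. One caveat worth checking before copying the first answer literally: "deny tcp any any eq 22" on the ISP-facing interface also drops SSH sessions merely transiting the router to hosts behind it, so the entry here matches only the router's own outside address, as suggested in the follow-up.

```cisco
! Added example: IOS XR (ASR 9000) form of the two answers above.
! Interface name, addresses and ACL names are placeholders (assumptions).
!
! 1) ISP-facing interface: drop SSH aimed at the router's own outside
!    address and let everything else, including transit SSH, through.
!    IOS XR ACLs end in an implicit deny, so the final permit is required;
!    without it BGP (tcp/179) from the ISP would be dropped as well.
ipv4 access-list OUTSIDE_IN
 10 deny tcp any host 192.0.2.1 eq 22 log
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 description to-ISP (placeholder)
 ipv4 access-group OUTSIDE_IN ingress
!
! 2) Virtual terminal lines: accept SSH only from the management subnet.
!    IOS XR uses "line default" as the template for the vty pool and
!    access-class takes a named ACL plus a direction.
ipv4 access-list MGMT_SSH
 10 permit ipv4 172.16.1.0 0.0.0.255 any
!
line default
 access-class ingress MGMT_SSH
 transport input ssh
!
commit
```

After "commit", confirm the entries with "show access-lists ipv4 OUTSIDE_IN" and "show access-lists ipv4 MGMT_SSH", then test from a host outside the management subnet: the connection to port 22 should fail, while an SSH session from 172.16.1.0/24 should still be accepted. Note that the vty access-class restricts who can open a session on any interface, so it protects the router even if the interface ACL is later removed; the two controls are complementary rather than alternatives.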