Turn off SSH access on ASR9000

tinhnho123
Level 2

Hi Guys,

 

I have an ASR9000 which is configured with BGP to my ISP. Which ACL command line can I use to prevent people from SSHing to my router's outbound interface (from the outside world)?

 

Also, how do I make sure that the SSH access is allowed from mgmt interface (local network) only?

 

Thanks.

2 Replies

Eduardo Battis
Level 1

Hey,

you can create an ACL that blocks SSH traffic, and then apply it to your outbound interface:

ip access-list extended BLOCK_SSH
 deny tcp any any eq 22
 permit ip any any

 

and then apply it to the specific interface with:

interface GigabitEthernet0/1
 ip access-group BLOCK_SSH in

 

E.

The original post actually asks two questions. The first question was about preventing SSH access to the router from outside. I like the solution provided by Eduardo, but acknowledge that it is not quite what the original post asked. The original post actually asked how to prevent SSH to the outbound interface. Eduardo's solution prevents access to any address on the router from outside, which I believe is a better solution. If the original poster really does mean that he wants to prevent SSH to the outside interface then change the ACL to deny tcp any host <outside_IP>  eq 22.

 

The second question asks about restricting SSH access from inside addresses. If you want to restrict access so that only the management subnet can SSH, then you could use access-class on the vty lines. It might look something like this (assuming that the management subnet is 172.16.1.0):

access-list 1 permit 172.16.1.0 0.0.0.255
line vty 0 15
 access-class 1 in

 

HTH

 

Rick

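The two replies above use classic IOS syntax; the ASR9000 runs IOS XR, where the ACL, interface and vty commands are spelled differently. The following is an added configuration example (not posted by either reply's author) covering both requests in IOS XR form. It assumes a management subnet of 172.16.1.0/24, an ISP-facing interface GigabitEthernet0/0/0/0 and a LAN-facing interface GigabitEthernet0/0/0/1; substitute your own values.

```cisco
! Added example, not from the thread. Assumed values: management subnet
! 172.16.1.0/24, ISP-facing GigabitEthernet0/0/0/0, LAN-facing
! GigabitEthernet0/0/0/1.

! 1. Data-plane filter on the ISP-facing interface: drop inbound SSH
!    (this also drops transit SSH, which the second reply considers the
!    better outcome) and let everything else, including BGP on tcp/179,
!    through. Entries are evaluated top-down, so the deny must come first.
ipv4 access-list BLOCK_SSH_FROM_ISP
 10 deny tcp any any eq 22
 20 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group BLOCK_SSH_FROM_ISP ingress
!
! 2. Control-plane restriction: only the management subnet may open an
!    SSH session to the router, whichever interface the packet arrives on.
ipv4 access-list MGMT_SSH_ONLY
 10 permit tcp 172.16.1.0 0.0.0.255 any eq 22
 20 deny tcp any any eq 22
!
line default
 access-class ingress MGMT_SSH_ONLY
!
! Management Plane Protection adds a second, independent check: SSH is
! accepted only on the LAN-facing interface and only from the management
! subnet; every other interface silently drops it.
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/1
    allow SSH peer
     address ipv4 172.16.1.0/24
    !
   !
  !
 !
!
ssh server v2
```

Verify with `show ipv4 access-lists MGMT_SSH_ONLY hardware ingress location <linecard>` style counters and `show mgmt-plane`, and test from an address outside 172.16.1.0/24 before relying on it.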