08-18-2020 05:46 PM
Hi team,
I'm a newbie in this area, please go easy on me :). I have some questions on how I can achieve my goal to block all connections to a specific IP and at the same time allow from a specific IP. The scenario that I have is, I'm having a switch configured with an IP address on an interface VLAN and this IP is used as the management IP for us to manage it remotely. I have configured access control using an access list in my configuration as per below.
access-list 102 permit ip host 192.168.1.100 any
access-list 102 deny tcp any host 192.168.200.1
line vty 0 4
 access-class 102 in
 login local
line vty 5 15
 access-class 102 in
 login local
Take note that IP 192.168.200.1 is the IP address that I assigned to the interface VLAN of the switch. I'm not sure which access list I should use. Do I need to use a standard or an extended access list to achieve this? I believe there is also an implicit rule by default for each access list which is denying all connections. Am I correct? Or do I still need to manually create an implicit rule to block all connections coming to that line vty? And also, where will be the best place for us to apply the access list? Is it at the interface VLAN level or on the line vty?
Another reason for me to have this done is because when I'm trying to scan for open ports on the IP 192.168.200.1 I can see there are a few ports open. Below is a sample of the scan.
Host is up (0.011s latency).
Not shown: 983 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
993/tcp  open     imaps
995/tcp  open     pop3s
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
3128/tcp open     squid-http
4444/tcp filtered krb524
6129/tcp filtered unknown
6667/tcp filtered irc
8080/tcp open     http-proxy
A simple telnet test proves that the port is open.
telnet 192.168.200.1 80
Trying 192.168.200.1...
Connected to 192.168.200.1.
Escape character is '^]'.
Please help.
08-18-2020 07:22 PM
08-18-2020 07:52 PM
Hi Francesco,
Thanks for your reply. Yes, my main objective is to only allow 1 IP to access SSH to the switch, then block any connection to any TCP/UDP ports on the switch IP address.
I will take a look at the link. Hope you don't mind if I ask more after this.
Thanks.
08-18-2020 08:31 PM
08-18-2020 10:12 PM - edited 08-18-2020 10:13 PM
Hello
Then it sounds like a simple ACL on the vty line would be applicable.
Example:
access-list 10 permit host x.x.x.x
line vty 0 4
 transport input ssh
 transport preferred none
 transport output none
 ! on a vty line the ACL is applied with access-class (ip access-group is an interface command)
 access-class 10 in
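A small Python model of the first-match and implicit-deny behaviour asked about above, added here as an example and not part of the thread or of Cisco IOS. It evaluates the poster's extended ACL 102 and the standard ACL 10 from the reply against constructed connection attempts; the only assumption is the standard library `ipaddress` module. Note that an access-class on a vty line only governs vty (SSH/Telnet) sessions, which is what the model checks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; "tcp"/"udp" match only that one
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any" (a standard ACL only ever has "any" here)


def _match_net(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(acl, proto: str, src: str, dst: str):
    """Return (action, matched_rule_index); index -1 means the implicit deny at the end.

    Rules are checked top to bottom and the first match wins, exactly like IOS.
    Nothing matching any explicit line is dropped: no manual 'deny any' is needed.
    """
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if _match_net(r.src, src) and _match_net(r.dst, dst):
            return r.action, i
    return "deny", -1  # implicit deny


# ACLs constructed from the thread: extended ACL 102 (question) and standard ACL 10 (reply)
ACL_102 = [
    Rule("permit", "ip", "192.168.1.100/32", "any"),
    Rule("deny", "tcp", "any", "192.168.200.1/32"),
]
ACL_10 = [Rule("permit", "ip", "192.168.1.100/32", "any")]

SWITCH_MGMT_IP = "192.168.200.1"


def ssh_allowed(acl, client_ip: str) -> bool:
    """Would an SSH session from client_ip to the switch vty pass this access-class?"""
    action, _ = evaluate(acl, "tcp", client_ip, SWITCH_MGMT_IP)
    return action == "permit"


if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.50"):
        print(ip, "ACL 102:", evaluate(ACL_102, "tcp", ip, SWITCH_MGMT_IP),
              "ACL 10:", evaluate(ACL_10, "tcp", ip, SWITCH_MGMT_IP))
```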