Blocking all incoming connection but allow specific only

Hi team,

I'm a newbie in this area, please go easy on me :). I have some questions on how I can achieve my goal to block all connections to a specific IP and at the same time allow from a specific IP. The scenario that I have is: I have a switch configured with an IP address on an interface VLAN, and this IP is used as the management IP for us to manage it remotely. I have configured access control using an access list in my configuration as per below.


access-list 102 permit ip host 192.168.1.100 any
access-list 102 deny tcp any host 192.168.200.1

line vty 0 4
access-class 102 in
login local

line vty 5 15
access-class 102 in
login local


Take note that IP 192.168.200.1 is the IP address that I assigned to the interface VLAN of the switch. I'm not sure which access list I should use. Do I need to use a standard or extended access list to achieve this? I believe there is also an implicit rule by default for each access list which denies all connections. Am I correct? Or do I still need to manually create an implicit rule to block all connections coming to that line vty? And also, where will be the best place for us to apply the access list? Is it at the interface VLAN level or on the line vty?

Another reason for me to have this done is because when I'm trying to scan for open ports on the IP 192.168.200.1 I can see there are a few ports open. Below is a sample of the scan.


Host is up (0.011s latency).
Not shown: 983 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
993/tcp  open     imaps
995/tcp  open     pop3s
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
3128/tcp open     squid-http
4444/tcp filtered krb524
6129/tcp filtered unknown
6667/tcp filtered irc
8080/tcp open     http-proxy

A simple telnet test proves that the port is open.

telnet 192.168.200.1 80
Trying 192.168.200.1...
Connected to 192.168.200.1.
Escape character is '^]'.

Please help.

Francesco Molino
VIP Alumni
Hi

What do you want to achieve?
Allow ssh from 1 host only to the switch or block any ports from anyone (not only ssh access) except from 1 host.
I believe this is the second option, if I understand your post.
For that, it won't be on lines configuration but on the interface itself or on the control plane.
I would recommend you take a look at the IOS hardening guide, which explains how to block traffic not useful for your network:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Let me know if that helps.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for your reply. Yes, my main objective is to only allow 1 IP to access SSH on the switch, then block any connection to any TCP/UDP ports on the switch IP address.

I will take a look at the link. Hope you don't mind if I ask more after this.

Thanks.


With vty you will only block ssh, so hardening with control-plane policing will definitely be the best solution.
Give it a look/try and sure you can come and ask more questions.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello

Then it sounds like a simple ACL on the vty line would be applicable.

Example:

access-list 10 permit host x.x.x.x
!
line vty 0 4
 transport input ssh
 transport preferred none
 transport output none
 ! access-class (not ip access-group) is the command that applies an ACL to a line
 access-class 10 in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
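Putting the two replies together, here is an added example configuration (not from either poster) that allows SSH to the switch only from 192.168.1.100 and drops all other TCP/UDP traffic sent to the management address 192.168.200.1. It assumes the SVI is interface Vlan200 (not named in the thread) and a platform whose inbound SVI ACL also filters traffic addressed to the switch itself.

```cisco
! Standard ACL for the vty lines: only the source address is checked here.
! Every ACL ends with an implicit "deny any", so no explicit deny line is needed.
ip access-list standard MGMT-SSH-SOURCES
 permit host 192.168.1.100
!
! Protect every vty line the same way and accept SSH only (no telnet).
line vty 0 15
 access-class MGMT-SSH-SOURCES in
 transport input ssh
 login local
!
! Extended ACL on the SVI to protect the management address on every port,
! not just the vty lines. Assumed SVI name: Vlan200.
ip access-list extended PROTECT-MGMT-IP
 permit tcp host 192.168.1.100 host 192.168.200.1 eq 22
 deny tcp any host 192.168.200.1
 deny udp any host 192.168.200.1
 ! Traffic that merely transits the VLAN is left untouched; ICMP to the
 ! switch (ping) is also still allowed by this final line.
 permit ip any any
!
interface Vlan200
 ip access-group PROTECT-MGMT-IP in
!
! Services listening on the management IP should be switched off, not only
! filtered; the built-in HTTP server is the usual one to disable.
no ip http server
no ip http secure-server
```

If the platform does not honour router ACLs for traffic to its own SVI, the same extended ACL can be referenced from a class-map under control-plane policing instead, which is the approach Francesco's hardening link describes.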