[nsp] VTY ACL

Barry Raveendran Greene bgreene at cisco.com
Sun Jul 20 23:27:57 EDT 2003


The old trick that we've been teaching for years has been to use the eACL
with the log keyword to monitor the scans on your equipment. 

access-list 199 permit tcp 1.2.3.0 0.0.0.255 any
access-list 199 permit tcp 1.2.4.0 0.0.0.255 any
access-list 199 deny   tcp any any range 0 65535 log
access-list 199 deny   ip any any log

The two denies give more details on what type of scans are happening. The
closure is to have the logs exported and a script that pulls this specific
ACL number (i.e. assuming you use the same ACL number for all your VTY
ACLs), and charts the daily rates. We've had some customers head off major
attacks by seeing their scan rate (i.e. miscreants mapping their network)
increase weeks before a compelling event that would attract an attack.

Some of this is outlined in the ISP Essentials Book and in the ISP Security
Bootcamp:

	ftp://ftp-eng.cisco.com/cons/isp/security/
 
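The "script that pulls this specific ACL number and charts the daily rates" step, as an added example that is not from the post or from Cisco: the syslog lines below are constructed samples in the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGNP message format (the timestamp prefix of a real export depends on your syslog setup), and the function names, the ACL numbers and the spike factor are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample export: two days of VTY ACL log hits from one router.
SAMPLE_LOGS = """\
Jul 18 02:11:05 rtr1 1234: Jul 18 02:11:04.991: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.9(4421) -> 192.0.2.1(23), 1 packet
Jul 18 02:11:09 rtr1 1235: Jul 18 02:11:08.120: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.9(4422) -> 192.0.2.1(22), 1 packet
Jul 18 02:15:00 rtr1 1236: Jul 18 02:14:59.800: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1025) -> 192.0.2.1(23), 3 packets
Jul 19 11:02:33 rtr1 1301: Jul 19 11:02:33.002: %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.9(5010) -> 192.0.2.1(23), 12 packets
Jul 19 11:03:01 rtr1 1302: Jul 19 11:03:00.750: %SEC-6-IPACCESSLOGNP: list 199 denied 47 203.0.113.40 -> 192.0.2.1, 1 packet
Jul 19 11:04:00 rtr1 1303: Jul 19 11:04:00.001: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.1.5(40000) -> 192.0.2.1(23), 1 packet
"""

# Assumed line shape: "<Mon> <day> hh:mm:ss ... %SEC-6-IPACCESSLOGx: list <acl> denied|permitted
# <proto> <src>[(port)] -> <dst>[(port)], <n> packet(s)".  Ports are absent for non-TCP/UDP hits.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?%SEC-6-IPACCESSLOG\w+: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])          # IOS aggregates: "12 packets" counts as 12 hits
    rec["date"] = f"{rec['mon']} {int(rec['day']):02d}"
    return rec


def daily_deny_rates(lines, acl):
    """Per day: (denied packets, distinct source addresses) for the given ACL number."""
    packets, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl or rec["action"] != "denied":
            continue                          # other ACLs and permit hits are not scan signal
        packets[rec["date"]] += rec["count"]
        sources[rec["date"]].add(rec["src"])
    return {day: (packets[day], len(sources[day])) for day in packets}


def spike_days(rates, factor=3.0):
    """Days whose deny count exceeds `factor` times the previous day's: the rise to chart."""
    days = list(rates)
    return [d for prev, d in zip(days, days[1:]) if rates[d][0] > factor * rates[prev][0]]
```

Feed it the whole export and plot the returned per-day tuples; the daily source count rising alongside the packet count is the mapping pattern the post describes.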

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Chris Griffin
> Sent: Sunday, July 20, 2003 7:24 PM
> To: Rick Burts; d.holloway at hill.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] VTY ACL
> 
> The main reason we use extended ACLs is at the end:
> 
> access-list 101 deny ip any any log
> 
> -Chris
> ----- Original Message -----
> From: "Rick Burts" <r.burts at earthlink.net>
> To: <d.holloway at hill.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Sunday, July 20, 2003 10:19 PM
> Subject: Re: [nsp] VTY ACL
> 
> 
> > Damien
> >
> > I think you will find it much easier to accomplish what you want with a
> > standard access list.
> >
> > As someone else pointed out, be very careful with in and out when you
> > apply access-class.
> >
> > I went through the exercise of access-class with extended access lists
> > a long time ago, got it to work, and do not know if the behavior of IOS
> > has changed (so may or may not still be the case, but I guess it still
> > works). What I found was the key in getting extended access lists
> > to work was specifying the source address as 0.0.0.0. I was really
> > puzzled at that till I thought about it a while. The access-class out
> > is working when the vty session wants to go somewhere outside, at the
> > vty it knows where it wants to go but does not yet know which interface
> > it will use to get there, so it cannot know what the source address
> > will be.
> >
> > I think you can get extended access lists to work with access-class,
> > but why would you want to use a more complex solution when a simple
> > solution is available?
> >
> > Rick
> >
> > Damien Holloway wrote:
> > >
> > > I applied an ACL to the vty interface on a router
> > >
> > > access-list 101 permit tcp host 10.1.1.1 host 10.2.2.2 eq telnet
> > >
> > > line vty 0 4
> > >  access-class 101 in
> > >
> > > and the host 10.1.1.1  **cannot** telnet to the router on 10.2.2.2
> > >
> > > BUT if I do this
> > >
> > > access-list 101 permit tcp host 10.1.1.1 any eq telnet
> > >
> > > line vty 0 4
> > >  access-class 101 in
> > >
> > > and the host 10.1.1.1  **can** telnet to the router on 10.2.2.2
> > >
> > > Why would the first example NOT work???
> > >
> > > I am confused
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > --
> > Rick Burts     CCIE 4615  CCSI     Email: rburts at netcraftsmen.net
> > Chesapeake NetCraftsmen            410.573.9372  (office)
> > 1070 Foxcroft Run                  443.994.0675  (cell)
> > Annapolis, MD 21401                WWW: http://www.netcraftsmen.net
> >
> > With 8 CCIEs on staff Chesapeake NetCraftsmen offers services in
> > network consulting and training.  Our services include Network Design,
> > Implementation, Troubleshooting as well as Network Management.
> >