[c-nsp] Best way to secure vty access
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Apr 18 16:56:33 EDT 2005
Jon Allen Boone <> wrote on Monday, April 18, 2005 10:29 PM:
> I want to give someone access to an IOS device, but I want to put
> limits on what other devices they can telnet out to. What's the best
> way to do this?
>
> I thought of applying an ACL on the "outbound" interface that
> permitted telnet initiation only to certain IP addresses, but that
> would limit everyone on the device.
>
> Is there a user-specific means to lock down what remote hosts they
> can access? The IOS version is 12.3(11)T.
If you use tacacs for login authentication and exec authorization, send
an ACL number via

    service = exec {
        acl=<number>
    }

(exact syntax depends on your T+ server).
Then permit all hosts the user is able to connect to via this ACL, i.e.

    access-list 10 permit 1.2.3.4
    access-list 10 permit 5.6.7.0 0.0.0.255
If you don't use tacacs, "access-class <num> out" and/or "username xxxx
access-class" should do the same for local authen/author (never tried
this, though).
oli
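As an added worked example (not part of Oliver's reply or any Cisco documentation), here is the router-side IOS configuration that goes with the per-user exec ACL he describes, plus the local-user fallback; the server stanza is in tac_plus-style syntax, and the server address, user name and key are placeholders.

```cisco
! --- TACACS+ server side (tac_plus-style syntax; other servers differ) ---
! user = jon {
!     login = cleartext "PLACEHOLDER-PASSWORD"
!     service = exec {
!         acl = 10
!     }
! }
!
! --- Router side (IOS) ---
aaa new-model
tacacs-server host 192.0.2.5 key PLACEHOLDER-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Hosts jon may telnet *to* from his vty session; everything else
! falls to the implicit deny at the end of the list.
access-list 10 permit 1.2.3.4
access-list 10 permit 5.6.7.0 0.0.0.255
!
! Local fallback if TACACS+ is unreachable. The per-user access-class
! overrides any "access-class ... out" set on the line, so other users
! are not restricted unless they get their own.
username jon secret PLACEHOLDER-PASSWORD
username jon access-class 10
!
line vty 0 4
 login authentication default
 authorization exec default
!
! Verify: "show line vty 0 4" shows the outbound ACL in the AccO column
! while jon is logged in; "show users" confirms which session is his.
```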