[c-nsp] vty access-list

Tom Storey tom at snnap.net
Thu Sep 13 10:36:07 EDT 2007


> Hi,
>
> I am trying to filter SSH access on a router from outside by source and
> destination IP address. To be more clear, the source SSH access is the
> outside /24 network x.x.x.x, and the destination SSH IP is one of the
> router's IPs. I want to be able to cut the SSH listening on all the IPs
> from the router interfaces, and allow it only on one IP.
>
> The problem is that if the access list looks like:
> access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
> it blocks the SSH access for all IPs including y.y.y.y

Try permitting based on IP address only, e.g.

access-list 199 permit ip x.x.x.x 0.0.0.255 host y.y.y.y

> if the access list applied to the vty lines is:
> access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22
> it permits the SSH access to all IPs residing on the router.
>
> Is this a normal behavior of the IOS, to block access to all the IPs,
> including to the one that is supposed to be allowed?

Well, you are allowing TCP port 22 from x.x.x.x/24 to any destination, which
will be any IP address on the router. But that doesn't necessarily explain
why the first access list doesn't work.

Personally, I've never used an extended ACL to control VTY access to a router;
I generally use standard ACLs and permit only a specific set of source
subnets access. It works just fine.

Is there any compelling reason why SSH should only be allowed to one
particular IP on the router?

> Thanks,
>
> Catalin
>
>
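The standard-ACL approach Tom describes, written out as an added configuration example (not from the thread): a source-only ACL applied to the vty lines with `access-class`, with SSH as the only permitted transport. The ACL name, the 192.0.2.0/24 management subnet and the vty range are assumptions.

```cisco
! Added example, not from the thread. Standard ACL: matches source only,
! so it sidesteps the destination-matching behaviour seen with ACL 199.
ip access-list standard VTY-MGMT
 remark Assumed management subnet; replace with the real outside /24
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 exec-timeout 10 0
 login local
```

The `deny any log` entry is optional but gives a syslog record of connection attempts from outside the permitted subnet, which is useful for spotting probes against the VTY.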

