[c-nsp] vty access-list

Robert E. Seastrom rs at seastrom.com
Thu Sep 13 10:35:45 EDT 2007


Try using an access-class on the VTY and a simple acl (number 1-99) instead.

                                        ---rob

C and C Dominte <domintefamily at yahoo.co.uk> writes:

> Hi,
>
> I am trying to filter SSH access on a router from outside by source and destination IP address. To be more clear, the source SSH access is the outside /24 network x.x.x.x, and the destination SSH IP is one of the router's IPs. I want to be able to cut the SSH listening on all the IPs from the router interfaces, and allow it only on one IP.
>
> The problem is that if the access list looks like:
> access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
> it blocks the SSH access for all IPs including y.y.y.y
>
> if the access list applied to the vty lines is:
> access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22
> it permits the SSH access to all IPs residing on the router.
>
> Is this a normal behavior of the IOS, to block access to all the IPs, including to the one that is supposed to be allowed?
>
> Thanks,
>
> Catalin
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
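An added configuration example (not from Rob's reply or Catalin's post) showing the split Rob is pointing at: the `access-class` on the vty lines takes a standard ACL and so only matches the source address, while restricting which router address accepts SSH from outside is an interface-ACL job. The interface name GigabitEthernet0/0 and the ACL numbers and names are assumptions; x.x.x.x and y.y.y.y are the placeholders from the thread.

```cisco
! --- Who may open a management session: source-only check on the vty lines ---
! Standard ACL 1-99: access-class evaluates only the source address, which is
! exactly what a vty filter needs (the destination is the router itself).
access-list 10 remark SSH management sources (placeholder network from the thread)
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
! --- Which router address accepts SSH from outside: interface ACL on the edge ---
! The destination match lives here, not on the vty. Port 22 to any other
! router address from outside is dropped and logged; the closing permit is a
! stand-in for whatever the rest of the edge policy already allows.
ip access-list extended OUTSIDE-IN
 remark SSH only to the management address y.y.y.y, only from x.x.x.x/24
 permit tcp x.x.x.x 0.0.0.255 host y.y.y.y eq 22
 deny tcp any any eq 22 log
 permit ip any any
!
interface GigabitEthernet0/0
 description outside (assumed interface name)
 ip access-group OUTSIDE-IN in
```

With this layout the vty filter answers "is this source allowed to manage the box at all" and the interface ACL answers "on which address"; `show access-lists` then shows hit counts on the deny lines, which is the quickest way to confirm which of the two filters is actually dropping a session.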

