[c-nsp] vty access-list

Collins, Richard (SNL US) richard.1.collins.ext at nsn.com
Thu Sep 13 11:55:07 EDT 2007


Yes, I think that you have to use a standard access-list on the VTY. I
believe that to only allow SSH you could just allow SSH as a transport.

router(config)#line vty 0 4
router(config-line)#transport input ?
  acercon  Remote console for ACE-based blade
  all      All protocols
  lat      DEC LAT protocol
  mop      DEC MOP Remote Console Protocol
  nasi     NASI protocol
  none     No protocols
  pad      X.3 PAD
  rlogin   Unix rlogin protocol
  ssh      TCP/IP SSH protocol
  telnet   TCP/IP Telnet protocol
  udptn    UDPTN async via UDP protocol

Rich

>From: "Robert E. Seastrom" <rs at seastrom.com>
>Subject: Re: [c-nsp] vty access-list
>To: C and C Dominte <domintefamily at yahoo.co.uk>
>Cc: cisco-nsp at puck.nether.net
>Message-ID: <86r6l2d45a.fsf at seastrom.com>
>Content-Type: text/plain; charset=us-ascii
>
>
>Try using an access-class on the VTY and a simple acl (number 1-99)
>instead.
>
>                                        ---rob
>
>C and C Dominte <domintefamily at yahoo.co.uk> writes:
>
>> Hi,
>>
>> I am trying to filter SSH access on a router from outside by source
>> and destination IP address. To be more clear, the source SSH access
>> is the outside /24 network x.x.x.x, and the destination SSH IP is one
>> of the router's IPs. I want to be able to cut the SSH listening on all
>> the IPs from the router interfaces, and allow it only on one IP.
>>
>> The problem is that if the access list looks like:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
>> it blocks the ssh access for all ip's including y.y.y.y
>>
>> if the access list applied to the vty lines is:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22
>> it permits the ssh access to all ip's residing on the router.
>>
>> Is this a normal behavior of the IOS, to block access to all the
>> IPs, including to the one that is supposed to be allowed?
>>
>> Thanks,
>>
>> Catalin 
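Worked example (added here; this is not configuration posted in the thread). It puts the two suggestions from the replies side by side with the open-to-everything configuration they replace: a standard numbered ACL applied with access-class on the VTYs, and transport input restricted to SSH. The management network 192.0.2.0/24 and VTY range 0-4 are assumptions; substitute your own. Note that a standard ACL matches the source address only, so this filters where the connection comes from, not which router address it was sent to.

```cisco
! Added example, not from the thread. Assumes the trusted management
! network is 192.0.2.0/24 and the VTY lines are 0-4.

! --- Weak: any transport, from any source, on every router address ---
line vty 0 4
 transport input all
 login

! --- Hardened ---
ip ssh version 2
!
! Standard ACL (numbered 1-99 / 1300-1999, or a named standard ACL).
! Standard ACLs match the SOURCE address only.
access-list 10 remark trusted management network (assumed)
access-list 10 permit 192.0.2.0 0.0.0.255
! Explicit deny is optional (the implicit deny already drops the rest);
! it is here so rejected attempts show up in the log and hit counters.
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

After applying it, test from a host inside 192.0.2.0/24 and from one outside, then check `show access-lists 10`: the permit entry should accumulate matches for the inside host and the deny entry for the outside one. Telnet attempts from either host should be refused at the transport level regardless of source.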
