[c-nsp] vty access-list
Collins, Richard (SNL US)
richard.1.collins.ext at nsn.com
Thu Sep 13 11:55:07 EDT 2007
Yes, I think that you have to use a standard access-list on the VTY. I believe that to only allow SSH you could just allow ssh as a transport.
router(config)#line vty 0 4
router(config-line)#transport input ?
acercon Remote console for ACE-based blade
all All protocols
lat DEC LAT protocol
mop DEC MOP Remote Console Protocol
nasi NASI protocol
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
udptn UDPTN async via UDP protocol
Rich
>From: "Robert E. Seastrom" <rs at seastrom.com>
>Subject: Re: [c-nsp] vty access-list
>To: C and C Dominte <domintefamily at yahoo.co.uk>
>Cc: cisco-nsp at puck.nether.net
>Message-ID: <86r6l2d45a.fsf at seastrom.com>
>Content-Type: text/plain; charset=us-ascii
>
>
>Try using an access-class on the VTY and a simple acl (number 1-99) instead.
>
> ---rob
>
>C and C Dominte <domintefamily at yahoo.co.uk> writes:
>
>> Hi,
>>
>> I am trying to filter SSH access on a router from outside by source and destination ip address. To be more clear, the source SSH access is the outside /24 network x.x.x.x, and the destination SSH IP is one of the router's ip's. I want to be able to cut the ssh listening on all the ip's from the router interfaces, and allow it only on one ip.
>>
>> The problem is that if the access list looks like:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
>> it blocks the ssh access for all ip's including y.y.y.y
>>
>> if the access list applied to the vty lines is:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22
>> it permits the ssh access to all ip's residing on the router.
>>
>> Is this a normal behavior of the IOS, to block access to all the ip's, including to the one that is supposed to be allowed?
>>
>> Thanks,
>>
>> Catalin
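Putting the two replies together, here is an added IOS configuration example that is not from anyone in the thread: a standard (source-only) ACL applied with access-class, plus transport input ssh so the lines accept nothing else. x.x.x.x 0.0.0.255 is the outside /24 from the question; the ACL number 10 and the vty range 0 4 are assumptions.

```cisco
! Added example (not from the thread). Standard ACL: matches source address only,
! which is all access-class evaluates, so no destination or port is given.
! x.x.x.x 0.0.0.255 is the outside /24 from the question; ACL 10 is an assumed number.
access-list 10 remark Management network allowed to open vty sessions
access-list 10 permit x.x.x.x 0.0.0.255
! Explicit deny with log so rejected session attempts show up in syslog.
access-list 10 deny any log
!
line vty 0 4
 ! Apply the ACL to inbound sessions on the lines (the "in" direction).
 access-class 10 in
 ! Accept only SSH; telnet, rlogin and the other transports are refused.
 transport input ssh
!
! Verification after a test connection from inside and outside the /24:
! show running-config | section line vty
! show access-lists 10
```

Because access-class evaluates the source of the session, this does not restrict which router address the SSH server answers on; the extended ACL with a y.y.y.y destination is the one the question reports as blocking everything, so that restriction is not achieved with a line ACL.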