[c-nsp] vty access-list

Jeff Fitzwater jfitz at Princeton.EDU
Thu Sep 13 11:28:43 EDT 2007


On your original list, enter the following to see what you missed...

access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
access-list 199 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 log

Now try to log in again and it should let you, but now you will have a 
log of what was missed.

I also agree that only using a standard ACL with specific host permits is 
simpler.


Jeff Fitzwater
OIT Network Systems
Princeton University
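As an added illustration (not from the thread), a small Python model of how an IOS-style numbered ACL is evaluated first-match against a connection: wildcard-mask matching, `host`/`any`, `eq 22`, and the catch-all `log` entry Jeff adds, which records whatever the specific line failed to match. The addresses 203.0.113.0/24 and 192.0.2.1 are constructed stand-ins for x.x.x.x and y.y.y.y; this models plain ACL semantics and does not reproduce whatever the router did with the original vty access-class.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.x.x (outside /24) and y.y.y.y (router IP).
SRC_NET = "203.0.113.0"
ROUTER_SSH_IP = "192.0.2.1"

# Jeff's two-line form of ACL 199: the specific permit, then a catch-all carrying 'log'.
ACL_199 = [
    f"access-list 199 permit tcp {SRC_NET} 0.0.0.255 {ROUTER_SSH_IP} 0.0.0.0 eq 22",
    f"access-list 199 permit ip {SRC_NET} 0.0.0.255 {ROUTER_SSH_IP} 0.0.0.0 log",
]

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    base, wild = [int(ipaddress.ip_address(x)) for x in tokens[:2]]
    return (base, wild), tokens[2:]

def parse_ace(line):
    """Parse one numbered extended ACL entry of the shape used in the thread."""
    t = line.split()  # access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] [log]
    ace = {"action": t[2], "proto": t[3], "port": None}
    ace["src"], rest = _parse_addr(t[4:])
    ace["dst"], rest = _parse_addr(rest)
    if rest[:1] == ["eq"]:
        ace["port"], rest = int(rest[1]), rest[2:]
    ace["log"] = "log" in rest
    return ace

def _addr_matches(spec, ip):
    # Wildcard bits set to 1 are "don't care"; the 0 bits must equal the base address.
    base, wild = spec
    return (int(ipaddress.ip_address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First match wins, else IOS's implicit deny. Returns (entry index or None, action, logged)."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(ace["src"], src_ip) and _addr_matches(ace["dst"], dst_ip)):
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return i, ace["action"], ace["log"]
    return None, "deny", False
```

A connection from the permitted /24 to the router's SSH IP on a port other than 22 is the kind of hit that lands on the second, logged entry; anything from outside the /24 or to another router address falls through to the implicit deny.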




Tom Storey wrote:
>> Hi,
>>
>> I am trying to filter SSH access on a router from outside by source and
>> destination ip address. To be more clear, the source SSH access is the
>> outside /24 network x.x.x.x, and the destination SSH IP is one of the
>> router's ip's. I want to be able to cut the ssh listening on all the ip's
>> from the router interfaces, and allow it only on one ip.
>
>> The problem is that if the access list looks like:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.0 eq 22
>> it blocks the ssh access for all ip's including y.y.y.y
>
> Try permitting based on IP address only, e.g.
>
> access-list 199 permit ip x.x.x.x 0.0.0.255 host y.y.y.y
>
>
>> if the access list applied to the vty lines is:
>> access-list 199 permit tcp x.x.x.x 0.0.0.255 any eq 22
>> it permits the ssh access to all ip's residing on the router.
>>
>> Is this a normal behavior of the IOS, to block access to all the ip's,
>> including to the one that is supposed to be allowed?
>
> Well you are allowing TCP port 22 from x.x.x.x/24 to any destination, which
> will be any IP address on the router. But that doesn't necessarily explain
> why the first access list doesn't work.
>
> Personally I've never used an extended ACL to control VTY access to a router,
> I generally use standard ACLs and permit only a specific set of source
> subnets access. It works just fine.
>
> Is there any compelling reason why SSH should only be allowed to one
> particular IP on the router?
>
>
>> Thanks,
>>
>> Catalin
>>