[c-nsp] vty access-list

C and C Dominte domintefamily at yahoo.co.uk
Fri Sep 14 02:54:16 EDT 2007





Try permitting based on IP address only, e.g.

access-list 199 permit ip x.x.x.x 0.0.0.255 host y.y.y.y

Still the same result, all the IPs are blocked.



Well you are allowing TCP port 22 from x.x.x.x/24 to any destination, which
will be any IP address on the router. But that doesn't necessarily explain
why the first access list doesn't work.

Personally I've never used an extended ACL to control VTY access to a router,
I generally use standard ACLs and permit only a specific set of source
subnets access. It works just fine.

I wanted to use that, but I thought it is easier to cut the access to a destination, rather than cut the access based on source address. This way, I don't have to RDP / SSH to my desktops, to be able to connect to the router.

Is there any compelling reason why SSH should only be allowed to one
particular IP on the router?

I wanted to see if I can force the router to allow SSH traffic only on one IP interface, not on all of them. 

Thanks,
Catalin
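As an added illustration (not part of the thread), the two approaches discussed above in IOS configuration: a standard source-based ACL on the VTY lines, as the reply recommends, and Management Plane Protection, which is the IOS feature for accepting SSH only on one interface rather than on every router address. The management subnet 192.0.2.0/24 and the interface GigabitEthernet0/1 are constructed placeholder values; MPP is only available on IOS images that support the control-plane host configuration and requires CEF.

```cisco
! Approach 1: standard ACL applied with access-class, matching on source only
ip access-list standard VTY-MGMT
 remark constructed example: management subnet allowed to reach the VTYs
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class VTY-MGMT in
!
! Approach 2: Management Plane Protection - SSH to the router is accepted
! only if it arrives on the designated management interface (placeholder name);
! SSH reaching any other interface is dropped regardless of destination address
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
```

The `log` keyword on the deny entry makes rejected VTY attempts visible in syslog, which is useful when verifying that the filter behaves as intended.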



