[c-nsp] vty access-list
C and C Dominte
domintefamily at yahoo.co.uk
Fri Sep 14 03:00:41 EDT 2007
Aaron Daubman <daubman at gmail.com> wrote:
> Catalin,
> ...
> > Is this a normal behavior of the IOS, to block access to all the IPs, including the one that is supposed to be allowed?
> While not explicitly called out, I believe the intent is to use a
> 'standard' access list with one's vty access-class statements. To
> that end, an extended list that specifies a destination as well as a
> source will deny all traffic.
> I would hazard a guess that this is due to the fact that one's
> destination is no longer the external interface IP address used to
> reach the router at this point, but rather the internal VTY... I
> believe the only way to restrict SSH access to a specific IP on the
> router is to apply the appropriate extended access list entries to
> each router interface, which, given enough processing overhead, is
> probably a good idea anyway...
> See: http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ec2.html
> for the implied restriction to use only standard access lists...
> Regards,
> ~Aaron

This is what I would like to avoid, overhead, and at the same time to filter the SSH connections both ways, source and destination.
Catalin
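Added illustration (not posted by either Catalin or Aaron): the two approaches Aaron's reply contrasts, side by side. The first restricts the vty with a standard access list, matching on source only, as the linked guide implies; the second does the source-plus-destination filtering Catalin asks for, but on the ingress interface rather than on the vty. The addresses (192.0.2.10 as the management host, 198.51.100.1 as the router's external interface), the interface name and the ACL names are placeholders chosen for the example.

```cisco
! --- Option 1: standard ACL on the vty (source-only match) ---
ip access-list standard MGMT-SSH
 permit host 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
!
! --- Option 2: extended ACL on the interface (source AND destination) ---
! The vty access-class is left as above; this list is evaluated on the
! interface before the packet reaches the vty, so the destination is
! still the external interface address 198.51.100.1.
ip access-list extended INBOUND-GI0
 permit tcp host 192.0.2.10 host 198.51.100.1 eq 22
 deny   tcp any          host 198.51.100.1 eq 22 log
 ! Interface ACLs end in an implicit deny; keep transit traffic flowing.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INBOUND-GI0 in
```

After applying either list, `show ip access-lists MGMT-SSH` (or `INBOUND-GI0`) shows per-entry hit counts, which is the quickest way to see whether the permit entry is actually matching the connection being tested or everything is falling through to the deny. Note that `access-class` only governs the vty lines; an interface ACL as in option 2 also covers any other service listening on that address.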