[c-nsp] vty access-list

Fred Reimer freimer at ctiusa.com
Fri Sep 14 08:19:23 EDT 2007


"Is there any compelling reason why SSH should only be allowed to one
particular IP on the router?"

Yes, if you have VRFs set up and only want to allow inbound
traffic to particular interfaces in a particular VRF (or
default/global)...


Fred Reimer, CISSP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C
Dominte
Sent: Friday, September 14, 2007 2:54 AM
To: Tom Storey; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vty access-list
Try permitting based on IP address only, e.g.

access-list 199 permit ip x.x.x.x 0.0.0.255 host y.y.y.y

still the same result, all the IPs are blocked.
Well you are allowing TCP port 22 from x.x.x.x/24 to any
destination, which will be any IP address on the router. But that
doesn't necessarily explain why the first access list doesn't work.

Personally I've never used an extended ACL to control VTY access
to a router, I generally use standard ACLs and permit only a
specific set of source subnets access. It works just fine.

I wanted to use that, but I thought it is easier to cut the
access to a destination, rather than cut the access based on
source address. This way, I don't have to RDP / SSH to my
desktops, to be able to connect to the router.

Is there any compelling reason why SSH should only be allowed to one
particular IP on the router?

I wanted to see if I can force the router to allow SSH traffic
only on one IP interface, not on all of them. 

Thanks,
Catalin


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
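As an added illustration that is not part of the thread, the following Python model evaluates the three ACL shapes discussed above (extended with "any" destination and port 22, extended with "host y.y.y.y", and a source-only standard ACL) against a router with two addresses, to show which router IPs each one lets a management host reach. It is a simplified first-match matcher with Cisco wildcard-mask semantics and an implicit deny, not IOS's own access-class code; the addresses 10.1.1.0/24, 192.0.2.1 and 198.51.100.1 are constructed stand-ins for x.x.x.x and y.y.y.y.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses standing in for the thread's x.x.x.x and y.y.y.y.
MGMT_SUBNET = "10.1.1.0"          # x.x.x.x, the /24 the admin desktops sit in
MGMT_INTERFACE = "192.0.2.1"      # y.y.y.y, the one router IP SSH should answer on
OTHER_INTERFACE = "198.51.100.1"  # another address configured on the same router

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    action: str                          # "permit" or "deny"
    src: Tuple[str, str]                 # (base, wildcard)
    dst: Optional[Tuple[str, str]] = None  # None for a standard (source-only) ACL
    port: Optional[int] = None           # destination TCP port, None means any

def evaluate(acl, src: str, dst: str, port: int) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    for e in acl:
        if not wildcard_match(src, *e.src):
            continue
        if e.dst is not None and not wildcard_match(dst, *e.dst):
            continue
        if e.port is not None and port != e.port:
            continue
        return e.action == "permit"
    return False  # implicit deny at the end of every Cisco ACL

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")

# The three ACLs the thread talks about, in the same order they come up.
EXTENDED_ANY = [Entry("permit", (MGMT_SUBNET, "0.0.0.255"), ANY, 22)]  # permit tcp x.x.x.x 0.0.0.255 any eq 22
EXTENDED_HOST = [Entry("permit", (MGMT_SUBNET, "0.0.0.255"), host(MGMT_INTERFACE))]  # access-list 199 ... host y.y.y.y
STANDARD = [Entry("permit", (MGMT_SUBNET, "0.0.0.255"))]  # standard ACL: source subnet only

def reachable_interfaces(acl, src: str = "10.1.1.25", port: int = 22):
    """Which of the router's addresses a given source may reach on the given port."""
    return [ip for ip in (MGMT_INTERFACE, OTHER_INTERFACE) if evaluate(acl, src, ip, port)]
```

Only the "host y.y.y.y" form narrows access to a single router address; the "any"-destination and standard forms both admit the management subnet to every address the router owns.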