Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
3
Helpful
4
Replies

Question about access lists

Go to solution
phusion2k
Level 1
Level 1

‎04-14-2007 01:32 PM - edited ‎03-05-2019 03:28 PM

I just setup my Cisco 851 router for my home network. Things are working. I would now like to setup a few access lists, but need some help. I would like the following.

1. Log all SSH connections.

2. Deny SSH connections from the outside.

3. Permit/allow SSH connections from the inside.

Let me know.

Ryan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Balfour
Level 1
Level 1
In response to Craig Balfour

‎04-15-2007 11:15 PM

Re-reading my post above in the light of a new (week) day I've found lots of mistakes in the first access-list - my apologies.

Please ignore the first access-list - it doesn't work. Here is an access-list that does work - I've tested it.

ip access-list extended VTY-LOCKDOWN

permit tcp 10.0.0.0 0.255.255.255 any eq 22 log

deny tcp any any eq 22 log

permit ip any any

Most of the rest of the post is correct - except that bit about 10.0.0.0/8 being 10.0.0.0 0.0.0.255 which of course is wrong.

10.0.0.0/8 = 10.0.0.0 0.255.255.255.255

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Craig Balfour
Level 1
Level 1

‎04-15-2007 12:09 AM

If you specifically want to control ssh separately from other terminal access protocols like telnet you can create an named extended access list as follows:

ip access-list standard VTY-LOCKDOWN

permit tcp 10.0.0.0 0.0.0.255 host 192.168.100.1 eq 22 log

deny tcp any host 192.168.100.1 eq 22 log

permit ip any any

In the above example VTY-LOCKDOWN is the name of your access-list, 10.0.0.0/8 (or 10.0.0.0 0.0.0.255 in Cisco wildcard mask notation) is your inside subnet address and 192.168.100.1 is the address of your router. 22 is the TCP port number used by SSH and the entries are logged by adding the log keyword to the end of the access-list.

The above access-list will only block ssh from the non-local networks, but will permit other protocols such as telnet.

If you just want to control all terminal access protocols equally (i.e. telnet and ssh) you can create a simpler standard access-list as following:

ip access-list standard VTY-LOCKDOWN

permit 10.0.0.0 0.0.0.255 log

deny any any log

You apply one of the above access-lists to your vty line interface to control access to your router:

line vty 0 15

access-class VTY-LOCKDOWN in

Go to solution
Craig Balfour
Level 1
Level 1
In response to Craig Balfour

‎04-15-2007 11:15 PM

Re-reading my post above in the light of a new (week) day I've found lots of mistakes in the first access-list - my apologies.

Please ignore the first access-list - it doesn't work. Here is an access-list that does work - I've tested it.

ip access-list extended VTY-LOCKDOWN

permit tcp 10.0.0.0 0.255.255.255 any eq 22 log

deny tcp any any eq 22 log

permit ip any any

Most of the rest of the post is correct - except that bit about 10.0.0.0/8 being 10.0.0.0 0.0.0.255 which of course is wrong.

10.0.0.0/8 = 10.0.0.0 0.255.255.255.255

0 Helpful

Go to solution
phusion2k
Level 1
Level 1
In response to Craig Balfour

‎04-18-2007 05:15 PM

It works. Thanks for your help.

0 Helpful

Go to solution
rseiler
Level 3
Level 3
In response to Craig Balfour

‎05-02-2007 07:30 PM

Keep in mind that a VTY access-list doesn't actually protect the router from being exploited or DOSSed. The SSH daemon will actually get the packet and reject it, kind of like a securetty file in Linux. The point being that the router actually processes the packet. Several Cisco HTTP, telnet, and SSH server exploits over the past few years have proved this for many users the hard way.

A better and more secure solution would be to use an ACL to block ssh access to *ANY* public IP interface on the router applied to the outside Internet facing interface.

There are some good best practice guides on Cisco's web site about properly locking down a router on the Internet that will protect the router but still allow packets to flow through it.

The best course of action is to protect the router IPs specifically, block anti-spoofing and unassigned IP blocks (IANA list), use the 'control-plane' interface if possible, and allow access to only the IP range that you own.

Obviously your example of a home Cisco 831/851/871 router complicates this as you most likely have a single public IP available to you and you need to allow return traffic to the router for NAT, etc. which limits your ability to protect the router.

A few older but good documents are at the following URLs:

http://www.cisco.com/web/about/security/intelligence/sp_infrastruct_scty.html

ftp://ftp-eng.cisco.com/cons/isp/essentials/IOS_Essentials_2-9.pdf

ftp://ftp-eng.cisco.com/pfs/seminars/SANOG2-ISP-Essentials.pdf

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card