Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1696
Views
0
Helpful
4
Replies

Access restriction to router

ronshuster
Level 1
Level 1

‎02-13-2008 08:04 AM

I have a Cisco3845 and I am trying to block access from the outside interface (Internet facing) and only grant access from the inside (private address). I am doing this with the SDM but I get a message saying:

"SDM has detected some unsupported ACEs in the VTY lines".

What does that mean?

How can I resolve this issue?

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

‎02-13-2008 09:04 AM

Roni

I am not sure what that message really means and not sure what to do in SDM to fix it. But it is easy to fix from the command line instead of SDM. To restrict who can telnet or SSH to the router you would create a standard access list and in that access list you would permit the inside addresses that you want to be able to telnet or SSH to the router. Perhaps it might look like this:

access-list 50 permit 10.10.10.0 0.0.0.255

and then you put this command under the vty lines:

access-class 50 in

The access class is used to restrict the IP addresses that can do remote access to the router.

HTH

Rick

HTH

Rick
0 Helpful

ronshuster
Level 1
Level 1
In response to Richard Burts

‎02-14-2008 10:21 AM

Thank you Rick!!!

0 Helpful

ronshuster
Level 1
Level 1
In response to Richard Burts

‎02-14-2008 10:50 AM

Rick, here's my vty lines:

line con 0

login local

stopbits 1

line aux 0

stopbits 1

line vty 0 3

access-class 23 in

privilege level 15

password *******

login

transport input telnet

line vty 4

privilege level 15

password *******

login

transport input telnet

line vty 5 15

privilege level 15

login local

transport input telnet

1) note sure where this came from : access-class 23 in

2) do i really need all these vty lines?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to ronshuster

‎02-14-2008 11:14 AM

Roni

The access-class 23 in came from SDM. It is part of the default config supplied with SDM (which also puts the privilege level 15 on the VTYs and the username cisco).

If you want you could delete access-list 23 and recreate it as the access list to use with access-class. Or you could remove access-list 23 and create some other standard access list to identify the private addresses which you want to be able to access the router (the access-list 50 suggested in my previous post).

Do you really need all these VTYs? Well that depends a bit on what you are doing with the router. But probably you do not need all of these. The original standard for VTY was to have 5 (line vty 0 4). Now some of the platforms (or maybe it is the version of IOS) creates 16 VTYs (vty 0 15). You are able to delete vty 5 through 15. I do not believe that you can delete vty 0 4.

One other thing to mention. The configuration of vty 0 3 has the privilege level 15 command which will automatically put the person who logs in at privilege mode. (the default config also does that for vty 4 but that appears to have been removed in your config). In general I do not like to have people go automatically to privilege mode. I prefer that they log in at user level and if they need privilege leve then they should authenticate to privilege level. If you like to have them go directly to privilege level then leave it in the config. But if you want them to have to authenticate to the privilege level then remove the command: privilege level 15 from the vty lines.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents