02-13-2008 08:04 AM
I have a Cisco 3845 and I am trying to block access from the outside interface (Internet facing) and only grant access from the inside (private address). I am doing this with the SDM but I get a message saying:
"SDM has detected some unsupported ACEs in the VTY lines".
What does that mean?
How can I resolve this issue?
02-13-2008 09:04 AM
Roni
I am not sure what that message really means and not sure what to do in SDM to fix it. But it is easy to fix from the command line instead of SDM. To restrict who can telnet or SSH to the router you would create a standard access list and in that access list you would permit the inside addresses that you want to be able to telnet or SSH to the router. Perhaps it might look like this:
access-list 50 permit 10.10.10.0 0.0.0.255
and then you put this command under the vty lines:
access-class 50 in
The access class is used to restrict the IP addresses that can do remote access to the router.
HTH
Rick
02-14-2008 10:21 AM
Thank you Rick!!!
02-14-2008 10:50 AM
Rick, here's my vty lines:
line con 0
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 3
access-class 23 in
privilege level 15
password *******
login
transport input telnet
line vty 4
privilege level 15
password *******
login
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
1) Not sure where this came from: access-class 23 in
2) Do I really need all these vty lines?
02-14-2008 11:14 AM
Roni
The access-class 23 in came from SDM. It is part of the default config supplied with SDM (which also puts the privilege level 15 on the VTYs and the username cisco).
If you want you could delete access-list 23 and recreate it as the access list to use with access-class. Or you could remove access-list 23 and create some other standard access list to identify the private addresses which you want to be able to access the router (the access-list 50 suggested in my previous post).
Do you really need all these VTYs? Well that depends a bit on what you are doing with the router. But probably you do not need all of these. The original standard for VTY was to have 5 (line vty 0 4). Now some of the platforms (or maybe it is the version of IOS) create 16 VTYs (vty 0 15). You are able to delete vty 5 through 15. I do not believe that you can delete vty 0 4.
One other thing to mention. The configuration of vty 0 3 has the privilege level 15 command which will automatically put the person who logs in at privilege mode. (The default config also does that for vty 4 but that appears to have been removed in your config.) In general I do not like to have people go automatically to privilege mode. I prefer that they log in at user level and if they need privilege level then they should authenticate to privilege level. If you like to have them go directly to privilege level then leave it in the config. But if you want them to have to authenticate to the privilege level then remove the command: privilege level 15 from the vty lines.
HTH
Rick
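As an added illustration (not part of the thread, and not a Cisco tool), the script below audits the vty block Roni pasted: it flags each vty range that has no inbound access-class and each one that still has privilege level 15, then generates the commands Rick describes. The access-list number 50 and the 10.10.10.0/24 network are the values from Rick's first reply; the function names are hypothetical.

```python
# Constructed sample: the vty section Roni pasted above, trimmed to the lines that matter.
SAMPLE_CONFIG = """\
line con 0
 login local
line vty 0 3
 access-class 23 in
 privilege level 15
 login
line vty 4
 privilege level 15
line vty 5 15
 privilege level 15
"""

def parse_line_blocks(config):
    """Map each 'line <name>' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            blocks[current] = []
        elif cmd and current is not None:
            blocks[current].append(cmd)
    return blocks

def audit_vty(config):
    """Return {vty_range: [issues]}; an empty list means restricted and not auto-enable."""
    report = {}
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        issues = []
        # No inbound access-class: any address that can reach the router may attempt a login.
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            issues.append("missing access-class")
        # privilege level 15 drops the user straight into enable mode after login.
        if "privilege level 15" in cmds:
            issues.append("privilege level 15")
        report[name] = issues
    return report

def remediation(config, acl=50, network="10.10.10.0 0.0.0.255"):
    """Emit Rick's fix: one standard ACL applied inbound to every vty range, no auto-enable."""
    cmds = [f"access-list {acl} permit {network}"]
    for name, issues in audit_vty(config).items():
        cmds += [f"line {name}", f" access-class {acl} in"]  # replaces access-class 23 where present
        if "privilege level 15" in issues:
            cmds.append(" no privilege level 15")
    return cmds
```

Running the audit on the posted config shows that only vty 0 3 carries the SDM access-class; vty 4 and vty 5 15 accept connections from any address, which is why the fix has to be applied to every vty range rather than just the first one.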