10-01-2009 08:14 AM - last edited on 03-25-2019 04:08 PM by ciscomoderator
I have a Cisco 6500 in Hybrid mode and I do session 15/16 to get to the MSFC (I believe this uses telnet).
I can also connect to the MSFC using telnet/ssh to its loopback address.
I want to be able to continue to use session 15/16, but I want to block direct telnet access to the MSFC and use only SSH.
I have tried the following ACL, but then I couldn't directly telnet/ssh to the box.
access-list 112 permit tcp 10.1.21.0 0.0.0.255 eq 22 any (SSH ONLY sourcing from 10.1.21.0/24)
line vty 0 4
transport input telnet ssh
access-class 112 in
line vty 5 15
transport input telnet ssh
access-class 112 in
Do you know what I could be doing wrong?
10-01-2009 08:22 AM
Hello Nawaz,
The well-known port TCP 22 should be on the destination part of the ACL:
try
access-list 113 permit tcp 10.1.21.0 0.0.0.255 any eq 22
and these are the MSFC's VTY lines?
Hope to help
Giuseppe
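The source-versus-destination port point in the reply above, as an added example that is not part of the original thread and not Cisco code: a small Python evaluator for the extended-ACL syntax used in this thread, run against constructed connections. The client address 10.1.21.5, the VLAN interface address 10.4.10.1 and the ephemeral source port 51234 are assumptions. It shows why `eq 22` on the source side never matches an inbound SSH session (the client's source port is ephemeral, only the destination port is 22). By plain ACE semantics the `host 10.4.1.52 eq 22` form would also restrict SSH to the loopback; the thread reports that this did not work for access-class on the MSFC, so that last case shows what the ACE says, not what the platform did.

```python
"""Toy matcher for IOS extended ACL entries of the form used in this thread:
  access-list N permit|deny tcp SRC [eq PORT] DST [eq PORT]
where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
Added illustration only; it is not Cisco code and it models a single
inbound TCP connection against the ACL (first match wins, implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ssh": 22, "telnet": 23}  # names IOS accepts after "eq"


@dataclass
class Ace:
    action: str
    src_net: int
    src_wc: int          # wildcard mask: 1 bits are "don't care"
    src_port: Optional[int]
    dst_net: int
    dst_wc: int
    dst_port: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Return (network, wildcard, next_index) for an address spec at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Return (port, next_index); only the 'eq' operator is modelled."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src_net, src_wc, i = _parse_addr(tok, 4)
    src_port, i = _parse_port(tok, i)
    dst_net, dst_wc, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)
    return Ace(tok[2], src_net, src_wc, src_port, dst_net, dst_wc, dst_port)


def _addr_match(addr: int, net: int, wc: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must equal the network.
    return ((addr ^ net) & (~wc & 0xFFFFFFFF)) == 0


def evaluate(acl: List[str], src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """Evaluate one inbound TCP connection against an ACL; implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in (parse_ace(l) for l in acl):
        if (_addr_match(s, ace.src_net, ace.src_wc)
                and (ace.src_port is None or ace.src_port == src_port)
                and _addr_match(d, ace.dst_net, ace.dst_wc)
                and (ace.dst_port is None or ace.dst_port == dst_port)):
            return ace.action
    return "deny"


# ACLs from the thread.
ORIGINAL_ACL = ["access-list 112 permit tcp 10.1.21.0 0.0.0.255 eq 22 any"]      # eq 22 on source
FIXED_ACL = ["access-list 113 permit tcp 10.1.21.0 0.0.0.255 any eq 22"]         # eq 22 on destination
LOOPBACK_ONLY_ACL = ["access-list 112 permit tcp 10.1.21.0 0.0.0.255 host 10.4.1.52 eq 22"]

# Constructed connections (assumed client 10.1.21.5, ephemeral port 51234, assumed SVI 10.4.10.1).
if __name__ == "__main__":
    ssh_to_loopback = ("10.1.21.5", 51234, "10.4.1.52", 22)
    print("original ACL, SSH to loopback:", evaluate(ORIGINAL_ACL, *ssh_to_loopback))
    print("fixed ACL, SSH to loopback:   ", evaluate(FIXED_ACL, *ssh_to_loopback))
    print("fixed ACL, telnet to loopback:", evaluate(FIXED_ACL, "10.1.21.5", 51234, "10.4.1.52", 23))
    print("fixed ACL, SSH from other net:", evaluate(FIXED_ACL, "10.2.0.9", 51234, "10.4.1.52", 22))
    print("loopback-only ACL, SSH to SVI:", evaluate(LOOPBACK_ONLY_ACL, "10.1.21.5", 51234, "10.4.10.1", 22))
```

Note that the evaluator only models the `eq` operator and TCP; it is enough to see that an ACE with `eq 22` in the source position can only match a session whose source port happens to be 22, which an SSH client never uses.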
10-01-2009 08:45 AM
Yes, these are the MSFC's vty lines. I think this ACL will work, let me try.
10-01-2009 08:48 AM
Hi Giuseppe
Your ACL seems to have worked, but if I make a modification like adding a host instead of any, it fails. (Since the MSFC has tons of VLAN interfaces, I want to be able to SSH only to loopback0.)
access-list 112 permit tcp 10.1.21.0 0.0.0.255 host 10.4.1.52 eq 22
10-01-2009 12:14 PM
Hello Nawaz,
I'm afraid this is a limitation on using extended ACLs for access-class.
I remember a thread where Rick Burts explained this.
I usually configure a standard ACL for access-class.
I don't know if the MSFC supports it: receive ACL. But it is really difficult to configure; you need to explicitly permit all possible flows to the MSFC, including routing protocol messages.
I think you should be satisfied by having limited external access to the MSFC to SSH while allowing telnet access from the supervisor.
Hope to help
Giuseppe
10-01-2009 12:33 PM
I agree. I have come up with the ACL which serves the purpose for me. This ACL will allow telnet via session 15 and 16 but restrict telnet from anywhere else and allow SSH only.
Thank you for all your help.
access-list 112 permit tcp any any eq 22
line vty 0 4
transport input ssh
access-class 112 in
line vty 5 15
transport input ssh
access-class 112 in
10-01-2009 08:26 AM
If you get rid of the "eq 22" in the statement and just use transport input ssh only, it should work. It will block any telnet sessions because it is not one of the transport protocols allowed. Make sure SSH is configured correctly on the box before doing this.
10-01-2009 08:45 AM
If I use transport input ssh only, then session 15/16 doesn't work.
10-01-2009 11:00 AM
Kind of defeats the point of using SSH if you still have telnet running on the CatOS side.
10-01-2009 11:10 AM
No, I'm not running telnet on CatOS, but when I do session 15 or session 16 from CatOS it only uses (internal) telnet to connect to the MSFC; this is the default in Hybrid mode and you cannot change it.