Access list issues on VTY lines

Unanswered Question
Jan 8th, 2010

Hi, I was hoping someone could explain how to do this.

I am trying to restrict my core switches (4506s) to only accept incoming SSH and Telnet (management) traffic that is directed to a single IP interface.

I thought I could do this by placing an access list on the VTY lines that says

access-list 101 permit tcp any host 192.168.1.254 eq 22 log

access-list 101 permit tcp any host 192.168.1.254 eq 23 log

access-list 101 deny ip any any log

and simply assign that list inbound to the VTY lines.

However, this then blocks all access to the VTY line. The log is as shown:

Jan  8 11:41:54.247: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.5.25(4258) -> 0.0.0.0(22), 1 packet

So I can see what is happening: because the 4506 is the default gateway for the 192.168.5.0 network, it is seeing the packet as directed to itself and not to the 192.168.1.254 address.

My question is, is there any way around this? I was hoping to be able to restrict management access to the 192.168.66.254 address.

I don't want to stop other subnets being able to manage this switch, but they would all have to manage it through a single IP address. This switch may end up with many subnet interfaces, and I would rather be able to say allow this interface and deny all others by default than have to manually deny all other interfaces one by one.

Any ideas how I can get this to work?

Cheers

Ganesh Hariharan Mon, 01/11/2010 - 02:23

Hi,

To restrict access to the switch via VTY, just do the below configuration in the switches so that only the permitted IPs can access the switch via Telnet.

ip access-list standard admin
permit 10.9.4.4
permit 10.198.1.1


Cisco_1811#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco_1811(config)#line vty 0 15
Cisco_1(config-line)#access-class admin in

Hope that helps out your query !!

Regards

Ganesh.H

VLA_WeyBridge_2 Mon, 01/11/2010 - 03:42

See, this still allows access via any interface IP address the switch/router is configured with.

I want to restrict management to a single interface on the router/switch.

At the moment users are assigned an access list as they log on to the network,

which says something like

deny ip any 192.168.1.0 0.0.0.255

deny tcp any 192.168.2.0 0.0.0.255 eq 3389

permit ip any any

So they are denied access to different parts of the network depending on what group they are in.

The idea being that no matter what PC they log on to, in whatever subnet, they will always be denied access based on the user.

The problem with your solution is that the management interface can then only be accessed from one PC or subnet, as it is based on the source address.

I want to limit it based on the destination address,

i.e. not who it is coming from, but what IP address it is directed to.

Then if I say that a user can / can't reach the 192.168.1.0 (management subnet), I can centrally manage access to the switch management.

Ganesh Hariharan Mon, 01/11/2010 - 03:49

Please clarify your question briefly: do you want to create a management restriction, or do you want to block different networks from one LAN to another?

Regards

Ganesh.H

VLA_WeyBridge_2 Mon, 01/11/2010 - 03:54

I want to do exactly what you have said:

assign an access list to the VTY line,

but I want to filter based on the destination address (not the source address).

Ganesh Hariharan Tue, 01/12/2010 - 03:23

Hi,

Ok !!

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.
access-class access-list-number {in [vrf-also] | out}
no access-class access-list-number {in | out}

Syntax Description

access-list-number
    Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in
    Restricts incoming connections between a particular Cisco device and the addresses in the access list.
vrf-also
    Accepts incoming connections from interfaces that belong to a VRF.
out
    Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Usage Guidelines

Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

Examples

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
access-class 12 in

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
access-class 10 out

Hope that helps out your query !!

Regards

Ganesh.H

justnetsolutions Sun, 05/29/2016 - 13:00

I know this question was asked quite a while ago, but I'm sure people are still trying to find an answer to this question.

I'm currently studying for my CCNA exam, and in one of the labs it asks to apply an ACL to the VTY lines that would allow access to only one of the local IP addresses configured on a router (say loopback 0). This cannot be done (at least in any of the GNS3 devices I have set up). To only allow Telnet/SSH access to one of the configured addresses, you must apply the ACL to an interface, not the VTY lines.

I hope this helps anyone else out there that is currently looking for a solution to this problem.
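The following is an added example, not part of the thread and not anyone's posted configuration. It is a small evaluator for Cisco-style extended IP access lists (first-match, wildcard masks, implicit deny) and uses it to replay the two situations discussed above: the original poster's VTY list checked against the packet in the logged deny (destination recorded as 0.0.0.0, which does not match `host 192.168.1.254`, so the packet falls through to the `deny ip any any` line), and a constructed destination-based list of the kind the last post recommends applying inbound on a user-facing interface with `ip access-group`. Assumptions: the ACL name MGMT-IN and the sample hosts 192.168.5.1 and 192.168.2.10 are made up; the parser handles only IPv4, `any`/`host`/wildcard addresses and a single destination `eq` port, not source ports, ranges or `established`.

```python
"""Minimal evaluator for Cisco-style extended IP access lists (added example).

Models first-match semantics, wildcard masks and the implicit 'deny ip any any'
so the ACL behaviour discussed in the thread can be reproduced offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrMatch = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]  # None means any destination port
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered ('access-list 101 permit ...') or named ('permit ...') ACL lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop 'access-list <number>'
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
            i += 2
        entries.append(Entry(action, proto, src, dst, dport, "log" in tokens[i:]))
    return entries


def _match(m: AddrMatch, ip: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    addr, wild = m
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """Return (action, index of matching entry); index -1 means the implicit deny."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _match(e.src, src) or not _match(e.dst, dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", -1


# The original poster's list (typo corrected), as assigned to the VTY lines.
VTY_ACL = """
access-list 101 permit tcp any host 192.168.1.254 eq 22 log
access-list 101 permit tcp any host 192.168.1.254 eq 23 log
access-list 101 deny ip any any log
"""

# Constructed destination-based list for 'ip access-group MGMT-IN in' on a
# user-facing interface (name assumed). Management is allowed only to the
# management address; transit traffic other than SSH/Telnet stays permitted.
INTERFACE_ACL = """
permit tcp any host 192.168.1.254 eq 22
permit tcp any host 192.168.1.254 eq 23
deny tcp any any eq 22 log
deny tcp any any eq 23 log
permit ip any any
"""


def logged_packet_decision() -> Tuple[str, int]:
    """The packet from the thread's log line: 192.168.5.25 -> 0.0.0.0 port 22."""
    return evaluate(parse_acl(VTY_ACL), "tcp", "192.168.5.25", "0.0.0.0", 22)


def interface_decisions() -> dict:
    """Decisions of the interface list for three constructed flows from 192.168.5.25."""
    acl = parse_acl(INTERFACE_ACL)
    return {
        "ssh_to_mgmt": evaluate(acl, "tcp", "192.168.5.25", "192.168.1.254", 22)[0],
        "ssh_to_other_svi": evaluate(acl, "tcp", "192.168.5.25", "192.168.5.1", 22)[0],
        "http_transit": evaluate(acl, "tcp", "192.168.5.25", "192.168.2.10", 80)[0],
    }


if __name__ == "__main__":
    print("VTY list, logged packet:", logged_packet_decision())
    print("Interface list:", interface_decisions())
```

Two points worth noting when adapting this: the interface list must be applied on every interface that management traffic can arrive on (the same "identical restrictions everywhere" rule the access-class documentation above gives for VTY lines), and the `deny tcp any any eq 22/23` lines also block SSH and Telnet transiting to other hosts, so if that is not wanted the denies have to name the switch's own addresses instead.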
