SSH configuration on VTY Line

Unanswered Question
Jul 21st, 2011

Hello,

Just a quick question if you don't mind.

We've got our switches and routers configured so that the vty lines can only be accessed using SSH.

Here is an example:

ip access-list extended SSH_ACCESS
 permit tcp 10.x.x.x 0.0.127.255 any eq 22
line vty 0 2
 access-class SSH_ACCESS in
line vty 3 4
 transport input none
line vty 5 15
 transport input none

Based on this configuration I can see that on vty 0, 1 and 2 only devices using 10.x.x.x with the subnet range 0.0.125.255 can access using SSH; my question is about vty 3 and 4, and then 5-15.

I can also see that the transport input command doesn't specify SSH. Shouldn't it say SSH if we only want SSH to be used to access the switches/routers on these VTY lines? And also, should "access-class SSH_ACCESS in" not be applied to the rest of the vty lines, not just 0 2?

Many thanks,

H

manju.cisco Thu, 07/21/2011 - 02:06

Hi,

Your vty lines 3 to 15 are not usable since you have "transport input none" configured there, so no protocols will be allowed as incoming.

To re-use those vty lines you should configure "transport input ssh" so that you can still have SSH access to the device on vty lines 3 to 15.

Your access-list here only helps to allow SSH connections from the 10.x network. If you want SSH connections only from the 10.x network, then apply the access-list on all vty lines. If any source may SSH in, then applying the access-list on the vty lines is not required.

Hope this helps.

Thanks

nikalleyne Thu, 07/21/2011 - 05:42

Try this instead

!
line vty 0 2
 access-class SSH_ACCESS in
 ---- Allow only incoming SSH and NO Telnet
 transport input ssh
 ---- Since you have a preference for SSH you can also use
 transport preferred ssh
 ---- If you would also like to use the switch as a pivot point to get to other switches you can also use
 transport output ssh telnet
line vty 3 4
 access-class SSH_ACCESS in
 ---- Allow only incoming SSH and NO Telnet
 transport input ssh
 ---- Since you have a preference for SSH you can also use
 transport preferred ssh
 ---- If you would also like to use the switch as a pivot point from these lines to get to other switches you can also use
 transport output ssh telnet
line vty 5 15
 transport input none
 ---- If you would NOT like to use your switch as a pivot point from these lines
 transport output none

naiduccnp Thu, 07/21/2011 - 06:08

Hi haidar,

What the previous posts said is right: you need to allow SSH as the input transport on the vty lines to allow SSH access. You can then restrict SSH access by defining the rules (SSH_ACCESS) so that only the required subnets or hosts are permitted, like below.


line vty 0 2
access-class SSH_ACCESS in
transport input ssh


Please rate the helpful posts.
Regards,
Naidu.
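As an added example that is not part of the thread (not the poster's or Cisco's code): a small Python audit that parses a config fragment like the ones above and reports, for each "line vty" range, which transports it accepts and whether an inbound access-class restricts the source addresses. The two sample configs are constructed from the thread's fragments, with 10.0.0.0 standing in for the 10.x.x.x placeholder; the claim that a line with no "transport input" command accepts everything (classic IOS behaviour) is an assumption and is exposed as the default_transport parameter. It also converts the ACL's address/wildcard pair to a prefix, which is where the "0.0.127.255 vs 0.0.125.255" confusion in the question comes from: the first is a clean /17, the second is a discontiguous wildcard that IOS accepts but that is not a single prefix.

```python
"""Audit Cisco IOS 'line vty' stanzas for SSH-only, source-restricted access.
Added example, not from the thread; the sample configs below are constructed,
with 10.0.0.0 standing in for the poster's 10.x.x.x placeholder."""
import ipaddress
import re

# Constructed: the original poster's configuration.
ORIGINAL_CONFIG = """\
ip access-list extended SSH_ACCESS
 permit tcp 10.0.0.0 0.0.127.255 any eq 22
!
line vty 0 2
 access-class SSH_ACCESS in
line vty 3 4
 transport input none
line vty 5 15
 transport input none
"""

# Constructed: the fix the replies converge on (vty 0-4 SSH-only and ACL-bound,
# vty 5-15 closed in both directions).
HARDENED_CONFIG = """\
ip access-list extended SSH_ACCESS
 permit tcp 10.0.0.0 0.0.127.255 any eq 22
!
line vty 0 4
 access-class SSH_ACCESS in
 transport input ssh
line vty 5 15
 transport input none
 transport output none
"""


def parse_stanzas(config):
    """Split a config into (header, [sub-commands]); IOS indents sub-commands."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' separator
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            stanzas.append((raw.strip(), []))
    return stanzas


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard -> CIDR. ipaddress reads a mask whose first octet is
    zero as a host mask, so 10.0.0.0/0.0.127.255 -> 10.0.0.0/17. A discontiguous
    wildcard (legal in IOS, but not a single prefix) raises ValueError."""
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def is_contiguous_wildcard(wildcard):
    """True when the wildcard mask describes a single prefix."""
    try:
        wildcard_to_network("0.0.0.0", wildcard)
        return True
    except ValueError:
        return False


def defined_acls(config):
    """Names of the named ACLs present in the config."""
    return set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))


def audit_vty(config, default_transport="all"):
    """One dict per 'line vty' stanza with the problems found. default_transport is
    an assumption about what an unconfigured line accepts (classic IOS: all).
    Lines with 'transport input none' accept nothing and are not flagged."""
    acls = defined_acls(config)
    report = []
    for header, body in parse_stanzas(config):
        m = re.match(r"line vty (\d+)(?: (\d+))?$", header)
        if not m:
            continue
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        transport, acl = default_transport, None
        for cmd in body:
            t = cmd.split()
            if t[:2] == ["transport", "input"]:
                transport = " ".join(t[2:])
            elif t[0] == "access-class" and "in" in t[2:]:
                acl = t[1]
        problems = []
        if transport != "none":
            if set(transport.split()) != {"ssh"}:
                problems.append(f"non-SSH transport allowed: {transport}")
            if acl is None:
                problems.append("no inbound access-class: any source may connect")
            elif acl not in acls:
                problems.append(f"access-class {acl} names an ACL that is not defined")
        report.append({"lines": (first, last), "transport": transport,
                       "acl": acl, "problems": problems})
    return report
```

Running audit_vty(ORIGINAL_CONFIG) flags vty 0-2 only for "non-SSH transport allowed: all" (the ACL is applied, but with no "transport input ssh" Telnet is still accepted from the permitted subnet), and reports vty 3-4 and 5-15 as closed rather than as problems; audit_vty(HARDENED_CONFIG) reports nothing. On platforms whose unconfigured lines default to accepting nothing, pass default_transport="none".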

This Discussion
Posted July 21, 2011 at 1:48 AM
Replies: 3, Views: 2519
