07-21-2011 01:48 AM - edited 03-07-2019 01:19 AM
Hello,
Just a quick question if you don't mind.
We've got our switches and routers configured for using SSH only to be accessed on the vty lines.
Here is an example:
ip access-list extended SSH_ACCESS
permit tcp 10.x.x.x 0.0.127.255 any eq 22
line vty 0 2
access-class SSH_ACCESS in
line vty 3 4
transport input none
line vty 5 15
transport input none
Based on this configuration I can see that on vty 0, 1, and 2 only devices using the 10.x.x.x with subnet range 0.0.125.255 can access using SSH, my question is about vty 3, 4, and then 5-15?
I can also see that the transport input command doesn't specify SSH; shouldn't it say SSH if we only want SSH to be used to access the switches/routers on these VTY lines? And also, shouldn't the access-class SSH_ACCESS in be applied to the rest of the vty lines, not just 0 2?
Many thanks,
H
07-21-2011 02:06 AM
Hi,
Your vty lines 3 to 15 are not usable since you have "transport input none" configured there, so no protocols will be allowed as incoming.
To re-use those vty lines you should configure "transport input ssh" so that you can still have SSH access to the device on vty lines 3 to 15.
Your access-list here only helps to allow SSH connections from the 10.x network. If you want SSH connections only from the 10.x network, then apply the access-list on all vty lines. If any source may SSH in, then applying the access-list on the vty lines is not required.
Hope this helps.
Thanks
07-21-2011 05:42 AM
Try this instead
!
line vty 0 2
 access-class SSH_ACCESS in
 ! Allow only incoming SSH and NO Telnet
 transport input ssh
 ! Since you have a preference for ssh you can also use
 transport preferred ssh
 ! If you would also like to use the switch as a pivot point to get to other switches you can also use
 transport output ssh telnet
!
line vty 3 4
 access-class SSH_ACCESS in
 ! Allow only incoming SSH and NO Telnet
 transport input ssh
 ! Since you have a preference for ssh you can also use
 transport preferred ssh
 ! If you would also like to use the switch as a pivot point from these lines to get to other switches you can also use
 transport output ssh telnet
!
line vty 5 15
 transport input none
 ! If you would NOT like to use your switch as a pivot point from these lines
 transport output none
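The replies above boil down to three checks on every "line vty" block: any line that accepts inbound sessions should carry the access-class, telnet (or "all") should not appear in transport input, and "transport input none" makes a line unusable for inbound management. The following Python script runs those checks over a saved running-config. It is an added example, not from the original thread or from Cisco: the two sample configs are constructed, 10.0.0.0 0.0.127.255 stands in for the redacted 10.x.x.x network, and the issue codes are the script's own. A missing transport input is flagged rather than assumed to be "all", because the default set of inbound protocols varies between IOS versions.

```python
"""Audit Cisco IOS 'line vty' blocks for SSH-only access behind an access-class.

Both configs below are constructed for this example (not from a real device).
"""
import re

# Constructed: the original poster's layout, with 10.0.0.0 in place of the redacted 10.x.x.x
WEAK_CONFIG = """\
ip access-list extended SSH_ACCESS
 permit tcp 10.0.0.0 0.0.127.255 any eq 22
!
line vty 0 2
 access-class SSH_ACCESS in
!
line vty 3 4
 transport input none
!
line vty 5 15
 transport input none
"""

# Constructed: the layout the replies recommend (SSH only, ACL on every usable line)
FIXED_CONFIG = """\
ip access-list extended SSH_ACCESS
 permit tcp 10.0.0.0 0.0.127.255 any eq 22
!
line vty 0 4
 access-class SSH_ACCESS in
 transport input ssh
!
line vty 5 15
 transport input none
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")


def parse_blocks(config, header_re):
    """Return [(header_match, [sub-commands])] for each block whose header matches.

    IOS prints sub-commands indented by one space; any unindented line ends the block.
    """
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
            continue
        current = None
        m = header_re.match(line)
        if m:
            current = (m, [])
            blocks.append(current)
    return blocks


def audit_vty(config):
    """Return a list of (vty range, issue code) findings. Issue codes are this script's own."""
    findings = []
    acls = {m.group(1): cmds for m, cmds in parse_blocks(config, ACL_RE)}
    for m, cmds in parse_blocks(config, VTY_RE):
        rng = f"vty {m.group(1)}" + (f" {m.group(2)}" if m.group(2) else "")
        transport, access_class = None, None
        for c in cmds:
            parts = c.split()
            if parts[:2] == ["transport", "input"]:
                transport = parts[2:]
            elif parts[0] == "access-class" and "in" in parts[2:]:
                access_class = parts[1]
        if transport is None:
            # Default inbound protocols depend on the IOS version: flag, don't assume.
            findings.append((rng, "NO_TRANSPORT_INPUT"))
        elif transport == ["none"]:
            findings.append((rng, "INPUT_NONE"))  # informational: line cannot be used inbound
            continue
        elif "telnet" in transport or "all" in transport:
            findings.append((rng, "TELNET_ALLOWED"))
        if access_class is None:
            findings.append((rng, "NO_ACCESS_CLASS"))
        elif access_class not in acls:
            findings.append((rng, "ACL_UNDEFINED"))
        elif any(a.startswith("permit") and not a.endswith("eq 22") for a in acls[access_class]):
            findings.append((rng, "ACL_PERMITS_NON_SSH"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name)
        for rng, code in audit_vty(cfg):
            print(f"  {rng}: {code}")
```

Run against a real device, replace the sample strings with the output of "show running-config | section line vty|ip access-list". On the weak layout the script flags vty 0 2 for the unset transport input and reports 3 through 15 as unusable; on the fixed layout only the deliberately disabled 5 15 range is reported.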
07-21-2011 06:08 AM
Hi haidar,
What the previous posts said is right: you need to allow input ssh on the line vty to allow SSH access. Then you can restrict SSH access by defining rules (SSH_ACCESS) that permit only the required subnets or hosts, like below.
line vty 0 2
access-class SSH_ACCESS in
transport input ssh
Please rate the helpful posts.
Regards,
Naidu.