access-list restrict ssh traffic through router

Answered Question
Oct 28th, 2013

cisco 2651xm router

newbie:

I'm having difficulty trying to create an access-list that will restrict SSH traffic 'through' the router. I have port 22 forwarded from the WIC-ADSL card to the IP of a server on the LAN. I'd like to lock this down so that only specified IPs can get through to the server on port 22 and all other source IPs are blocked. Is this possible? I've searched on Google but can only find examples that deny IPs or globally deny or permit port traffic.

Correct Answer by daniel.dib about 3 years 9 months ago

Can you post your configuration? You need to enable ACLs on interfaces depending on the traffic flow. So you have an ADSL uplink and then a LAN interface? And you have forwarded port 22 to the LAN? Is the SSH coming over the WAN? You can apply ACL either inbound on WAN port or outbound on LAN port. Something like:


ip access-list extended DENY_SSH
  permit tcp ALLOWED_HOSTS LAN_NETWORK eq 22
  deny   tcp any any eq 22
  permit ip any any

int WAN
  ip access-group DENY_SSH in


You can get more granular with the ACL of course. If you give me the networks I could help you create the full ACL.



Daniel Dib
CCIE #37149


tonyspcrepairs Tue, 10/29/2013 - 09:15

Thanks for your response. The SSH is coming in from the WAN, which is via the WIC-1 ADSL card through the NAT and then to a LAN port to the server. I tried the config you gave but it shut off all access to the Internet, but maybe I did something wrong. Also, for the line:

permit tcp ALLOWED_HOSTS LAN_NETWORK eq 22

the router told me this was incomplete.

The config I used was:

ip access-list extended DENY_SSH
  permit tcp 0.0.0.0 eq 22 any
  deny   tcp any any eq 22
  permit ip any any

int dialer0
  ip access-group DENY_SSH in

Thanks for any further advice.

cadet alain Wed, 10/30/2013 - 03:57
User Badges:
  • Purple, 4500 points or more

Hi,

Replace "permit tcp 0.0.0.0 eq 22 any" by "permit tcp 0.0.0.0 any eq 22".

You configured the source port to 22, but it is the destination port, so as there was no match it hit line 20, so no SSH anymore. But I wonder how it blocked Internet access, as other reply traffic should have hit your last ACE with a permit any.


Regards


Alain



Don't forget to rate helpful posts.

tonyspcrepairs Wed, 10/30/2013 - 03:47

Addendum:

I managed to work it out (I had been doing it wrong). This is the config that worked:


ip access-list extended DENY_SSH
  permit tcp host any eq 22
  deny   tcp any any eq 22
  permit ip any any

(exit)

int dialer0
  ip access-group DENY_SSH in


thanks for your help on this.
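The two ACL variants from this thread, run through a small first-match evaluator so the source-port versus destination-port mistake is visible (added example, not code from the thread or from Cisco). The admin host and the router's public address are constructed placeholders; the evaluator also assumes, as IOS does for outside-to-inside traffic, that an inbound ACL on dialer0 is checked before NAT, so the destination the ACL sees is the public address rather than the LAN server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed sample addresses (not from the thread): the single admin host that
# may reach SSH, and the router's public address on dialer0.
ALLOWED_ADMIN = "203.0.113.10"
PUBLIC_IP = "198.51.100.2"

@dataclass
class Ace:  # src/dst: "any", "host A.B.C.D" or "A.B.C.D WILDCARD"; sport/dport: "eq N"
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.ip_address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.ip_address(parts[1]))
    net, wild = (int(ipaddress.ip_address(p)) for p in parts)
    mask = ~wild & 0xFFFFFFFF  # IOS wildcard: 1 bits are "don't care"
    return (a & mask) == (net & mask)
def evaluate(acl, pkt):
    """First matching ACE wins (numbered 10, 20, 30 as IOS does); implicit deny at the end."""
    for seq, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_match_addr(ace.src, pkt["src"]) and _match_addr(ace.dst, pkt["dst"])):
            continue
        if ace.sport is not None and ace.sport != pkt["sport"]:
            continue
        if ace.dport is not None and ace.dport != pkt["dport"]:
            continue
        return ace.action, seq * 10
    return "deny", None
TAIL = [Ace("deny", "tcp", "any", "any", dport=22), Ace("permit", "ip", "any", "any")]
# "permit tcp host <admin> eq 22 any": eq 22 sits on the SOURCE, so an SSH client
# (ephemeral source port) never matches and falls through to the deny at 20.
BROKEN = [Ace("permit", "tcp", f"host {ALLOWED_ADMIN}", "any", sport=22)] + TAIL
# "permit tcp host <admin> any eq 22": eq 22 on the DESTINATION, as intended.
FIXED = [Ace("permit", "tcp", f"host {ALLOWED_ADMIN}", "any", dport=22)] + TAIL

def inbound(src: str, sport: int, dport: int) -> dict:
    # Inbound on dialer0 the ACL is checked before NAT, so dst is the public IP.
    return {"proto": "tcp", "src": src, "dst": PUBLIC_IP, "sport": sport, "dport": dport}
```

Return traffic of a LAN user's web session (source port 443, high destination port) is permitted by the last ACE in both variants, which is the point Alain raises about the Internet outage.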

cadet alain Wed, 10/30/2013 - 03:58
User Badges:
  • Purple, 4500 points or more

Hi,


I see you found it out yourself. Happy you solved it.


Regards


Alain



Don't forget to rate helpful posts.
