12-13-2005 11:53 PM - edited 03-03-2019 11:13 AM
Hi,
I have an 1841 router with IOS 12.4(3a). This router is at the remote end and I want to access it with SSH (22/tcp). I have enabled the ACL for it and logged it.
The log shows permitted from my H.O global IP to the B.O (1841) global IP (22/tcp). But I get an error saying "Network Error: Connection refused".
I am using PuTTY application for SSH.
Log details from router:
%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1925) -> X.Y.Z.45(22), 1 packet
The HTTP secure server is enabled and an RSA key is set on the router.
Can somebody help with it please?
12-14-2005 12:35 AM
Hi,
Have you configured transport input ssh under the line vty mode?
That's required to allow SSH connections; by default only telnet is permitted on the line vty.
Regards
12-14-2005 01:14 AM
Thank you very much for the reply.
Yes, it is configured.
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address x.y.z.45 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any host x.y.z.45 eq 22 log
:
:
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport preferred all
transport input telnet ssh
transport output all
!
12-14-2005 05:03 AM
Hi,
Remote access with SSH is OK now after changing ACL 102. But the log for ACL 102 shows access from H.O (A.B.C.53) to IP address 0.0.0.0 (22).
Why is that? Is this a security flaw?
!
access-list 102 permit tcp any any eq 22 log
access-list 102 permit ip 172.29.96.0 0.0.0.31 any
access-list 102 deny ip any any
!
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport preferred all
transport input telnet ssh
transport output all
!
%SEC-6-IPACCESSLOGP: list 101 permitted tcp A.B.C.53(1625) -> X.Y.Z.45(22), 1 packet
%SEC-6-IPACCESSLOGP: list 102 permitted tcp A.B.C.53(1758) -> 0.0.0.0(22), 1 packet
12-14-2005 12:39 PM
It is really not a security flaw. It is the fact that you used a different kind of access list. The normal usage of access list for access-class on vty is to use a standard access list. A standard access list identifies a single address (or address range) that is permitted to have remote access. An extended access list makes the logic much more complex when it identifies two address ranges, which we usually interpret as source address and destination address.
One of the advantages of access-class is that the logic that applies it realizes that any address on the router might be the destination address. If you attempted to control remote access via access-group applied to interfaces, you would have to put in a line for every interface on the router with an IP address. The logic in access-class consolidates them into one check covering any access attempt to any interface on the router, and so it represents the destination as 0.0.0.0. It is a feature, not a flaw.
HTH
Rick
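To make the point above concrete, here is an added example (not from this thread or from Cisco) in Python: it parses log lines in the %SEC-6-IPACCESSLOGP format shown in the thread, treats 0.0.0.0 as the expected destination for an ACL applied with access-class on the vty, and flags permitted vty hits whose source is outside an assumed management allowlist. ACL number 102 and the 172.29.96.0/27 range come from the thread; the sample addresses and log lines are constructed stand-ins for A.B.C.53 and X.Y.Z.45.

```python
import ipaddress
import re

# Constructed sample log lines in the thread's %SEC-6-IPACCESSLOGP format.
# RFC 5737 documentation addresses stand in for the thread's A.B.C.53 / X.Y.Z.45.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.53(1625) -> 192.0.2.45(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 permitted tcp 198.51.100.53(1758) -> 0.0.0.0(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 permitted tcp 203.0.113.9(40001) -> 0.0.0.0(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.77(40002) -> 0.0.0.0(22), 1 packet",
]

# ACL numbers applied with access-class on the vty lines (assumed from the thread's config).
VTY_ACLS = {"102"}

# Sources expected to manage the router: 172.29.96.0/27 is the thread's
# "172.29.96.0 0.0.0.31" entry; 198.51.100.53 is the assumed head-office address.
MGMT_SOURCES = [ipaddress.ip_network("172.29.96.0/27"), ipaddress.ip_network("198.51.100.53/32")]

LOG_RE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) ?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_log(line):
    """Return the ACL log fields as a dict, or None if the line is not an IPACCESSLOGP entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def classify(entry):
    """Explain the destination field and flag permitted vty hits from outside the management sources."""
    is_vty = entry["acl"] in VTY_ACLS
    if is_vty and entry["dst"] != "0.0.0.0":
        scope = "unexpected: vty ACL logged a concrete destination"
    elif is_vty:
        scope = "vty (access-class): 0.0.0.0 means any router address, not a flaw"
    else:
        scope = "interface (access-group): real destination address"
    trusted = any(ipaddress.ip_address(entry["src"]) in net for net in MGMT_SOURCES)
    alert = entry["action"] == "permitted" and is_vty and not trusted
    return {"scope": scope, "trusted_source": trusted, "alert": alert}

def review(lines):
    """Parse each log line and return (entry, verdict) pairs for the ACL hits found."""
    return [(e, classify(e)) for e in map(parse_log, lines) if e]

if __name__ == "__main__":
    for entry, verdict in review(SAMPLE_LOGS):
        flag = "ALERT" if verdict["alert"] else "ok"
        print(f"[{flag}] list {entry['acl']} {entry['action']} {entry['src']} -> "
              f"{entry['dst']}:{entry['dport']} | {verdict['scope']}")
```

The alert is raised only for a permitted vty hit from an untrusted source, which is exactly what `permit tcp any any eq 22` on ACL 102 allows; a standard ACL listing only the management addresses would avoid that.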
12-14-2005 04:56 PM
Thank you very much for the explanation.