Cisco Support Community
access-list restrict ssh traffic through router

Cisco 2651XM router

newbie:

I'm having difficulty trying to create an access-list that will restrict SSH traffic 'through' the router. I have port 22 forwarded from the WIC-ADSL card to the IP of a server on the LAN. I'd like to lock this down so that only specified IPs can get through to the server on port 22 and all other source IPs are blocked. Is this possible? I've searched on Google but can only find examples that deny IPs or globally deny or permit port traffic.

1 ACCEPTED SOLUTION


access-list restrict ssh traffic through router

Can you post your configuration? You need to enable ACLs on interfaces depending on the traffic flow. So you have an ADSL uplink and then a LAN interface? And you have forwarded port 22 to the LAN? Is the SSH coming over the WAN? You can apply ACL either inbound on WAN port or outbound on LAN port. Something like:

ip access-list extended DENY_SSH
  permit tcp ALLOWED_HOSTS LAN_NETWORK eq 22
  deny   tcp any any eq 22
  permit ip any any

int WAN
  ip access-group DENY_SSH in

You can get more granular with the ACL of course. If you give me the networks I could help you create the full ACL.

Daniel Dib
CCIE #37149

5 REPLIES


access-list restrict ssh traffic through router

Thanks for your response. The SSH is coming in from the WAN, via the WIC-1 ADSL card, through the NAT and then to a LAN port to the server. I tried the config you gave but it shut off all access to the Internet, but maybe I did something wrong. Also, for the line:

permit tcp ALLOWED_HOSTS LAN_NETWORK eq 22

the router told me this was incomplete.

The config I used was:

ip access-list extended DENY_SSH
  permit tcp 0.0.0.0 eq 22 any
  deny   tcp any any eq 22
  permit ip any any

int dialer0
  ip access-group DENY_SSH in

Thanks for any further advice.


access-list restrict ssh traffic through router

Hi,

Replace 'permit tcp 0.0.0.0 eq 22 any' with 'permit tcp 0.0.0.0 any eq 22'.

You configured the source port as 22, but it is the destination port, so as there was no match it hit line 20, hence no SSH anymore. But I wonder how it blocked Internet access, as other reply traffic should have hit your last ACE with a permit any.

Regards

Alain

Don't forget to rate helpful posts.
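Added example, not code from the thread or from Cisco: a small Python model of how IOS walks an extended ACL (first match wins, implicit deny at the end), to show why an 'eq 22' written right after the source address, as in the attempt above that cut off SSH, only ever matches source port 22 and never an inbound SSH connection, while 'eq 22' after the destination address does. Addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One ACE in the order IOS reads it: action proto SRC [eq port] DST [eq port]."""
    action: str                      # "permit" or "deny"
    src: str                         # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    src_port: Optional[int] = None   # an 'eq' written right after the SOURCE address
    dst_port: Optional[int] = None   # an 'eq' written right after the DESTINATION address

def match_addr(spec: str, addr: str) -> bool:
    """Cisco address matching: 'any', 'host X', or network + wildcard (1 bits = don't care)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst, sport, dport):
    """First matching ACE wins (sequence 10, 20, ...); anything unmatched hits the implicit deny."""
    for seq, ace in enumerate(acl, start=1):
        if (match_addr(ace.src, src) and match_addr(ace.dst, dst)
                and ace.src_port in (None, sport) and ace.dst_port in (None, dport)):
            return ace.action, seq * 10
    return "deny", "implicit"
# Constructed addresses (RFC 5737 documentation ranges): the one admin host allowed to SSH in,
# some other Internet host, and the router's public address on the dialer interface.
ADMIN, OTHER, PUBLIC_IP = "203.0.113.10", "198.51.100.7", "192.0.2.1"
# The first attempt from the thread: 'eq 22' after the source, so it matches SOURCE port 22.
BROKEN_ACL = [
    Ace("permit", f"host {ADMIN}", "any", src_port=22),
    Ace("deny", "any", "any", dst_port=22),
    Ace("permit", "any", "any"),
]
# Alain's correction: 'eq 22' after the destination, so it matches DESTINATION port 22.
FIXED_ACL = [
    Ace("permit", f"host {ADMIN}", "any", dst_port=22),
    Ace("deny", "any", "any", dst_port=22),
    Ace("permit", "any", "any"),
]

if __name__ == "__main__":
    # An inbound SSH SYN has a random source port and destination port 22.
    print("broken:", evaluate(BROKEN_ACL, ADMIN, PUBLIC_IP, 51234, 22))  # ('deny', 20)
    print("fixed: ", evaluate(FIXED_ACL, ADMIN, PUBLIC_IP, 51234, 22))   # ('permit', 10)
```

An ACL applied inbound on the dialer interface is evaluated before NAT, so the destination the router compares is its own public address rather than the LAN server, which is why the destination in this model is 'any'.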

access-list restrict ssh traffic through router

Addendum:

I managed to work it out (I had been doing it wrong). This is the config that worked:

ip access-list extended DENY_SSH
  permit tcp host any eq 22
  deny   tcp any any eq 22
  permit ip any any
  exit

int dialer0
  ip access-group DENY_SSH in

Thanks for your help on this.


access-list restrict ssh traffic through router

Hi,

I see you found it out by yourself. Happy you solved it.

Regards

Alain

Don't forget to rate helpful posts.