ACL to restrict ssh on Cisco ASR

mahesh18
Level 6

Hi Everyone,

 

Need to confirm on Cisco ASR which is accessible via management interface

sho ip vrf interfaces
Interface    IP-Address    VRF          Protocol
Gi0          10.x.x.x      Mgmt-intf    up

 

But it seems all other interfaces with public IPs also respond to SSH requests from the outside world.

To fix this I can configure a standard ACL like

ip access-list standard SSH-ACCESS
 permit 10.1.2.x 0.0.0.255

then under

line vty 0 15
 access-class SSH-ACCESS in

or do I need
line vty 0 4
 access-class SSH-ACCESS in vrf-also?

This should block login prompt to outside world right?

Regards
Mahesh




 

 

 

 


6 Replies

Hi

That is correct, it should work as you expect. 

in vrf-also; it is used if you are going to reach it via any IP into a VRF.

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Do I need vrf-also in the config under vty?

Hi

That is not required if you are using the global table, but if you are going to reach the device through any IP address into a specific VRF, yes you need to include it. 

Check this link:

https://www.cisco.com/c/en/us/support/docs/ip/telnet/200718-Configure-Telnet-SSH-Access-to-Device-wi.html

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Reza Sharifi
Hall of Fame

Hi Mahesh,

When you log in to the router from the outside (Internet), you are not logging in using IP 10.x.x.x.

You are most likely using the outside interface on the router with the public IP that connects to the provider.

Can you verify?

If yes, you just need an ACL in the "in" direction on the public interface on the router, so no one can log in from outside. Is that what you are trying to do?

Reza

 

Hi Reza,

I am logging into the router via the management network, which has a VRF and an IP in subnet 10.0.0.x.
We do not need anyone to get a login prompt for SSH login if someone from outside wants to SSH to the router on its public IP address.

Regards
Mahesh

OK, then what you have should work, and there is no need for an ACL for the VRF.

What confused me was this statement:

"This should block login prompt to outside world right?"

Good luck
Reza
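
An added example, not part of the thread and not Cisco's code: a small Python audit of an IOS-style config for the two points raised here, namely whether every vty line (0-15, not only 0-4) carries an inbound access-class and whether vrf-also is present when an interface sits in a VRF. The sample config, its addresses and the function name `audit_vty` are constructed for illustration.

```python
import re

# Constructed sample config modelled on the thread; addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.0.0.5 255.255.255.0
!
ip access-list standard SSH-ACCESS
 permit 10.1.2.0 0.0.0.255
!
line vty 0 4
 access-class SSH-ACCESS in
 transport input ssh
line vty 5 15
 transport input ssh
"""

VTY_STANZA = re.compile(r"^line vty (\d+)(?: (\d+))?\n((?:[ \t].*\n?)*)", re.M)
ACCESS_CLASS = re.compile(r"^\s+access-class (\S+) in( vrf-also)?\s*$", re.M)

def audit_vty(config, total_vty=16):
    """Return a list of findings about inbound vty filtering in an IOS-style config."""
    findings = []
    # Any interface placed in a VRF (the thread's management port is in Mgmt-intf).
    uses_vrf = bool(re.search(r"^\s+(?:ip )?vrf forwarding \S+", config, re.M))
    named_acls = set(re.findall(r"^ip access-list \w+ (\S+)", config, re.M))
    protected = set()
    for m in VTY_STANZA.finditer(config):
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        ac = ACCESS_CLASS.search(m.group(3))
        if not ac:
            continue  # counted below as unprotected lines
        protected.update(range(first, last + 1))
        acl, vrf_also = ac.group(1), ac.group(2)
        if not acl.isdigit() and acl not in named_acls:
            findings.append(f"vty {first}-{last}: ACL {acl} is not defined")
        # Cisco documents vrf-also as accepting connections from VRF interfaces.
        if uses_vrf and not vrf_also:
            findings.append(f"vty {first}-{last}: access-class lacks vrf-also")
    unprotected = sorted(set(range(total_vty)) - protected)
    if unprotected:
        lines = ",".join(map(str, unprotected))
        findings.append(f"vty lines without inbound access-class: {lines}")
    return findings

if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running config; an empty list means every vty line has an inbound access-class and, where a VRF is in use, the vrf-also keyword.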

 
