10-04-2017 06:17 PM - edited 03-08-2019 12:16 PM
Hi Everyone,
I need to confirm something on a Cisco ASR which is accessible via the management interface:
show ip vrf interfaces
Interface IP-Address VRF Protocol
Gi0 10.x.x.x Mgmt-intf up
But it seems all the other interfaces with public IPs also respond to SSH requests from the outside world.
To fix this I can configure a standard ACL like
ip access-list standard SSH-ACCESS
 permit 10.1.2.x 0.0.0.255
then under the vty lines
line vty 0 15
 access-class SSH-ACCESS in
or do I need the vrf-also keyword:
line vty 0 4
 access-class SSH-ACCESS in vrf-also
This should block the login prompt from the outside world, right?
Regards
Mahesh
10-04-2017 06:22 PM - edited 10-04-2017 06:24 PM
Hi
That is correct, it should work as you expect.
in vrf-also; it is used if you are going to reach it via any IP into a VRF.
:-)
10-04-2017 06:24 PM
Do I need vrf-also in the config under vty?
10-04-2017 06:25 PM - edited 10-04-2017 06:27 PM
Hi
That is not required if you are using the global table, but if you are going to reach the device through any IP address into a specific VRF, yes you need to include it.
Check this link:
:-)
10-04-2017 06:25 PM
Hi Mahesh,
When you log in to the router from the outside (Internet) you are not logging in using IP 10.x.x.x.
You are most likely using the outside interface on the router with public IP which connects to the provider.
Can you verify?
If yes, you just need an acl in "in" direction on the public interface on the router, so no one can login from outside. Is that what you are trying to do?
Reza
10-04-2017 06:35 PM
Ok, then what you have should work and no need for an ACL for the VRF.
What confused me was this statement
This should block login prompt to outside world right?
Good Luck
Reza
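Added example, not from this thread or from Cisco: a small Python audit that reads a running-config fragment and reports vty lines that answer SSH with no access-class, plus an access-class that lacks vrf-also while the management port sits in a VRF (as Gi0 does here in Mgmt-intf), which IOS then refuses rather than filters. The config fragments, interface name and the 16-line vty pool are constructed assumptions.

```python
import re

# Constructed running-config fragments (not from the thread): management port
# in a VRF plus the standard ACL of permitted SSH sources, shared by both cases.
BASE_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
ip access-list standard SSH-ACCESS
 permit 10.1.2.0 0.0.0.255
"""
# Weak: ACL only on vty 0-4 and without vrf-also; vty 5-15 stay unfiltered.
WEAK_CONFIG = BASE_CONFIG + """\
line vty 0 4
 access-class SSH-ACCESS in
line vty 5 15
 transport input ssh
"""
# Fixed: every vty covered, vrf-also because management arrives via a VRF.
FIXED_CONFIG = BASE_CONFIG + """\
line vty 0 15
 access-class SSH-ACCESS in vrf-also
 transport input ssh
"""

def parse_vty(config):
    """Map each vty number to (acl_name, vrf_also), or None when unfiltered."""
    vty, current = {}, []
    for raw in config.splitlines():
        head = re.match(r"line vty (\d+)(?: (\d+))?$", raw)
        if head:
            lo, hi = int(head.group(1)), int(head.group(2) or head.group(1))
            current = list(range(lo, hi + 1))
            vty.update({n: vty.get(n) for n in current})
        elif raw.startswith(" "):
            acl = re.match(r"\s+access-class (\S+) in( vrf-also)?$", raw)
            if acl:
                for n in current:
                    vty[n] = (acl.group(1), acl.group(2) is not None)
        else:
            current = []  # left the 'line vty' block
    return vty

def audit_vty(config, vty_count=16):
    """Flag unfiltered vtys, and access-class without vrf-also on a VRF-managed box."""
    vty = parse_vty(config)
    via_vrf = re.search(r"^\s+(ip )?vrf forwarding \S+", config, re.M) is not None
    findings = []
    for n in range(vty_count):
        entry = vty.get(n)
        if entry is None:
            findings.append(f"vty {n}: no access-class, SSH answered from any interface")
        elif via_vrf and not entry[1]:
            findings.append(f"vty {n}: access-class lacks vrf-also, VRF-side sessions refused")
    return findings
```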