Cisco Support Community
New Member

Access restriction to router

I have a Cisco 3845 and I am trying to block access from the outside interface (Internet facing) and only grant access from the inside (private address). I am doing this with the SDM but I get a message saying:

"SDM has detected some unsupported ACEs in the VTY lines".

What does that mean?

How can I resolve this issue?

4 REPLIES
Hall of Fame Super Gold

Re: Access restriction to router

Roni

I am not sure what that message really means and not sure what to do in SDM to fix it. But it is easy to fix from the command line instead of SDM. To restrict who can telnet or SSH to the router you would create a standard access list and in that access list you would permit the inside addresses that you want to be able to telnet or SSH to the router. Perhaps it might look like this:

access-list 50 permit 10.10.10.0 0.0.0.255

and then you put this command under the vty lines:

access-class 50 in

The access class is used to restrict the IP addresses that can do remote access to the router.

HTH

Rick

New Member

Re: Access restriction to router

Thank you Rick!!!

New Member

Re: Access restriction to router

Rick, here's my vty lines:

line con 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 3
 access-class 23 in
 privilege level 15
 password *******
 login
 transport input telnet
line vty 4
 privilege level 15
 password *******
 login
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet

1) Not sure where this came from: access-class 23 in

2) Do I really need all these vty lines?

Hall of Fame Super Gold

Re: Access restriction to router

Roni

The access-class 23 in came from SDM. It is part of the default config supplied with SDM (which also puts the privilege level 15 on the VTYs and the username cisco).

If you want you could delete access-list 23 and recreate it as the access list to use with access-class. Or you could remove access-list 23 and create some other standard access list to identify the private addresses which you want to be able to access the router (the access-list 50 suggested in my previous post).

Do you really need all these VTYs? Well that depends a bit on what you are doing with the router. But probably you do not need all of these. The original standard for VTY was to have 5 (line vty 0 4). Now some of the platforms (or maybe it is the version of IOS) create 16 VTYs (vty 0 15). You are able to delete vty 5 through 15. I do not believe that you can delete vty 0 4.

One other thing to mention. The configuration of vty 0 3 has the privilege level 15 command which will automatically put the person who logs in at privilege mode (the default config also does that for vty 4 but that appears to have been removed in your config). In general I do not like to have people go automatically to privilege mode. I prefer that they log in at user level and if they need privilege level then they should authenticate to privilege level. If you like to have them go directly to privilege level then leave it in the config. But if you want them to have to authenticate to the privilege level then remove the command privilege level 15 from the vty lines.

HTH

Rick
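Putting Rick's two replies together (the access-list/access-class mechanism from the first, and the cleanup of the SDM-generated ACL 23, the extra VTYs and the privilege level 15 lines from the second), here is an added example of the resulting configuration. It is not from the original thread and is not Cisco's or SDM's own default. It assumes 10.10.10.0/24 is the inside management subnet (as in the access-list 50 suggestion), that the router already has a hostname, ip domain-name and an RSA key pair (crypto key generate rsa) so that SSH can replace telnet, and it uses placeholder secrets in angle brackets.

```cisco
! Added example (not from the original thread). Assumed: management subnet
! 10.10.10.0/24; hostname, ip domain-name and RSA key pair already present.
!
! 1. Standard ACL naming the only sources allowed to open a VTY session.
!    Standard ACLs match on source address only; wildcard 0.0.0.255 covers
!    the whole /24. The explicit "deny any log" records rejected attempts;
!    the implicit deny at the end of every ACL would drop them silently.
access-list 50 remark Management hosts allowed to reach the VTY lines
access-list 50 permit 10.10.10.0 0.0.0.255
access-list 50 deny   any log
!
! 2. Remove the SDM-generated ACL and default account so they are not left
!    behind, and require a separate secret for privileged (enable) mode.
!    Secrets in angle brackets are placeholders.
no access-list 23
no username cisco
username admin secret <strong-user-secret>
enable secret <strong-enable-secret>
service password-encryption
!
! 3. Drop vty 5-15 and configure vty 0 4 consistently. "access-class 50 in"
!    filters inbound sessions ("out" would instead limit where users already
!    on the router may telnet to). Sessions must use SSH, users authenticate
!    against the local database and land at privilege level 1 (so "enable"
!    is required for privileged mode), and idle sessions time out.
no line vty 5 15
line vty 0 4
 access-class 50 in
 no privilege level 15
 no password
 login local
 transport input ssh
 exec-timeout 10 0
!
ip ssh version 2
```

Apply this from the console, or at least keep the current session open until a new SSH login from a permitted host succeeds: anything not matched by the permit line, including the workstation you are configuring from if it sits outside 10.10.10.0/24, is cut off as soon as access-class takes effect. Verify with show access-lists 50 (the deny counter and the logged messages show rejected attempts), show line vty 0 4 and show users. Note that access-class only governs the VTY lines; the HTTP/HTTPS server that SDM itself uses is restricted separately with ip http access-class, so if the goal is to keep all management off the outside interface that needs the same ACL applied as well.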
