I have a Cisco3845 and I am trying to block access from the outside interface (Internet facing) and only grant access from the inside (private address). I am doing this with the SDM but I get a message saying:
"SDM has detected some unsupported ACEs in the VTY lines".
I am not sure what that message really means and not sure what to do in SDM to fix it. But it is easy to fix from the command line instead of SDM. To restrict who can telnet or SSH to the router you would create a standard access list and in that access list you would permit the inside addresses that you want to be able to telnet or SSH to the router. Perhaps it might look like this:
access-list 50 permit 10.10.10.0 0.0.0.255
and then you put this command under the vty lines:
access-class 50 in
The access class is used to restrict the IP addresses that can do remote access to the router.
The access-class 23 in came from SDM. It is part of the default config supplied with SDM (which also puts the privilege level 15 on the VTYs and the username cisco).
If you want you could delete access-list 23 and recreate it as the access list to use with access-class. Or you could remove access-list 23 and create some other standard access list to identify the private addresses which you want to be able to access the router (the access-list 50 suggested in my previous post).
Do you really need all these VTYs? Well, that depends a bit on what you are doing with the router. But probably you do not need all of these. The original standard for VTY was to have 5 (line vty 0 4). Now some of the platforms (or maybe it is the version of IOS) create 16 VTYs (vty 0 15). You are able to delete vty 5 through 15. I do not believe that you can delete vty 0 4.
One other thing to mention. The configuration of vty 0 3 has the privilege level 15 command, which will automatically put the person who logs in at privilege mode. (The default config also does that for vty 4, but that appears to have been removed in your config.) In general I do not like to have people go automatically to privilege mode. I prefer that they log in at user level and, if they need privilege level, then they should authenticate to privilege level. If you like to have them go directly to privilege level then leave it in the config. But if you want them to have to authenticate to the privilege level then remove the command privilege level 15 from the vty lines.
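The pieces above (a standard access list, access-class on the VTY lines, dropping the SDM access-list 23, deleting vty 5 15, and removing privilege level 15) fit together like this. This is an added example, not configuration from the thread or from Cisco; it assumes the inside network is 10.10.10.0/24 as in the earlier post, that SSH is already working on the router (if it is not, leave the transport input line out or telnet access is lost), and uses REPLACE-ME where a secret belongs.

```cisco
! --- before: SDM-style defaults (weak) ---
! Every VTY lands the user at privilege 15 and filters on the SDM list 23.
access-list 23 permit 10.10.10.0 0.0.0.255
username cisco privilege 15 secret REPLACE-ME
line vty 0 4
 privilege level 15
 access-class 23 in
 login local
line vty 5 15
 privilege level 15
 access-class 23 in
 login local
!
! --- after: hardened ---
! 1. Standard ACL naming only the inside addresses allowed to reach the VTYs.
!    The implicit "deny any" at the end rejects every other source, so anything
!    arriving on the Internet-facing interface is refused at the line.
access-list 50 remark Management access to VTY lines
access-list 50 permit 10.10.10.0 0.0.0.255
!
! 2. Apply the new list to the VTYs that stay, then delete the extra VTYs and
!    the SDM list once nothing references it. Make this change from the console
!    or from a 10.10.10.0/24 host so the session applying it is not cut off.
!    "transport input ssh" goes beyond the thread: it turns off telnet on these
!    lines and assumes SSH is already configured.
line vty 0 4
 access-class 50 in
 no privilege level 15
 login local
 transport input ssh
!
no line vty 5 15
no access-list 23
!
! 3. With "privilege level 15" gone, users start in user EXEC and must run
!    "enable" against the enable secret to reach privileged mode. Note that a
!    local user defined with "privilege 15" still lands at level 15 under
!    "login local", so drop that keyword from the username too.
enable secret REPLACE-ME
no username cisco
username admin secret REPLACE-ME
```

Verify the result with `show running-config | section line vty` (the surviving lines should show `access-class 50 in` and no `privilege level 15`) and `show access-lists 50`, whose hit counters climb only for connections from the permitted inside range.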