ACL for SSH

hbell (Level 1)

I have taken a cut at this multiple times and have not been able to work it out, so any help would be greatly appreciated.

I have a 3650 with one interface connected to our ISP's router and another interface connected to our UTM and the internal network. I want to be able to make an SSH connection to the switch, but only from a single host on the internal network, blocking all other connections, whether external or internal. I have created this ACL and applied it to vty 0 4 and vty 5 15:

ip access-list extended manage-SSH
permit tcp 192.168.x.x 0.0.255.255 any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet

However, it does not seem to be working. I still get authentication attempts from external probers:

*Mar 21 09:24:33.906: %SEC_LOGIN-1-QUIET_MODE_ON: Still time left for watching failures is 0 secs, [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] [ACL: manage-SSH] at 09:24:33 UTC Thu Mar 21 2024

Can anyone see what I am doing wrong?

Accepted Solution

Can you apply an ACL to the ISP interface that denies TCP traffic to port 22 and allows other traffic?

MHM


6 Replies


Thanks! This proves to be the most efficient and effective way of accomplishing what I need to accomplish.

liviu.gheorghe (Spotlight)

Hello @hbell ,

The access-list is wrong. It should be as follows if access is permitted only from one IP:

ip access-list extended manage-SSH
permit tcp 192.168.x.x 0.0.0.0 any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet

line vty 0 4
 access-class manage-SSH in

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

M02@rt37 (VIP)

Hello @hbell 

Since you need to permit one host, use the 'host' command on your permit rule:

ip access-list extended manage-SSH
permit tcp host 192.168.x.x any eq 22
deny tcp any any eq 22
deny tcp any any eq www
deny tcp any any eq telnet

Apply this named extended ACL on VTY in inbound.

Please re-test.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello,

Since all access lists have an implicit 'deny all' at the end, all you really need is this:

ip access-list extended SSH_ACCESS
permit tcp host <internal_host_IP> any eq 22

line vty 0 15
access-class SSH_ACCESS in
transport input ssh

>>> *Mar 21 09:24:33.906: %SEC_LOGIN-1-QUIET_MODE_ON: Still time left for watching failures is 0 secs, [user: ] [Source: x.x.x.x] [localport: 22] [Reason: Login Authentication Failed] [ACL: manage-SSH] at 09:24:33 UTC Thu Mar 21 2024 <<<

The ACL manage-SSH on the VTY lines does not prevent probes from being made, but it makes sure they cannot be completed.
If you do not want this logged, you may add an explicit deny statement in the ACL with the "nolog" keyword.

Alternatively, you can define an ACL applied to the ISP lines (not the VTY) that blocks SSH traffic to the outside IP of the device.
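As an added illustration (not code from this thread or from Cisco), here is a small Python model of how IOS evaluates the extended ACLs discussed above: wildcard-mask matching, first-match-wins, and the implicit deny at the end. It shows why the original `0.0.255.255` wildcard permits every host in 192.168.0.0/16 while the `host` form permits exactly one; 192.168.10.5, 192.168.200.77 and 203.0.113.9 are constructed sample addresses standing in for the thread's x.x placeholders.

```python
import ipaddress

# Port names used in the thread's ACLs, mapped to TCP port numbers
PORTS = {"22": 22, "ssh": 22, "www": 80, "telnet": 23}
ANY = (0, 0xFFFFFFFF)  # (network, wildcard): an all-ones wildcard matches every address

def _addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return ((net, wild), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    net, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    return (net, wild), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny tcp <src> <dst> [eq PORT]' into (action, src, dst, port)."""
    tokens = line.split()
    src, rest = _addr(tokens[2:])                 # tokens[1] is the protocol (tcp)
    dst, rest = _addr(rest)
    port = PORTS[rest[1]] if rest[:1] == ["eq"] else None   # None means any port
    return tokens[0], src, dst, port

def _covers(spec, addr):
    """Wildcard-mask match: 0 bits in the wildcard must match, 1 bits are ignored."""
    net, wild = spec
    mask = wild ^ 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & mask) == (net & mask)

def evaluate(acl_lines, src, dst="192.0.2.1", port=22):
    """First matching entry wins; no match falls through to the implicit 'deny all'."""
    for action, s, d, p in map(parse_ace, acl_lines):
        if _covers(s, src) and _covers(d, dst) and (p is None or p == port):
            return action
    return "deny"

# Constructed sample: 192.168.10.5 stands in for the thread's 192.168.x.x management host.
ORIGINAL_ACL = [
    "permit tcp 192.168.10.5 0.0.255.255 any eq 22",   # wildcard 0.0.255.255 = all of 192.168.0.0/16
    "deny tcp any any eq 22",
    "deny tcp any any eq www",
    "deny tcp any any eq telnet",
]
HOST_ACL = ["permit tcp host 192.168.10.5 any eq 22"]  # 'host' = wildcard 0.0.0.0; implicit deny does the rest
```

Running `evaluate(ORIGINAL_ACL, "192.168.200.77")` returns "permit" even though that is not the management host, while `evaluate(HOST_ACL, "192.168.200.77")` falls through to the implicit "deny".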