How to deny access to router from public networks

MatthiasGTW
Level 1

Hello experts!

I have a Cisco router set up to allow telnet and ssh login via these lines:

line vty 0 4
privilege level 15
login local
transport input telnet ssh

Is there an easy way to deny this access from any public or outside network?

I want to be able to log in only from our internal LANs (192.168.0.x and 192.168.1.x).

Thanks in advance for your help!

Kind regards, Matthias

4 Replies

Jennifer Halim
Cisco Employee

Sure, just create an ACL to allow the private subnets as follows:

access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 5 in

Hope that helps.

Hello halijenn,

That worked very well, thanks. Is it also possible to apply this access-list to the internal web-server of the router?

It is set up as:

ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

But these commands are outside of any "line" or "interface" -- how can I apply an access-list anyway?

Thanks again!

Yes sure.

The command is:

ip http access-class 5

Great, thanks a lot!
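
As an added example (not code from the thread or from Cisco): a Python check that a saved running-config applies an inbound access-class to every vty range and an access-class to the HTTP server, and that evaluates the standard ACL's wildcard masks against a source address. The sample config is constructed; its `line vty 5 15` block is an assumption, included to show a range that `line vty 0 4` does not cover.

```python
import ipaddress
import re

# Constructed sample running-config (not from the thread): vty 0 4 is
# restricted as in the answer above, vty 5 15 and the HTTP server are not.
SAMPLE_CONFIG = """\
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
ip http server
ip http secure-server
line vty 0 4
 access-class 5 in
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def acl_permits(config, acl, source):
    """Check a source IP against 'permit <net> <wildcard>' entries; no match means implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    pattern = rf"^access-list {acl} permit (\S+) (\S+)$"
    for net, wildcard in re.findall(pattern, config, re.M):
        # Wildcard bits set to 0 must match; bits set to 1 are ignored.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (int(ipaddress.IPv4Address(net)) & care):
            return True
    return False

def audit(config):
    """Return findings for management access paths that lack an access-class."""
    findings = []
    # A 'line vty' block is its header plus the indented lines that follow.
    for header, body in re.findall(r"^(line vty [\d ]+)\n((?: .*\n?)*)", config, re.M):
        if not re.search(r"^ access-class \S+ in", body, re.M):
            findings.append(f"{header.strip()}: no inbound access-class")
    http_on = re.search(r"^ip http (secure-)?server$", config, re.M)
    if http_on and not re.search(r"^ip http access-class \S+", config, re.M):
        findings.append("ip http server: no ip http access-class")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    for ip in ("192.168.1.20", "203.0.113.7"):
        print(ip, "permitted" if acl_permits(SAMPLE_CONFIG, 5, ip) else "denied")
```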
