
New Member

Access-list for no ssh/telnet access

Hi,

I want to deny telnet and ssh access to a outside router interface but, allow ssh to other inside interfaces. How do I go about doing that with cli?

Thanks, Pat.

7 REPLIES
Gold

Access-list for no ssh/telnet access

hi,

access-list 105 deny tcp any host [10.10.10.1 interface ip] eq 23
access-list 105 permit ip any any

then apply it in the input direction on the interface where you expect the incoming traffic to be denied.

example:

int f0/0
ip access-group 105 in

Hope it Helps,

Soroush.

New Member

Access-list for no ssh/telnet access

Hi Pat,

You can create an extended, named access list with two deny sequences and then add a permit any any sequence at the end. Once you have done that you can apply it inbound to the router interface you want.

Example:

conf t
ip access-list extended Marsupilami
 5 deny tcp any any eq telnet
 10 deny (blablabla)
 15 permit (blablabla)
exit
interface (your interface)
 ip access-group Marsupilami in
end

You can also have a look at the link below which explains everything in detail.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Regards,

Nate


Hall of Fame Super Silver

Access-list for no ssh/telnet access

Pat

I am not clear what you are trying to achieve. It sort of sounds like if the router had an outside interface of FastEth0/0 and an inside interface of FastEth0/1, you want to deny telnet and SSH to the address of FastEth0/0 and permit access to the address of FastEth0/1. If that is the case then a config something like this would do it:

interface fasteth0/0
 ip address 100.100.100.1 255.255.255.128
 ip access-group 151 in

interface fasteth0/1
 ip address 192.168.100.1 255.255.255.0
 ip access-group 151 in

access-list 151 deny tcp any host 100.100.100.1 eq 22
access-list 151 deny tcp any host 100.100.100.1 eq 23
access-list 151 permit ip any any

Note that to be effective this access list needs to be applied to each interface.

But I do not see many people with requirements to restrict access based on destination interface, and find that most people have requirements that restrict access based on where the access originates. If that is what you want to achieve then a configuration sort of like this should work:

access-list 66 permit 192.168.100.0 0.0.0.255
access-list 66 deny any

line vty 0 4
 access-class 66 in

Note that this uses a standard access list rather than an extended access list, and that the access list is applied to the vty using access-class and not to interfaces using ip access-group.

HTH

Rick
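As an added example (not code from the thread), here is a small Python evaluator for the two access lists Rick posted, run against constructed sample hosts (203.0.113.5 as an Internet client, 192.168.100.20 as a LAN client). It shows why the two designs differ: the destination-based ACL 151 denies SSH only to the address it names and still permits it to the router's other address, while the source-based access-class 66 rejects every non-LAN source regardless of which router address is contacted.

```python
from ipaddress import IPv4Address

# Constructed sample input: the two access lists from Rick's reply, reproduced as text.
ACL_151 = """access-list 151 deny tcp any host 100.100.100.1 eq 22
access-list 151 deny tcp any host 100.100.100.1 eq 23
access-list 151 permit ip any any"""
ACL_66 = """access-list 66 permit 192.168.100.0 0.0.0.255
access-list 66 deny any"""
ANY = (0, 0xFFFFFFFF)  # (base address, wildcard); a 1 bit in the wildcard is "don't care"

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return (int(IPv4Address(tok)), int(IPv4Address(wild)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines; numbers 1-99 are standard (source-only)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        proto = rest.pop(0) if number > 99 else "ip"
        src, dst = _addr(rest), (_addr(rest) if number > 99 else ANY)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric ports only
        rules.append((action, proto, src, dst, dport))
    return rules

def _match(net, ip):
    return ((ip ^ net[0]) & ~net[1] & 0xFFFFFFFF) == 0

def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Return 'permit' or 'deny': first matching entry wins, with an implicit deny at the end."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and _match(rsrc, s) and _match(rdst, d) and rport in (None, dport):
            return action
    return "deny"

def compare_designs(internet="203.0.113.5", lan="192.168.100.20"):
    """SSH decisions: ACL 151 shields only the address it names; access-class 66 judges the source."""
    a151, a66 = parse_acl(ACL_151), parse_acl(ACL_66)
    return {"151 internet->100.100.100.1": evaluate(a151, internet, "100.100.100.1", dport=22),
            "151 internet->192.168.100.1": evaluate(a151, internet, "192.168.100.1", dport=22),
            "66 internet": evaluate(a66, internet, "100.100.100.1", dport=22),
            "66 lan": evaluate(a66, lan, "192.168.100.1", dport=22)}
```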

New Member

Access-list for no ssh/telnet access

I want to permit ssh access from the inside interface but deny ssh access from the outside interface that faces the Internet.

Thanks, Pat.

Super Bronze

Access-list for no ssh/telnet access

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You want to block all telnet or SSH entering the router's outside interface, or just to the outside interface, or just to this router? Also what about telnet or SSH exiting the router's outside interface? You want to block all such traffic, just traffic being sourced from the outside interface, or any traffic sourced from the router?

PS:

BTW, I believe, blocking SSH will also block SCP.

New Member

Access-list for no ssh/telnet access

I want to stop anyone from trying to log into the router from the outside. As it is now someone can ssh into the router from the Internet. As far as I know the router will only be used to send and receive secure web traffic for authenticating remote users as they set up their 881s via MEVO, but there might be more; I am not 100% sure. If secure web is all I need then maybe I should block everything but secure web. What I definitely want to do is stop anyone from attempting an ssh connection through the public address. Kind of inexperienced with security.

Thanks, Pat.

Purple

Access-list for no ssh/telnet access

Hi Patrick,

in this case you can choose Rick's solution with the access-class on the vty lines.

Regards.

Alain.

Don't forget to rate helpful posts.
