ACL Question

Hello,

I have a router with an interface pointed outside. My goal is to put an ACL in place that blocks all SSH traffic except SSH coming from inside the network. Here is what I came up with. I would then apply this to the VTY lines coming IN. Would this be appropriate for what I'm trying to do or is there a better way?

Thanks for any feedback.

It would be an extended ACL:

permit tcp 10.43.0.0 0.0.255.255 host 69.X.X.X eq 22
deny tcp any host 69.X.X.X eq 22
permit ip any any

2 REPLIES

Apply an 'access-group', allowing only your LAN, on the vty line ...

-Brj


A standard access-list would suffice for VTY access-class. There's no need to go overboard with extended ACLs matching protocols.

ip access-list standard vty-in
 permit 10.43.0.0 0.0.255.255
 deny any log
!
line vty 0 4
! (or last line, that may differ)
 transport input ssh
 access-class vty-in in vrf-also
! vrf-also is optional, but suggested to have OOB management
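To see why the standard ACL above is enough for VTY access control, here is an added example (not code from either poster) that simulates how IOS evaluates a standard access-list: wildcard-mask matching, first match wins, and an implicit deny at the end. The ACL text is the one from the reply above; the sample source addresses are constructed for the demo, and only the permit/deny/any/host subset of standard ACL syntax is parsed.

```python
import ipaddress
from dataclasses import dataclass

# Standard ACL from the reply above (IPv4 only, as on the page).
VTY_IN_ACL = """
ip access-list standard vty-in
 permit 10.43.0.0 0.0.255.255
 deny any log
"""

# Same list without the explicit deny: shows the implicit deny (no logging).
VTY_IN_NO_EXPLICIT_DENY = """
ip access-list standard vty-in
 permit 10.43.0.0 0.0.255.255
"""

# Constructed sample source addresses of SSH attempts reaching the VTY lines.
SAMPLE_SOURCES = [
    "10.43.7.9",      # inside the LAN range
    "10.43.255.254",  # still inside 10.43.0.0/16
    "10.44.0.1",      # adjacent private range, not permitted
    "203.0.113.5",    # documentation range standing in for an Internet host
]


@dataclass
class StdEntry:
    action: str     # "permit" or "deny"
    network: int    # network address as a 32-bit int
    wildcard: int   # Cisco wildcard mask: 1 bits are "don't care"
    log: bool = False


def parse_standard_acl(text: str) -> list[StdEntry]:
    """Parse 'permit|deny <addr> [wildcard] | any | host <addr> [log]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "ip access-list", "remark")):
            continue
        tokens = line.split()
        action = tokens[0]
        log = tokens[-1] == "log"
        if log:
            tokens = tokens[:-1]
        if tokens[1] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif tokens[1] == "host":
            net, wc = int(ipaddress.IPv4Address(tokens[2])), 0
        else:
            net = int(ipaddress.IPv4Address(tokens[1]))
            # A bare address with no wildcard means an exact host match.
            wc = int(ipaddress.IPv4Address(tokens[2])) if len(tokens) > 2 else 0
        entries.append(StdEntry(action, net, wc, log))
    return entries


def evaluate(entries: list[StdEntry], src: str) -> tuple[str, bool]:
    """Return (action, logged). First matching entry wins; implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    for e in entries:
        care = ~e.wildcard & 0xFFFFFFFF   # bits that must match
        if (s & care) == (e.network & care):
            return e.action, e.log
    return "deny", False   # IOS implicit deny is silent (no log)


def decisions(acl_text: str, sources: list[str]) -> dict[str, tuple[str, bool]]:
    """Evaluate every sample source against the ACL."""
    entries = parse_standard_acl(acl_text)
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    for src, (action, logged) in decisions(VTY_IN_ACL, SAMPLE_SOURCES).items():
        print(f"{src:16} -> {action}{' (logged)' if logged else ''}")
```

Running the simulator against a candidate list before pushing it to a device is a cheap way to confirm the ordering is right: because the first match wins, a `deny any log` placed above the LAN permit would lock out the very hosts you meant to allow, and the comparison with the no-explicit-deny variant shows that the implicit deny still blocks outsiders but produces no log entry to alert on.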
