Solved

Cisco host permit and deny a range of addresses

Posted on 2009-05-06
6
867 Views
Last Modified: 2012-05-06
I am using a cisco router.  I want to restrict the use of ssh to only an internal 172.16.x.x set of addresses and block any other address from using using port 22.

I am using the following and including the subnet mask to indicate that I want to use the entire class b range.  

First, do I need to include the subnet mask?
Second, if so, what is the proper format?

access-list 123 permit tcp any host 172.16.0.0 255.255.0.0 eq 22
access-list 123 deny   tcp any any eq 22
access-list 123 permit ip any any
0
Comment
Question by:c3ne
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 
LVL 3

Expert Comment

by:keno44
ID: 24319517
You use a filter, not the subnet mask. use 0.0.255.255 for this example.
0
 
LVL 3

Expert Comment

by:keno44
ID: 24319545
Sorry, to be more clear. It's not generally referred to as a 'filter', this is a 'wildcard masking'.

so it should read

access-list 123 permit tcp any host 172.16.0.0 0.0.255.255 eq 22
0
 

Author Comment

by:c3ne
ID: 24319580
I get an invalid input response using either the mask or the filter with the market at the beginning of the filter.

router(config)#$ 123 permit tcp any host 172.16.0.0 0.0.255.255 eq 22
access-list 123 permit tcp any host 172.16.0.0 0.0.255.255 eq 22
                                                                           ^
% Invalid input detected at '^' marker.
0
 
LVL 3

Accepted Solution

by:
keno44 earned 125 total points
ID: 24319602
Take the word host out of the statement. Sorry, I didnt catch that earlier!!
0
 
LVL 8

Assisted Solution

by:akalbfell
akalbfell earned 125 total points
ID: 24321392
use the tab it will help you as you type in commands as far as what you need next.
there is an easier way to limit access to the device so its only through SSH and not Telnet..

enter these commands, this will take care of the access list also..

conf t
ip access-list extended SSH_ACCESS
  permit ip 172.16.0.0 0.0.255.255 any
<type exit to get out of NACL mode>
line vty 0 4
transport input ssh
access-class SSH_ACCESS in

soon as you put the access list command in and the SSH thats it so make sure you are sure its right...a good little trick is before you do anything with the access lists type reload in 5, if it asks you to confirm the reload hit yes and then the timer starts...that will give you 5 minutes after which if you dont cancel it the router will reboot. so say you lock yourself out with an access list just wait 5 minutes and it will reboot and load the last saved config....just make sure if you do everything right to do a reload cancel to cancel it...you can change the 5 to any number of minutes you want


0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Resource timeout across a VPN 9 70
Multicast IGMP Join Group 8 53
Cisco 3650 switch 1G port to 10G port 6 40
What is weight in VIP (Vserver) in Netscalar? 2 28
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question