Solved

Access list on VTY lines Cisco

Posted on 2010-01-07
Last Modified: 2012-06-27
OK, can anyone answer this for me?

I have a 4506 on which I want to restrict the management interface to only one IP address range.

The switch is running as a router for the network, so it has several VLAN interfaces with IP addresses which are acting as the default gateway for their respective subnets.

Let's assume I have the networks

192.168.10.0/24 and 192.168.20.0/24. In each case the 4506 is assigned the .254 address, which the PCs are using as their default gateway.

Now I only want PCs in either network to be able to connect to the 192.168.20.254 IP address for management. It doesn't matter what subnet they are in; they must all use the above IP address.


I thought this would be simple:

#ip access-list extended managment
#permit ip any host 192.168.20.254 log
#deny ip any any log
#line vty 1 15      (line 0 is used for non-management purposes and does not accept SSH)
#access-class managment in

I assumed that this would mean only packets sent to the 192.168.20.254 address would be accepted into the VTY line; everything else would be dropped.

However, this rule blocks all logon attempts from network 192.168.10.0, and looking at the logs I can see the access list blocks the traffic because it sees the destination as 0.0.0.0?

I can see why this might happen, but I want to know if there is a way around it.

Remember I am not trying to restrict who can manage the switch, just what IP address they must use. And it seems simpler to only allow one IP address and default deny the rest.

Any ideas?

Question by:Aaron Street

Expert Comment

by:Vito_Corleone
ID: 26201631
Can you post those logs?

Author Comment

by:Aaron Street
ID: 26201682
These are the switch logs.

It seems that when it receives the packets it routes them to self and the access list runs against that self address (0.0.0.0)

rather than the original destination address to which they were sent?

If you use a PC on the 192.168.20.0 network it runs OK.
Jan  7 15:41:11.012: %SEC-6-IPACCESSLOGP: list Restrict_Managment denied tcp 192.168.10.100(1744) -> 0.0.0.0(22), 1 packet
Jan  7 15:41:54.451: %SEC-6-IPACCESSLOGP: list Restrict_Managment denied tcp 192.168.10.100(1757) -> 0.0.0.0(22), 1 packet

ip access-list extended Restricted_Managment
 permit ip any host 192.168.20.254 log


Expert Comment

by:Flanger
ID: 26307278
Why not create a simple access list instead of an extended one and attach it to the vty interfaces?
People usually restrict access to vty/con/aux with a simple access list where you, for example, just permit one IP address and the rest are blocked by the deny at the bottom of the access list.

Author Comment

by:Aaron Street
ID: 26319530
Hi Flanger

I know how it's usually done,

But I don't want to restrict from where you can access the management interface, but which one you are trying to get to.

By default all users are blocked from getting on to the 192.168.20.0 network; the routers' access lists block it.

But admins can log on to any remote network and open up a hole to the 192.168.20.0 network (I know this is not a standard method to do security).

However, if I could block all access to the VTY lines unless it was destined to the 192.168.20.x interface, then I could make management much simpler, rather than having to manually go to each routed interface and apply access lists there. One simple access list on each device would give me the security I want.


Accepted Solution

by:
Aaron Street earned 0 total points
ID: 26365689
For anyone interested, you can do this by using the command

#control-plane host
#management-interface f0/1 allow ssh

This limits what interface can receive different types of management traffic.

I need to check it in a live system but reading through this seems to do the trick.
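As an added illustration (not configuration posted in this thread), the following IOS snippet shows the two controls side by side: the source-based VTY restriction that Flanger describes, which matches only on where a session comes from, and Management Plane Protection (the control-plane host command from the accepted answer), which matches on the interface a session arrives on. The interface name Vlan20, the ACL name, and the assumption that MPP is supported on the chosen interface type and IOS release are placeholders to be verified on the actual platform.

```cisco
! Added example, not from the thread. Interface and ACL names are assumed.
!
! 1. Source restriction (who may open a session): a standard ACL applied with
!    access-class is evaluated against the SOURCE address only, which is why
!    the questioner's destination-based extended ACL logged 0.0.0.0 instead.
ip access-list standard MGMT-SOURCES
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
 deny   any log
!
! Line vty 0 is left out, as in the question, because it is used for other purposes.
line vty 1 15
 transport input ssh
 access-class MGMT-SOURCES in
 exec-timeout 10 0
!
! 2. Interface restriction (which interface may receive management traffic):
!    Management Plane Protection drops SSH arriving on any interface other than
!    the designated one before it reaches the VTY lines. It keys on the receiving
!    interface rather than the packet's destination address, so it sidesteps the
!    0.0.0.0 behaviour seen in the logs.
!    Assumption: the platform/IOS release accepts a VLAN SVI here; verify with
!    "show management-interface" after applying.
control-plane host
 management-interface Vlan20 allow ssh
!
! Checks after applying (standard IOS show commands):
! show management-interface
! show ip access-lists MGMT-SOURCES
```

The two controls are complementary: access-class still limits the source networks, while MPP ensures that only sessions reaching the management SVI are accepted, which is the destination-side restriction the question asks for. Test from a host on 192.168.10.0/24 against both 192.168.10.254 and 192.168.20.254 to confirm that only the latter answers on TCP/22.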