Access Control List for SSH

Hi,
I want to restrict SSH access to only certain IP addresses (Loopback & Management VLAN), on a router in this case.

Can you say if the configs below will work?

int gig0/1
ip address 192.168.100.22 255.255.255.252
no shut
exit

int gig0/2
ip address 192.168.100.25 255.255.255.252
no shut
exit
!
!
int lo1
description REMOTE ACCESS TO R6
ip address 6.6.6.6 255.255.255.255
exit
!
ip access-list extended SSH_ACCESS
!
permit tcp any host 6.6.6.6 eq 22
deny tcp any any eq 22
deny tcp any any eq 23
permit ip any any
exit
!
!
int gi0/2
ip access-group SSH_ACCESS in
!
!
int gi0/2
ip access-group SSH_ACCESS in

Hello Dinesh

You are creating an access list that will block all connectivity to TCP ports 22 and 23 (SSH and Telnet), and will only permit the use of TCP port 22 (SSH) if the destination is the loopback 6.6.6.6. You have applied this on Gi0/2.

The result is that anyone connecting to any IP address of the device with Telnet or SSH will be blocked, except for SSH via 6.6.6.6.

But this is only applied on port Gi0/2. What happens if someone tries to connect via a different interface?

Consider using an access list and applying it to the VTY line used to connect to the device. You can see this in the Standard Access List Example on Cisco Router lesson.

To this you can add Management Plane Protection (MPP) which will restrict the interfaces from which users can connect to network management protocols.

I suggest you take a look at those two lessons for more details.

I hope this has been helpful!

Laz

Hi Laz,
You are right, I should have applied the ACL to the VTY lines since it's SSH related.

I applied the ACL below. It seems to be configured correctly, but when I try to SSH in, I get the error "Connection refused by remote host".

ip access-list extended SSH_ACCESS
!
permit tcp any host 6.6.6.6 eq 22
deny tcp any any eq 22
deny tcp any any eq 23
permit ip any any
exit
!
!
line vty 0 15
transport input ssh
login local
access-class SSH_ACCESS in

Hello Dinesh

It may depend on your IOS. The access-class command only supported numbered standard access lists, but from IOS release 12.4 and on, it supports both extended and named access lists. If you're using an IOS before 12.4, this may be the reason for the failure.

Secondly, let’s take a look at your access list. You are:

  1. Permitting access from any host to 6.6.6.6 using SSH
  2. Denying access from anywhere to anywhere for Telnet and SSH
  3. Allowing access from anywhere to anywhere.

You must remember however, that this access list is applied on the VTY alone, so it will only filter communication that is attempted to be made via ports 22 and 23. You can’t connect to the VTY with other TCP ports. Also, I’m not sure how this is going to behave, keeping in mind that the access list is actually applied on the VTY and not on a physical interface. A better approach would be to:

  1. Determine from which IP addresses you will accept connectivity to the VTY and use those as source addresses in the ACL.
  2. Don’t use the ACL to specify which IP address should be used for management. It is better to use Management Plane Protection (MPP) to specify the port via which such communication is allowed to take place.

I hope this has been helpful!

Laz

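As an added example (not part of the original thread or of Dinesh's router config), here is what the approach suggested in both of Laz's replies looks like in IOS configuration: a standard access list naming the permitted management sources, applied to the VTY lines with access-class, plus Management Plane Protection to limit which interface accepts SSH at all. The subnet 192.168.100.24/30, the ACL name VTY_MGMT and the choice of GigabitEthernet0/1 as the management-facing interface are assumptions for illustration; adjust them to the real management VLAN.

```cisco
! Standard ACL: a VTY access-class only needs to judge the SOURCE address,
! so a standard list is enough and works on older IOS releases too.
! 192.168.100.24/30 is an assumed management subnet (placeholder).
ip access-list standard VTY_MGMT
 remark management hosts allowed to open a VTY session
 permit 192.168.100.24 0.0.0.3
 deny   any log
!
! Apply the list to every VTY line; SSH only, so Telnet never reaches the ACL.
ip ssh version 2
line vty 0 15
 access-class VTY_MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Management Plane Protection: SSH to the router is accepted only when it
! arrives on the listed interface; the same packets on any other interface
! are dropped. GigabitEthernet0/1 is assumed to face the management VLAN.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
```

The explicit "deny any log" at the end makes rejected attempts visible in the log; without it the implicit deny still drops them silently. Because "transport input ssh" already refuses Telnet, the list does not need the port 22/23 deny lines from the original extended ACL, and because the source is the only thing filtered, a host outside 192.168.100.24/30 is refused whichever router address it targets. "show ip access-lists VTY_MGMT" shows per-entry hit counts to confirm the list is being consulted, and "show management-interface" confirms which interfaces MPP currently allows.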