You could limit terminal access to a router with an access-class in line configuration command for a very long time (since, at least, IOS release 10.0). However, the access-class command only accepted standard access-lists, allowing you to restrict access solely based on source IP addresses. In the meantime, this feature quietly got upgraded to support extended access lists. In the IOS release 12.4, the command even accepts (undocumented !) named access lists.
These new features give you the ability to implement interesting policies, for example:
- Telnet access is only allowed from the network management station.
- SSH access is allowed from anywhere within internal network
You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router.
For example, the configuration ...
ip access-list extended TerminalAccess... would log any terminal access to the router with messages similar to the one below.
permit tcp host 10.0.0.2 any eq telnet log
permit tcp any any eq 22 log
deny tcp any any log
!
line vty 0 4
access-class TerminalAccess in
%SEC-6-IPACCESSLOGP: list TerminalAccess denied tcp 10.0.0.3(1057) -> 0.0.0.0(23), 1 packet
%SEC-6-IPACCESSLOGP: list TerminalAccess permitted tcp 10.0.0.2(1058) -> 0.0.0.0(23), 1 packet
Posts
very good tip, simple but useful.
ReplyDeleteThanks
Standard acls also provide logging, don't they?
ReplyDeleteYou're right, now they do. Long time since I've last checked :)
ReplyDeleteAny one tried using a specific destination ip address rather than "any"
ReplyDeletei.e.
permit tcp host 10.0.0.2 host 1.2.3.4 eq telnet log
It doesn't work, see the last comment in this post.
ReplyDeleteThis was actually added in at-least 12.2 (tested), still wish you could specify a destination
ReplyDelete