Configuring an ACL on VTY Lines (Telnet/SSH)

Captions
[Music] Hello everybody, I'm Rafael and welcome to Network Engineer Pro. In today's video I'm going to show you how to configure an access control list on a VTY line. As you know, Telnet is not secure; SSH is the way when it comes to securely connecting to devices like routers and switches. If you aren't familiar with SSH or how to configure it, then check the description for a link to a tutorial video that I did for that protocol.

Now the problem is that with the minimum config required to get SSH configured, anyone who has IP reachability to that router or switch is going to be able to establish a connection. With a compromised account or credentials, a malicious attacker could potentially get in. In some production networks it's common to have a security policy to only allow SSH to routers and switches from specific subnets, like a NOC subnet for example. They obviously need access for remote management and troubleshooting purposes; no other subnet within the organization should be allowed to access those devices using SSH. So in this lab I'm going to teach you how to configure an access control list on your VTY lines. This is going to allow you to control what networks are allowed to SSH to your devices. Let's get right into it.

All right, so here's the topology for this lab. There's two endpoints and one router. The PC on the left is in the NOC subnet, which is 10.140.1.0/24; the PC has IP .1, and the router's Gig0/0 is going to be .254, and it's the gateway for that subnet. If you look on the right-hand side, we have the HR subnet. The HR subnet is 10.140.2.0/24. The HR PC has .1, and the Gig0/1 interface on router R1 has .254 and it's the gateway for the subnet on the right. If you look in the upper right-hand corner we're gonna see our objective. Our objective states that only the NOC subnet, which is 10.140.1.0, should be allowed to SSH to the router, but we have some restrictions: do not apply any ACL to Gig0/0 or Gig0/1.

Get used to seeing restrictions, right, for certain things. As you progress to the CCNP and even the CCIE level, especially the CCIE level, learn that there's multiple ways to do the same thing. So yes, technically you can create an ACL that denies SSH and apply it inbound on Gig0/0 and Gig0/1; that would for sure meet the objective, but you would technically fail because you broke a restriction. I want you to be a Swiss Army knife and know that there's usually more than one way to accomplish something.

So for this lab, what's set up now is just basic IP addressing and SSH, but let's never assume; let's verify IP reachability and SSH ourselves. So on NOC PC1, which is on the left, I'm just going to ping across. I'm going to see if I can reach HR PC1, so ping 10.140.2.1. Okay, perfect. Let me test SSH: so ssh -l, the username is going to be admin. What IP address am I going to SSH to? Let me try an SSH to the IP that's my default gateway, so 10.140.1.254. Great, I was prompted with a password, so the password is cisco and I'm on router 1. Let me exit. Let me make sure I can SSH to the other IP, that 10.140.2.254. Okay, I was prompted with a password and I'm in. Let me exit. Let me verify from HR PC1: so I'm gonna do ssh -l admin and the IP that I want to SSH to is 10.140.2.254. Prompted with a password and I'm in. Let me test the other IP, and I'm in. Perfect. So there's full IP reachability and SSH works all around.

So let's get started. We want to only allow the NOC subnet to SSH to the router, so let's go ahead and hop on the router. Once I get in here I'm going to go to config t and we're going to create an extended ACL. So I'm going to say ip access-list extended and I'm just going to name it something simple: SSH-ACCESS. Now let me go ahead and work on these access control entries. So what are we doing? We are only allowing the NOC subnet SSH access. That NOC subnet is 10.140.1.0/24. So I'm going to say permit tcp 10.140.1.0, and it's a /24, so what's my wildcard mask gonna be? My wildcard mask for /24 is 0.0.0.255. Any destination is going to be any, and equal to port 22, which is SSH. Now with access lists, standard or extended, whatever, there's an implicit deny at the end. So what I want to do is add a deny entry that logs all of the failures. So I'm going to say deny tcp any any and I'm just going to add the word log at the end. So whenever HR PC1 tries to SSH and fails, I want the router to log it.

So now that the ACL has been created, let's go ahead and apply it, and this is where I want to show you where you can apply it. So we're going to go to line vty 0 through 15. Now these virtual terminal lines, these are used for, you know, incoming Telnet and SSH sessions, and this is where we're going to apply the ACL to. We're not going to apply it to the physical interface like Gig0/0 or Gig0/1; we are applying it directly on these virtual terminal lines. So now that I'm inside the line configuration, what I'm gonna do is apply this ACL. I'm going to say access-class and then the name of the ACL, right? You can use the number or the access list name, and the name that we gave it was SSH-ACCESS, and then if you hit question mark it's going to want you to choose a direction: is it going to be inbound or outbound? Since we want to only allow SSH connections inbound to the router, we're going to apply inbound, in, and hit enter.

So now that we've done that, let's go ahead and test. Let's make sure that we can still SSH to the router from NOC PC1. So I'm going to SSH; by the way, these are actual routers acting as endpoints, so I just want you to know that. So ssh -l admin, right, admin's the username, and this is the IP address that I want to SSH to. Perfect, I was given a prompt and I'm in the router, router 1. Let me exit and let me verify the other IP address on router 1, that 10.140.2.254. Let me make sure I can SSH to that. Okay, and I can; I was given a password prompt and I'm in.

Let me try from HR PC. This is the PC, this is the subnet that we don't want to allow SSH access to. So ssh, I'll just hit up arrow and, sure, let's try 10.140.1.254. Look at that: you can see "connection refused by remote host". Let me try the other IP address, let me try 10.140.2.254, and that's my default gateway, so I can't SSH to him because it was refused. Let me make sure I can still ping. Okay, so ping's working but SSH is not, so our ACL worked. Perfect. We have met our objectives: only the NOC subnet should be allowed to SSH to the router, and we did not apply any ACLs to Gig0/0 or Gig0/1.

Now some verifications that we can do on the router. Look, remember that log entry that we did, this last one here, deny tcp any any log? We're getting logs. We're getting that SSH-ACCESS denied tcp from 10.140.2.1; that's HR PC1, and we tried it twice and the logs showed up. That's perfect, that's exactly what we want to see. So if I do show access-list, it's telling me that for the permit entry, the permit tcp, right, this is for that NOC subnet, we have four matches, and for the deny tcp any any we have two matches. So everything is logging. Perfect. And let's say that you're trying to troubleshoot something and these match numbers are super high, like hundreds or thousands, and you wanted to clear them out. You can just do clear access-list, if I can type right, counters, and if you were to hit question mark you could specify a particular access list, but this is going to do all the access lists. So if I had access lists with numbers or access lists with names, it's going to clear the counters for everything, but if you wanted to do a specific ACL you can. And that's about it. Like I said, we met our objective: only the NOC PC is allowed to SSH and we didn't apply any sort of ACLs on the physical interfaces Gig0/0 or 0/1; we applied it to the VTY line itself.

All right everyone, I hope you enjoyed this lab and learned something. If you did, don't forget to hit the subscribe button below so you can stay up to date on my latest video. Thanks everyone, have a great day and lab on.
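The configuration the video walks through, written out as a complete Cisco IOS snippet. This is an added worked example, not console output captured from the video: the hostname, domain name, `login local`, `transport input ssh` and `exec-timeout` lines are assumptions filled in so the snippet is a usable whole, and the SSH prerequisites (RSA key, `ip ssh version 2`, the `admin` user) are assumed to match what the video had pre-configured. The ACL and `access-class` lines are exactly what the transcript describes.

```cisco
! Added example: VTY-line ACL from the video as a complete IOS config.
! Assumed SSH prerequisites (the video had SSH working before this lab).
hostname R1
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
! "cisco" is the lab password used in the video; never use it in production.
username admin privilege 15 secret cisco
!
! Extended ACL: permit SSH only from the NOC subnet (10.140.1.0/24),
! and log every other TCP connection attempt that reaches the VTY lines.
! The /24 wildcard mask is 0.0.0.255. Names are case-sensitive.
ip access-list extended SSH-ACCESS
 permit tcp 10.140.1.0 0.0.0.255 any eq 22
 deny   tcp any any log
!
! Apply on the virtual terminal lines, NOT on Gig0/0 or Gig0/1.
! Cover every VTY line; on images that split them, repeat for "line vty 5 15".
line vty 0 15
 access-class SSH-ACCESS in
 login local
 exec-timeout 10 0
 transport input ssh
!
! Verification (exec mode):
!   show ip access-lists SSH-ACCESS          - per-entry match counters
!   show running-config | section line vty   - confirm access-class is present
!   show logging | include SSH-ACCESS        - the "deny ... log" hits
!   clear access-list counters SSH-ACCESS    - reset counters for this ACL only
```

Two caveats a practitioner should keep in mind. First, `access-class` only governs sessions terminating on the VTY lines, so the `deny tcp any any log` entry records blocked management-session attempts, not arbitrary traffic through the router; `transport input ssh` is what actually removes Telnet, which the ACL alone does not. Second, if the management interface sits in a VRF, the `in` keyword needs `vrf-also` (`access-class SSH-ACCESS in vrf-also`) or sessions arriving from that VRF are dropped regardless of the ACL; that detail is outside the video's lab but is a common cause of "the ACL looks right but nothing can connect".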
Info
Channel: Network Engineer Pro
Views: 580
Keywords: cisco, ccna, packet tracer, configuring an ACL on VTY Lines, ssh, telnet, ccnp, ccie, ACL on VTY Lines, access control list, extended access list, extended access list tutorial cisco, configure ACL on VTY line (SSH/Telnet), Access Control List, ios, acl, How to Configure Extended ACL Cisco, Extended AC, create ACL, create extended ACL, ccent, ACL cisco, named acl, cisco router training, standard acl, access control list explained, access control list cisco, access control list ccna
Id: yo4zSiOzh-E
Length: 9min 8sec (548 seconds)
Published: Sat Mar 27 2021