From: Roberts, Larry (Larry.Roberts@xxxxxxxxxxxx)
Date: Thu Aug 29 2002 - 12:34:07 GMT-3
Just a thought....
Can you do extended access-lists on the VTY ports that way? I mean, set the
IP that they can telnet to?
I would try going with a standard access-list with permit for the 10/8
network and 192.168.10/24 network and applying that.
I know that sounds weird, but vty is telnet to the router, so I think it
applies no matter what interface they telnet to.
If they can't reach other addresses but they can reach 192.168.0.1, then
they should be OK to go.
Just my $.02
Thanks
Larry
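Larry's suggestion written out as an IOS config fragment (an added example, not a config from either poster): a standard access-list matches on source only, so it checks where the telnet comes from and not which router address it was sent to. The ACL number 10, the `deny any log` entry (so refused attempts show up in the log) and applying it to all five vty lines are assumptions of this example.

```cisco
! Standard ACL: source addresses that may open a vty session.
! Assumed ACL number 10; ranges taken from the thread.
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.10.0 0.0.0.255
! Assumed: log anything else so refused attempts are visible.
access-list 10 deny any log
!
! Apply to every vty line; the check is independent of which
! router interface or loopback the client telnets to.
line vty 0 4
 login local
 access-class 10 in
end
```

Contrast with the original post, where an extended ACL (access-list 150) with a `host 192.168.0.1` destination was used in `access-class` and the session was refused.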
-----Original Message-----
From: roel.fonteyn@belgacom.be [mailto:roel.fonteyn@belgacom.be]
Sent: Thursday, August 29, 2002 6:11 AM
To: ccielab@groupstudy.com
Subject: Restrict vty telnet TO only one ip address on the router -- NOT FROM
Hi group,
Sorry if this mail comes in double -- I waited half a day with no result.
No lab scenario, just a real life question.
I've got a client who uses vrf lite/multi vrf on a router (7200). Clients
who are in a vrf are not allowed to telnet towards the router before they
passed the FW (no NAT). Therefore, my idea was:
create a separate loopback for the normal routing table and another for the vrf
routing table. Create an access-list 1xx which allows IP traffic from
certain ranges to a specific host address (i.e. access-list 150 permit ip
10.0.0.0 0.0.0.255 host 192.168.0.1).
When I apply this access-list to a vty (for testing purposes not all of them,
thank God), I can't login anymore. Does anybody have an idea how to solve this?
config:
...
access-list 150 permit ip 10.0.0.0 0.0.0.255 host 192.168.0.1
! normal range
access-list 150 permit ip 192.168.10.0 0.0.0.255 host 192.168.0.1
! range within vrf
...
line vty 0 3
 login local
 ! I'm still able to do 4 telnet sessions
line vty 4
 login local
 access-class 150 in
 ! fifth session always gets refused, unless I remove the access-class.
end
Mvg/Rgrds,
Roel
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:42 GMT-3