
VTY access restriction using ACL

VTY (Virtual Teletype)

Virtual Lab 1-2

R1#sh ver | i Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.5(3)M, RELEASE SOFTWARE (fc1)

Minimum authentication configuration, applied to both R1 and R2:

conf t
!
enable password cisco2
line vty 0 15
password cisco1
login
transport input all
exit
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#!
R1(config)#enable password cisco2
R1(config)#line vty 0 15
R1(config-line)#password cisco1
R1(config-line)#login
R1(config-line)#transport input all
R1(config-line)#exit
R1(config)#!
R1(config)#end
R1#
*Apr  1 23:18:37.749: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | section vty
line vty 0 4
 password cisco1
 login
 transport input all
line vty 5 15
 password cisco1
 login
 transport input all
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#!
R2(config)#enable password cisco2
R2(config)#line vty 0 15
R2(config-line)#password cisco1
R2(config-line)#login
R2(config-line)#transport input all
R2(config-line)#exit
R2(config)#!
R2(config)#end
R2#
*Apr  1 23:18:38.003: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | section vty
line vty 0 4
 password cisco1
 login
 transport input all
line vty 5 15
 password cisco1
 login
 transport input all

Telnet from PC-1 and PC-2 to R1 (192.168.0.254) and R2 (192.168.3.1), before any ACL is applied:

telnet 192.168.0.254
telnet 192.168.3.1
root@Python,Go,Perl,PHP-1:~# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R1>logout
Connection closed by foreign host.


root@Python,Go,Perl,PHP-1:~# telnet 192.168.3.1
Trying 192.168.3.1...
Connected to 192.168.3.1.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>logout
Connection closed by foreign host.
root@Python,Go,Perl,PHP-2:~# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R1>logout
Connection closed by foreign host.
root@Python,Go,Perl,PHP-2:~# telnet 192.168.3.1
Trying 192.168.3.1...
Connected to 192.168.3.1.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>logout
Connection closed by foreign host.

Inbound: restrict which sources may open a VTY session on R1 with access-class ... in

access-list 1 permit host 192.168.0.2
line vty 0 15
access-class 1 in
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access
R1(config)#access-list 1 per
R1(config)#access-list 1 permit host 192.168.0.2
R1(config)#vty 0 15
               ^
% Invalid input detected at '^' marker.

R1(config)#line vty 0 15
R1(config-line)#access
R1(config-line)#access-class 1 in
R1(config-line)#access-class 1 in
R1(config-line)#^Z
R1#
*Apr  1 23:35:17.795: %SYS-5-CONFIG_I: Configured from console by console

Verification

root@Python,Go,Perl,PHP-1:~# telnet 192.168.0.254
Trying 192.168.0.254...
telnet: Unable to connect to remote host: Connection refused
root@Python,Go,Perl,PHP-2:~# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R1>logout
Connection closed by foreign host.

Outbound: restrict the destinations reachable from R1's VTY lines with access-class ... out

Additional configuration on SW1, so that it has an address R1 can reach:

en
conf t
!
enable password cisco2
line vty 0 15
password cisco1
login
transport input all
exit
!
end
SW1>en
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#!
SW1(config)#enable password cisco2
SW1(config)#line vty 0 15
SW1(config-line)#password cisco1
SW1(config-line)#login
SW1(config-line)#transport input all
SW1(config-line)#exit
SW1(config)#!
SW1(config)#end
SW1#
*Apr  1 23:38:57.883: %SYS-5-CONFIG_I: Configured from console by console
SW1#
SW1#
SW1#
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int vlan 1
SW1(config-if)#ip addr 192
*Apr  1 23:40:04.418: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed st
SW1(config-if)#ip addr 192.168.1.253 255.255.255.0
% 192.168.1.0 overlaps with GigabitEthernet0/0
SW1(config-if)#ip addr 192.168.5.254 255.255.255.0
SW1(config-if)#iext
                ^
% Invalid input detected at '^' marker.

SW1(config-if)#exit
SW1(config)#end
SW1#
*Apr  1 23:41:32.127: %SYS-5-CONFIG_I: Configured from console by console
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#router ospf 1
SW1(config-router)#network 192.168.5.0 255.255.255.0
% Incomplete command.

SW1(config-router)#network 192.168.5.0 0.0.0.255 area 0
SW1(config-router)#int vlan 1
SW1(config-if)#no shut
SW1(config-if)#
*Apr  1 23:43:46.462: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Apr  1 23:43:47.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
R1#ping 192.168.5.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.5.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.5.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 192.168.5.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/21 ms
R1#telnet 192.168.5.254
Trying 192.168.5.254 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW1>logout

[Connection to 192.168.5.254 closed by foreign host]
R1#


R1#telnet 192.168.3.1
Trying 192.168.3.1 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>logout

[Connection to 192.168.3.1 closed by foreign host]
R1#
  • R1
access-list 2 permit host 192.168.3.1
line vty 0 15
access-class 2 out
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 2 permit host 192.168.3.1
R1(config)#line vty 0 15
R1(config-line)#access-class 2 out
R1(config-line)#exit
R1(config)#^Z
R1#
*Apr  1 23:51:05.016: %SYS-5-CONFIG_I: Configured from console by console

Verification

Telnet from R1's console, first R1→SW1 and then R1→R2

R1#telnet 192.168.5.254
Trying 192.168.5.254 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
User Access Verification

Password:
% Password:  timeout expired!
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW1>logout

[Connection to 192.168.5.254 closed by foreign host]
R1#telnet 192.168.3.1
Trying 192.168.3.1 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>logout

[Connection to 192.168.3.1 closed by foreign host]

Telnet succeeded to both, even to SW1 (192.168.5.254), which ACL 2 does not permit…

R1#sh run | sec line vty
line vty 0 4
 access-class 1 in
 access-class 2 out
 password cisco1
 login
 transport input all
line vty 5 15
 access-class 1 in
 access-class 2 out
 password cisco1
 login
 transport input all
R1#sh acc
R1#sh access-li
R1#sh access-lists 2
Standard IP access list 2
    10 permit 192.168.3.1
conf t
access-list 2 deny any
R1#sh access-lists 2
Standard IP access list 2
    10 permit 192.168.3.1
    20 deny   any

Still successful, even with the explicit deny any…

hmmm???

This session is on the console line (con 0). Maybe access-class 2 out only applies to VTY sessions?

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip acce
R1(config)#ip access-list sta
R1(config)#ip access-list standard 2
R1(config-std-nacl)#no 20
R1(config-std-nacl)#^Z
R1#conf t
*Apr  2 00:03:58.458: %SYS-5-CONFIG_I: Configured from console by console
R1#sh access-lists 2
Standard IP access list 2
    10 permit 192.168.3.1

Try again over another path, this time from a VTY session on R1 rather than from its console:

  • PC-2→R1→SW1
root@Python,Go,Perl,PHP-2:~# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R1>telnet 192.168.5.254
Trying 192.168.5.254 ...
% Connections to that host not permitted from this terminal
  • PC-2→R1→R2
root@Python,Go,Perl,PHP-2:~# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R1>telnet 192.168.3.1
Trying 192.168.3.1 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:44:46
*578 vty 0                idle                 00:00:00 192.168.1.1

  Interface    User               Mode         Idle     Peer Address

R2>logout

[Connection to 192.168.3.1 closed by foreign host]
R1>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:01
*578 vty 0                idle                 00:00:00 192.168.0.2

  Interface    User               Mode         Idle     Peer Address

R1>logout
Connection closed by foreign host.

OK, I get the expected result.

Finally, test direct Telnet access from PC-1.
It must succeed, because the access-class 2 out command above is not applied to traffic that is not a VTY session from R1; it only governs sessions started from R1's own VTY lines, not traffic that merely transits R1.
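The in/out semantics this lab exercised, modelled in Python as an added example (not code from the original page or from Cisco): standard-ACL matching with first-match and implicit deny, `access-class ... in` checking the source of an incoming VTY connection, and `access-class ... out` checking the destination of a Telnet session that a user starts from a VTY line, with console sessions exempt, which is what the lab observed. The address 192.168.0.1 for PC-1 is an assumption; the page shows only PC-2's address (192.168.0.2).

```python
"""
Model of Cisco IOS standard-ACL evaluation as used by `access-class N in|out` on VTY lines.

Added example, not code from the original lab page or from Cisco: the rules it encodes
are the documented IOS ones (entries tested in order, first match wins, an implicit deny
follows the last entry, wildcard-mask bits set to 1 are "don't care"). The PC-1 address
192.168.0.1 is an assumption; the page only shows PC-2 as 192.168.0.2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StdAce:
    action: str     # "permit" or "deny"
    network: int    # 32-bit address value
    wildcard: int   # 32-bit wildcard mask; 1 bits are ignored when matching

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        care = ~self.wildcard & 0xFFFFFFFF
        return (a & care) == (self.network & care)


def parse_standard_acl(lines):
    """Parse `access-list N permit|deny ...` lines (order preserved) into StdAce objects.
    Accepts `host A.B.C.D`, `any`, a bare address (host shorthand) and `A.B.C.D W.W.W.W`."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wc = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            wc = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        aces.append(StdAce(action, net, wc))
    return aces


def evaluate(acl, addr):
    """First matching entry decides; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(addr):
            return ace.action
    return "deny"


def inbound_allowed(acl_in, src_ip):
    """`access-class N in`: the source address of the incoming VTY connection is checked.
    A denied source sees the TCP connection refused, as PC-1 did in the lab."""
    return acl_in is None or evaluate(acl_in, src_ip) == "permit"


def outbound_allowed(acl_out, line_type, dst_ip):
    """`access-class N out` on the VTY lines: the destination of a Telnet session started
    from a VTY session is checked. A console (con 0) session is not on a VTY line, so the
    ACL never applies to it; transit traffic through the router is not affected either."""
    if line_type != "vty":
        return True
    return acl_out is None or evaluate(acl_out, dst_ip) == "permit"


# The two ACLs configured on R1 in the lab.
ACL_1 = parse_standard_acl(["access-list 1 permit host 192.168.0.2"])
ACL_2 = parse_standard_acl(["access-list 2 permit host 192.168.3.1"])


def lab_results():
    """Replay the lab's connection attempts; True = session allowed by the access-class."""
    return {
        "pc2_to_r1_vty": inbound_allowed(ACL_1, "192.168.0.2"),             # PC-2: connected
        "pc1_to_r1_vty": inbound_allowed(ACL_1, "192.168.0.1"),             # PC-1 (assumed address): refused
        "console_to_sw1": outbound_allowed(ACL_2, "con", "192.168.5.254"),  # from con 0: not checked
        "vty_to_sw1": outbound_allowed(ACL_2, "vty", "192.168.5.254"),      # from a VTY: not permitted
        "vty_to_r2": outbound_allowed(ACL_2, "vty", "192.168.3.1"),         # from a VTY: allowed
    }


if __name__ == "__main__":
    for name, allowed in lab_results().items():
        print(f"{name:16} {'permit' if allowed else 'deny'}")
```

The `vty_to_sw1` case is the one the router reported as "% Connections to that host not permitted from this terminal"; the `pc1_to_r1_vty` case is the "Connection refused" seen on PC-1. Adding `access-list 2 deny any`, as the lab did, changes nothing here because the implicit deny already covers it.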

  • PC-1→SW1
root@Python,Go,Perl,PHP-2:~# telnet 192.168.5.254
Trying 192.168.5.254...
Connected to 192.168.5.254.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW1>logout
Connection closed by foreign host.
  • PC-1→SW2
root@Python,Go,Perl,PHP-2:~# telnet 192.168.3.1
Trying 192.168.3.1...
Connected to 192.168.3.1.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
R2>logout
Connection closed by foreign host.
root@Python,Go,Perl,PHP-2:~#

OK!
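A configuration audit for the controls this lab set up, as an added example (not code from the page or from Cisco): it parses the `line vty` stanzas out of a running-config dump and reports VTY lines with no inbound access-class, an access-class that references an ACL not defined in the same dump, or a transport input that still accepts cleartext Telnet. The sample configs are constructed from the lab's own `sh run | sec line vty` output before and after the change; the findings are the editor's checklist, not an IOS feature.

```python
"""
Audit the VTY line stanzas of a `show running-config` dump for the controls this lab used.

Added example, not part of the original page or of IOS: the three findings it raises
(no inbound access-class, access-class referencing an ACL that is not defined in the
dump, transport input that accepts cleartext Telnet) are the editor's checklist.
"""
import re

TELNET_TRANSPORTS = {"all", "telnet"}


def parse_line_stanzas(config_text):
    """Return {stanza_header: [sub-commands]} for every `line ...` stanza.
    Sub-commands are the indented lines that follow until the next top-level command."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                stanzas.setdefault(current, [])
    return stanzas


def defined_acls(config_text):
    """ACL numbers/names defined by `access-list N ...` or `ip access-list standard|extended NAME`."""
    names = set(re.findall(r"^access-list (\S+) ", config_text, re.M))
    names |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config_text, re.M))
    return names


def audit_vty(config_text):
    """Return a sorted list of (stanza_header, finding) tuples for the VTY lines."""
    findings = []
    acls = defined_acls(config_text)
    for header, cmds in parse_line_stanzas(config_text).items():
        if not header.startswith("line vty"):
            continue
        in_acls = [m.group(1) for c in cmds if (m := re.match(r"access-class (\S+) in\b", c))]
        if not in_acls:
            findings.append((header, "no inbound access-class: any reachable source may attempt login"))
        for acl in in_acls:
            if acl not in acls:
                findings.append((header, f"access-class {acl} in references an ACL not defined in this config"))
        for c in cmds:
            if c.startswith("transport input ") and set(c.split()[2:]) & TELNET_TRANSPORTS:
                findings.append((header, f"{c}: cleartext Telnet accepted"))
    return sorted(findings)


# Constructed sample: R1's `sh run | sec line vty` from the lab, after both ACLs were applied.
R1_AFTER = """\
access-list 1 permit host 192.168.0.2
access-list 2 permit host 192.168.3.1
line vty 0 4
 access-class 1 in
 access-class 2 out
 password cisco1
 login
 transport input all
line vty 5 15
 access-class 1 in
 access-class 2 out
 password cisco1
 login
 transport input all
"""

# Constructed sample: the lab's starting point, before any access-class existed.
R1_BEFORE = """\
line vty 0 4
 password cisco1
 login
 transport input all
line vty 5 15
 password cisco1
 login
 transport input all
"""

if __name__ == "__main__":
    for label, cfg in (("before", R1_BEFORE), ("after", R1_AFTER)):
        print(f"== {label} ==")
        for header, finding in audit_vty(cfg):
            print(f"{header}: {finding}")
```

Run against the lab's "after" config, the only remaining finding is `transport input all` on both stanzas: the access-class limits who may connect, but the session itself is still cleartext Telnet, which the ACL does nothing about.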

tech/network/cisco/vty-acl-restriction/vty-acl-restriction.txt · Last modified: 2018/04/02 09:15 by wnoguchi