Unsolved
August 29th, 2016 08:00
trouble applying access-list
Hi, I have an S3048 running Dell OS firmware 9.10. I would like to restrict access for telnet and ssh to the switch, but I'm having trouble getting this to work. So what I have is:
ip access-list extended telssh
seq 10 permit 22 192.168.5.0/24 host 192.168.5.1
seq 11 permit 23 192.168.5.0/24 host 192.168.5.1
seq 12 permit 22 192.168.5.0/24 host 10.0.200.1
seq 13 permit 23 192.168.5.0/24 host 10.0.200.1
seq 20 deny 22 any 192.168.5.1/24
seq 21 deny 23 any 192.168.5.1/24
seq 22 deny 22 any 10.0.200.1/24
seq 23 deny 23 any 10.0.200.1/24
seq 100 permit ip any any
I've applied this access policy to three interfaces - 2 vlan ones and 1 real interface via the 'ip access-group' command, however it's still possible to get ssh and telnet access from any network. The switch management IP is the 192.168.5.1 address and the 10.0.200.1 address is on an interface port. I'd like to restrict access for telnet and ssh from pretty much everything except the management port and designated IP addresses that would be arriving inbound via the port with address 10.0.200.1. If I take the seq 100 permit ip any any out of the access rule then this blocks ALL traffic from these ports; if I put it back then traffic flows again, but so does telnet and ssh - is what I would like to do possible, and can somebody point me as to where I'm going wrong?


rogerv111
August 30th, 2016 07:00
daniel
Thanks, I think I see what you are trying here. I added a couple of rules to test this approach for just port 22, however same effect - i.e. it does not seem to deny a connection to port 22. Perhaps I'm looking at this the wrong way - is it possible to block (deny) traffic destined for the switch itself? Maybe I should be thinking about using SSH keys as a way to secure ssh access?
Roger
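The following configuration is an added example and is not part of the thread or of any reply from daniel; it shows how the filter in the first post and the question in the second post ("is it possible to block traffic destined for the switch itself?") would normally be expressed on a Dell OS9 switch. It assumes two things: first, that in an extended ACL the token right after permit/deny is the IP protocol, so "permit 22" matches IP protocol number 22 rather than TCP port 22, which is why the posted rules never match SSH or telnet; second, that the VTY lines accept a standard ACL through access-class, which filters sessions to the switch's own control plane regardless of which interface they arrive on. The host 10.0.200.50, the VLAN number and the line range are constructed placeholders; check the access-class and telnet-server commands against the OS9 configuration guide for the firmware in use.

```text
! Extended ACL for the data-plane interfaces: match TCP with a destination
! port of 22 or 23, permit the allowed sources, deny the rest, then let all
! other traffic through (the trailing permit ip any any from the original
! post is kept so normal traffic is not caught by the implicit deny).
ip access-list extended telssh
 seq 10 permit tcp 192.168.5.0/24 host 192.168.5.1 eq 22
 seq 11 permit tcp 192.168.5.0/24 host 192.168.5.1 eq 23
 seq 12 permit tcp host 10.0.200.50 host 10.0.200.1 eq 22
 seq 13 permit tcp host 10.0.200.50 host 10.0.200.1 eq 23
 seq 20 deny tcp any host 192.168.5.1 eq 22 log
 seq 21 deny tcp any host 192.168.5.1 eq 23 log
 seq 22 deny tcp any host 10.0.200.1 eq 22 log
 seq 23 deny tcp any host 10.0.200.1 eq 23 log
 seq 100 permit ip any any
!
! Apply inbound on the interfaces the sessions arrive through
! (VLAN number is a constructed placeholder).
interface vlan 5
 ip access-group telssh in
!
! Control-plane filter: a standard ACL bound to the VTY lines restricts
! who may open an SSH or telnet session to the switch itself. Standard
! ACLs match on source only; the implicit deny at the end drops everyone else.
ip access-list standard mgmt-hosts
 seq 5 permit 192.168.5.0/24
 seq 10 permit host 10.0.200.50
!
line vty 0 9
 access-class mgmt-hosts
!
! If telnet is not needed at all, turning the server off removes the
! cleartext service instead of filtering it.
no ip telnet server enable
```

The data-plane ACL and the VTY access-class complement each other: the interface ACL sees traffic as it enters a port, while the access-class applies to the session itself, so the second catches attempts arriving on any interface the first was not applied to. Denied entries carry log so rejected connection attempts show up in the switch log, which is the check to run after applying this: a telnet or ssh attempt from a host outside the permitted ranges should fail and appear as a logged deny, while one from 192.168.5.0/24 should still connect.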