
I have a Cisco 3750 switch and I want to modify the allow/deny IP addresses that can access it in ssh and "enable" mode. Not sure how, and googling is nearly impossible to get this info it seems.

1 Answer


As far as I know you cannot set permissions for enable mode based on IP address.

At the very least you could control which IPs are allowed to connect to your switch by SSH/Telnet using ACLs, but once they are connected in user mode they are already connected, so they can invoke the enable privileged mode (of course they should know the password to go further...).

To control SSH access based on IP address using an ACL, the approach would be something like:

ip access-list extended Manage-SSH
permit tcp host 192.168.1.10 host 0.0.0.0 eq 22
permit tcp host 192.168.1.11 host 0.0.0.0 eq 22
deny ip any any log

line vty 0 4
access-class Manage-SSH in
transport input ssh

EDIT:

How would I add an IP to allow list, and deny all else, or delete an IP from the allow list already there?

For all this you will have to enter config mode and then edit the ACL:

R1#conf terminal
R1(config)#ip access-list extended Manage-SSH

Then, from here:

  • To allow a new IP (192.168.1.12):

    R1(config-ext-nacl)#permit tcp host 192.168.1.12 host 0.0.0.0 eq 22
    R1(config-ext-nacl)#end
    
  • To delete an IP (192.168.1.12), just prefix the command with no:

    R1(config-ext-nacl)#no permit tcp host 192.168.1.12 host 0.0.0.0 eq 22
    R1(config-ext-nacl)#end
    
  • Deny all else: already answered in my original answer.

    You need to end your ACL with:

    deny ip any any log
    

    This means that what is not explicitly permitted by a previous permit... command will be denied.


EDIT 2:

Regarding the comments we had, here is a test case.

We are going to:

  1. Create a new allowed access in access-list Manage-SSH
  2. Remove this permission from access-list Manage-SSH

Create:

R1#conf terminal
R1(config)#ip access-list extended Manage-SSH
R1(config-ext-nacl)#permit tcp host 192.168.1.12 host 0.0.0.0 eq 22
R1(config-ext-nacl)#end
R1#show access-lists
Extended IP access list Manage-SSH
    permit tcp host 192.168.1.12 host 0.0.0.0 eq 22
R1#

Delete:

R1#conf terminal
R1(config)#ip access-list extended Manage-SSH
R1(config-ext-nacl)#no permit tcp host 192.168.1.12 host 0.0.0.0 eq 22
R1(config-ext-nacl)#end
R1#show access-lists
Extended IP access list Manage-SSH
R1#

The access-list is now empty.

Now do the same on your ACL 115 (replace Manage-SSH with 115 in all commands), but warning!! It seems that you don't really know what you are doing, so go carefully if we are talking about a live switch.

krisFR
  • My previous tech did it and it allowed only my home office and data center to access the switch. However, I'm looking to whitelist one more IP and not sure how. Is there a way to *View* what is currently allowed and denied? –  Apr 05 '14 at 19:40
  • @Chad run `show access-lists` to display ACLs and permissions for each – krisFR Apr 05 '14 at 20:17
  • Thank you. So could I trouble you for two basic examples? How would I add an IP to allow list, and deny all else, or delete an IP from the allow list already there? –  Apr 06 '14 at 20:22
  • @Chad Ok, I've edited my answer. Do not hesitate to post the output of `show access-lists` if you want me to be more precise regarding your case. – krisFR Apr 06 '14 at 21:14
  • Thank you, I will try this. One question though, what do the "0.0.0.0" and "eq" and "22" mean? I'm guessing 22 is the ssh port, naturally, but the other two I'm not sure what they are. –  Apr 07 '14 at 18:42
  • By the way, I tried to run this "no permit ip host xxx.xxx.xxx.xxx any" since this is how it appears in show access-lists (actual IP tho) and did 'end' after. Then I re-ran show access-lists, that IP is still there? –  Apr 07 '14 at 18:54
  • @Chad `0.0.0.0` means "any". `eq` means "equals" and `22` is the TCP port (ssh). If you can still see the IP after `no permit...`, this could be because it is defined multiple times. I would like to see it for myself!! Can you update your post with this? – krisFR Apr 07 '14 at 18:59
  • Ok view the paste here http://tny.cz/30bf47b2 –  Apr 07 '14 at 19:04
  • @Chad Warning! You are messing things up!! You are editing the access-list called `Manage-SSH`, which is empty. The IP you talk about is defined in the access-list named `115`. These are two different access-lists. I have edited my answer to add a test case. – krisFR Apr 07 '14 at 19:18
  • Thanks. I tried to do the same for 115, but still there. Same results: http://tny.cz/7326e673 –  Apr 07 '14 at 19:23
  • @Chad No !! run `ip access-list extended 115` – krisFR Apr 07 '14 at 19:24
  • Bingo got it :) Thanks so much, that was my oversight. By the way, should I just wipe out 115 and do the regular "ip access-list extended Manage-SSH" instead? If yes, would that simply be a matter of deleting all 4 instances from 115 and adjusting the default one? –  Apr 07 '14 at 19:26
  • `ip access-list extended Manage-SSH` is not regular. I have just used this name as a sample. You can use whatever name you want: `115` is as valid as `Manage-SSH`. The second is just more readable because its name is more explicit. But warning, your actual access-list 115 allows more than tcp port 22 (you have any), so this ACL could be used for other stuff like filtering access to a particular VLAN. I cannot give further advice without seeing your actual full running config (`show running-config`). – krisFR Apr 07 '14 at 19:36
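To avoid the mix-up in the comments above (editing `Manage-SSH` while the host was actually permitted in ACL `115`), here is an added Python helper, not part of the answer and not Cisco code, that parses `show access-lists` output in the format shown in the test case and reports, per ACL, which sources may reach TCP/22 and whether the list ends in an explicit deny. The sample output, including the ACL 115 entries and their addresses, is constructed for the example.

```python
import re

# Constructed sample in the format of "show access-lists": the answer's named ACL
# plus a numbered ACL 115 like the one the asker was actually editing (not real output).
SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list Manage-SSH
    10 permit tcp host 192.168.1.10 host 0.0.0.0 eq 22
    20 permit tcp host 192.168.1.11 host 0.0.0.0 eq 22
    30 deny ip any any log
Extended IP access list 115
    10 permit ip host 203.0.113.5 any (12 matches)
    20 permit ip host 198.51.100.7 any
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# Optional sequence number, action, protocol, source, destination, optional "eq <port>".
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+"
                   r"(host \S+|any|\S+ \S+)\s+(host \S+|any|\S+ \S+)(?:\s+eq (\S+))?")

def parse_access_lists(text):
    """Group ACL entries by ACL name, in the order the switch prints them."""
    acls, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            action, proto, src, dst, port = e.groups()
            acls[current].append({"action": action, "proto": proto,
                                  "src": src, "dst": dst, "port": port})
    return acls

def ssh_sources(acls, name):
    """Sources the ACL permits towards TCP/22, explicitly or via a port-less ip/tcp permit."""
    return [e["src"] for e in acls.get(name, []) if e["action"] == "permit"
            and (e["port"] == "22" or (e["port"] is None and e["proto"] in ("ip", "tcp")))]

def ends_with_explicit_deny(acls, name):
    """True when the last entry is 'deny ... any any', as the answer recommends."""
    last = acls.get(name, [])[-1:]
    return bool(last) and last[0]["action"] == "deny" and (last[0]["src"], last[0]["dst"]) == ("any", "any")

def acls_permitting_host(acls, ip):
    """ACLs carrying a permit for this host: shows whether to edit Manage-SSH or 115."""
    return [name for name, entries in acls.items()
            if any(e["action"] == "permit" and e["src"] == f"host {ip}" for e in entries)]
```

Feed it the real `show access-lists` text instead of the sample and run `acls_permitting_host` for the address you intend to remove before typing any `no permit` line.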