How to Configure Standard ACL to Secure a VTY Port
By default, Cisco routers and switches cannot be accessed remotely via a terminal program such as PuTTY or Tera Term. There are two methods of remote connectivity: a VTY (Telnet) connection or an SSH connection. SSH provides encrypted connectivity and is recommended by Cisco for remote administration.
If the Cisco IOS on your router does not support SSH, the VTY connection can be used instead. The security of the administrative lines can be improved by restricting VTY port access.
VTY port access restriction lets you define which IP addresses are allowed Telnet access to the router's EXEC process. Which administrative workstations may connect can also be controlled with an ACL together with an access-class statement configured on the VTY lines.
The access-class command, configured in line configuration mode, restricts connections between a particular VTY/SSH line and the addresses in an access list. Both standard and extended access lists apply to packets that travel through a router. By default, an outbound Telnet extended ACL does not prevent router-initiated Telnet sessions.
Filtering Telnet traffic is usually considered an extended IP ACL function because it filters a higher-level protocol. But because the access-class command filters incoming or outgoing Telnet/SSH sessions by source address only, a standard ACL can be used. The access-class command syntax is the following:
Router(config-line)# access-class <access-list-number> { in | out }
The parameter "in" restricts incoming connections and the parameter "out" restricts outgoing connections between the addresses in the access list and the Cisco device. We can allow a range of addresses or specific hosts.
The example below allows a range of addresses to access VTY lines 0-4 on router R3. The network 192.168.1.0 is permitted in the ACL to access VTY lines 0-4, and all other networks are denied access to the VTY port.
Verifying a Standard ACL used to secure a VTY Port
After configuring and applying the ACL to the VTY lines, it is important to verify that it is working as expected. The figure below shows a computer attempting to access R3 using Telnet. Access list 2 has been configured on the VTY lines of R3. PC0 cannot access R3, but PC1's attempt succeeds.
This is the expected result, as configured. We can also use the show access-lists command after the Telnet attempts by PC0 and PC1; the ACL statistics will show the matches on the permit line and on the deny line.
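As an added example, not code from the original article: the R3 configuration described above written out in standard IOS syntax (ACL 2 and the 192.168.1.0 network come from the article; the explicit deny line and the VTY commands are standard syntax), followed by a small Python evaluator of the same standard ACL that replays the PC0/PC1 verification and the per-line match counters that show access-lists reports. The PC addresses are constructed assumptions.

```python
import ipaddress

# Constructed R3 configuration in standard IOS syntax: ACL 2 permits 192.168.1.0/24
# (wildcard 0.0.0.255), denies everything else, and is applied inbound on VTY 0-4.
R3_CONFIG = """
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
line vty 0 4
 access-class 2 in
 login
"""

def parse_standard_acl(config, number):
    """Collect the entries of standard ACL `number`: 'any', 'host A.B.C.D',
    or 'A.B.C.D WILDCARD' (a missing wildcard means an exact host)."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action, target = parts[2], parts[3:]
        if target[0] == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif target[0] == "host":
            addr, wildcard = target[1], "0.0.0.0"
        else:
            addr = target[0]
            wildcard = target[1] if len(target) > 1 else "0.0.0.0"
        entries.append({"action": action, "addr": int(ipaddress.ip_address(addr)),
                        "wildcard": int(ipaddress.ip_address(wildcard)), "matches": 0})
    return entries

def access_class_in(acl, source_ip):
    """Inbound access-class check on a VTY line: first matching entry wins and its
    counter is incremented; a source matching no entry hits the implicit deny."""
    src = int(ipaddress.ip_address(source_ip))
    for entry in acl:
        care = 0xFFFFFFFF ^ entry["wildcard"]  # wildcard bit 0 = bit must match
        if (src & care) == (entry["addr"] & care):
            entry["matches"] += 1
            return entry["action"] == "permit"
    return False

def demo():
    """Replay the verification step with constructed PC addresses."""
    acl = parse_standard_acl(R3_CONFIG, 2)
    pc1_ok = access_class_in(acl, "192.168.1.10")   # True: inside the permitted network
    pc0_ok = access_class_in(acl, "192.168.2.10")   # False: matches the deny line
    return pc1_ok, pc0_ok, [e["matches"] for e in acl]
```

Calling demo() returns (True, False, [1, 1]): one hit on the permit line for PC1 and one on the deny line for PC0, the same counters show access-lists would display on R3.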
