1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Access lists control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs, so the order of entries matters: the permitted management sources must come first, and the explicit deny must be the last entry.

Rationale:

VTY ACLs control which addresses may attempt to log in to the router. Configuring the VTY lines to use an ACL restricts the sources from which the device can be managed. Limit the hosts and/or networks authorized to connect to and configure the device, via an approved protocol, to those individuals or systems authorized to administer it. For example, restrict access to specific management workstations, so that only network managers can configure the devices and only from those workstations. Make sure you configure all VTY lines to use the same ACL.

Impact:

Organizations can reduce the risk of unauthorized access by implementing access-lists for all VTY lines. Conversely, using VTY lines without access-lists increases the risk of unauthorized access.

Solution

Configure the VTY ACL that will be used to restrict management access to the device. Each line carries the same ACL number; the final entry is an explicit deny with the 'log' keyword so that rejected connection attempts are recorded. Applying the ACL to the VTY lines with 'access-class <vty_acl_number> in' is a separate step.

hostname(config)#access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any
hostname(config)#access-list <vty_acl_number> permit tcp host <vty_acl_host> any
hostname(config)#access-list <vty_acl_number> deny ip any any log
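As an added example (not part of the CIS audit text and not the benchmark's own assessment tooling), the following Python check reads a saved IOS running-config and reports whether every 'line vty' block references one ACL that ends with an explicit logged deny, which is what this audit and the rationale above ask for. The ACL number 110, the addresses in the two embedded configurations and the function names are assumptions constructed for the example.

```python
import re

# Constructed sample configurations for this example (not from the page). ACL number 110,
# the 10.1.1.0/24 management block and the 10.9.9.9 management host are assumed values.
COMPLIANT_CONFIG = """\
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any
access-list 110 permit tcp host 10.9.9.9 any
access-list 110 deny ip any any log
!
line vty 0 4
 access-class 110 in
 transport input ssh
line vty 5 15
 access-class 110 in
 transport input ssh
"""

# Same device with the explicit deny omitted and 'line vty 5 15' left without an access-class.
NONCOMPLIANT_CONFIG = """\
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any
access-list 110 permit tcp host 10.9.9.9 any
!
line vty 0 4
 access-class 110 in
line vty 5 15
 transport input ssh
"""

NUMBERED_ACL = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
NAMED_ACL = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$")
VTY_LINE = re.compile(r"^line vty\s+(\d+)(?:\s+(\d+))?$")
ACCESS_CLASS = re.compile(r"^access-class\s+(\S+)\s+in$")
# Explicit final deny as the page writes it (extended form) or its standard-ACL equivalent.
EXPLICIT_DENY = re.compile(r"^deny\s+(?:ip\s+any\s+any|any)\s+log(?:-input)?$")


def parse_access_lists(config):
    """Return {acl_id: [entry, ...]} in configuration order, remarks dropped."""
    acls = {}
    current_named = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):
            current_named = None          # any top-level line ends a named ACL block
        m = NUMBERED_ACL.match(stripped)
        if m:
            if not m.group(2).startswith("remark"):
                acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = NAMED_ACL.match(stripped)
        if m:
            current_named = m.group(1)
            acls.setdefault(current_named, [])
            continue
        if current_named and stripped and not stripped.startswith("remark"):
            # Named entries may carry a sequence number, e.g. "10 permit tcp ..."
            acls[current_named].append(re.sub(r"^\d+\s+", "", stripped))
    return acls


def parse_vty_lines(config):
    """Return [(label, acl_id_or_None), ...], one tuple per 'line vty' block."""
    blocks = []
    in_vty = False
    for raw in config.splitlines():
        stripped = raw.strip()
        m = VTY_LINE.match(stripped)
        if m:
            blocks.append(["line vty " + " ".join(g for g in m.groups() if g), None])
            in_vty = True
            continue
        if not raw.startswith(" "):
            in_vty = False
            continue
        m = ACCESS_CLASS.match(stripped)
        if in_vty and m:
            blocks[-1][1] = m.group(1)
    return [tuple(b) for b in blocks]


def audit_vty_acl(config):
    """Findings for this audit; an empty list means the configuration passes."""
    findings = []
    acls = parse_access_lists(config)
    vty_blocks = parse_vty_lines(config)
    if not vty_blocks:
        return ["no 'line vty' configuration found"]
    referenced = set()
    for label, acl_id in vty_blocks:
        if acl_id is None:
            findings.append("%s has no 'access-class <acl> in'" % label)
        else:
            referenced.add(acl_id)
    if len(referenced) > 1:
        findings.append("VTY lines do not share one ACL: %s" % ", ".join(sorted(referenced)))
    for acl_id in sorted(referenced):
        entries = acls.get(acl_id)
        if not entries:
            findings.append("ACL %s is referenced by access-class but has no entries" % acl_id)
            continue
        if not any(e.startswith("permit") for e in entries):
            findings.append("ACL %s permits no management source" % acl_id)
        if not EXPLICIT_DENY.match(entries[-1]):
            findings.append("ACL %s does not end with an explicit logged deny" % acl_id)
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        print(name, audit_vty_acl(cfg) or "PASS")
```

On a real device the input would be the output of 'show running-config', saved to a file and passed to audit_vty_acl; the check deliberately treats a VTY block with no 'access-class ... in', a set of VTY blocks that reference different ACLs, and an ACL whose last entry is not a logged deny as separate findings, because each is a distinct way of failing this audit.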

See Also

https://workbench.cisecurity.org/files/3762