1 Reply Latest reply on Feb 23, 2017 7:22 PM by jayh

    Can I disable router login from certain network? (DMZ)

    tdssupport New Member

      I have set up a DMZ basically for a WAP to sit on for customer wifi use. I have isolated that network to Port 8 and 172.20.1.x. I want to disable anyone on the 172.20.1.x network from being able to log in to the router. I do not see an option for doing that however.

        • Re: Can I disable router login from certain network? (DMZ)
          jayh Hall_of_Fame

          1. Create an access list including your trusted management networks (preferred) or denying your untrusted networks or both. Don't forget the rules for access lists. They're processed in order top-down and there is an implicit deny any at the end. So, if you just want to deny a specific subnet, follow that deny statement with a "permit any".

           

          ip access-list standard admin-access-list
            permit [network] [inverse mask]
            deny 172.20.1.0 0.0.0.255

           

          2. Apply this access list to router administration.

           

          line telnet 0 4
            ip access-class admin-access-list in

          line ssh 0 4
            ip access-class admin-access-list in

          http ip access-class admin-access-list in
          http ip secure-access-class admin-access-list in

           

          3. If you have SNMP enabled on the device, lock it down similarly.

           

          You may want to do this from the console in case you make a mistake and lock yourself out. "reload in 10" can also help if you need to do it remotely.
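
The top-down, first-match rule and the implicit deny described in the answer above can be checked offline before the list is applied to the management lines. This is an added example, not part of the original reply or of any vendor tooling; the management network 192.0.2.0/24, the sample host addresses and all function names are assumptions made for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_acl(text):
    """Parse 'permit|deny <network> <inverse mask>' or 'permit|deny any' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, rest = parts[0], parts[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        if rest == ["any"]:
            net, wild = 0, ALL_ONES          # every bit is "don't care"
        elif len(rest) == 2:
            net = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1]))
        else:
            raise ValueError(f"unsupported entry: {line!r}")
        rules.append((action, net, wild))
    return rules

def evaluate(rules, source):
    """Return the action of the first matching entry, top-down."""
    src = int(ipaddress.IPv4Address(source))
    for action, net, wild in rules:
        care = ~wild & ALL_ONES              # inverse mask: 0 bits must match
        if (src & care) == (net & care):
            return action
    return "deny"                            # implicit deny any at the end

def audit(acl_text, must_permit, must_deny):
    """Return (source, actual result) pairs that differ from the intent."""
    rules = parse_acl(acl_text)
    wrong = [(ip, "deny") for ip in must_permit if evaluate(rules, ip) != "permit"]
    wrong += [(ip, "permit") for ip in must_deny if evaluate(rules, ip) != "deny"]
    return wrong

# Constructed sample lists. 192.0.2.0/24 is an assumed management network.
ADMIN_ACL = "permit 192.0.2.0 0.0.0.255\ndeny 172.20.1.0 0.0.0.255"
DENY_ONLY = "deny 172.20.1.0 0.0.0.255"
DENY_THEN_PERMIT = "deny 172.20.1.0 0.0.0.255\npermit any"

if __name__ == "__main__":
    for name, acl in [("ADMIN_ACL", ADMIN_ACL), ("DENY_ONLY", DENY_ONLY),
                      ("DENY_THEN_PERMIT", DENY_THEN_PERMIT)]:
        print(name, audit(acl, ["192.0.2.10"], ["172.20.1.50"]))
```

The DENY_ONLY list reports the management host as denied, which is the lockout case the "permit any" advice prevents.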