CUI

Vulnerability V-215812


CAT II

The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.

Ships Affected: 1
Total Findings: 1
Open: 0
Closed: 1

Check Text

Review the Cisco router configuration to verify that it is compliant with this requirement.

Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below.

  line vty 0 1
   access-class MANAGEMENT_NET in
   transport input ssh

Step 2: Verify that the ACL permits only hosts from the management network to access the router.

  ip access-list extended MANAGEMENT_NET
   permit ip x.x.x.0 0.0.0.255 any
   deny ip any any log-input

If the Cisco router is not configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies, this is a finding.

Fix Text

Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below.

  SW2(config)#ip access-list standard MANAGEMENT_NET
  SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255
  SW2(config-std-nacl)#exit
  SW2(config)#line vty 0 1
  SW2(config-line)#transport input ssh
  SW2(config-line)#access-class MANAGEMENT_NET in
  SW2(config-line)#end
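An automated form of the two check steps above, added here as an example and not part of the STIG or this tracker: it parses a running-config, confirms every vty line has an inbound access-class and SSH-only transport, and verifies that the referenced ACL (standard or extended syntax) permits only the management network. The 10.1.1.0/24 management prefix and the config excerpt are constructed assumptions.

```python
import ipaddress

# Constructed sample (not from a real device): vty 0-1 is compliant, vty 2-4 is not.
SAMPLE_CONFIG = """\
ip access-list standard MANAGEMENT_NET
 permit 10.1.1.0 0.0.0.255
line vty 0 1
 access-class MANAGEMENT_NET in
 transport input ssh
line vty 2 4
 transport input ssh telnet
"""

def parse_blocks(config):
    # Map each top-level IOS section header to its indented child lines.
    blocks, header = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and header:
            blocks[header].append(raw.strip())
        elif raw and not raw.startswith("!"):
            header, blocks[raw.strip()] = raw.strip(), []
    return blocks

def acl_permits_only(acl_lines, mgmt_net):
    # True if every permit entry (standard or extended syntax) lies inside mgmt_net.
    net = ipaddress.ip_network(mgmt_net)
    permits = [l.split() for l in acl_lines if l.startswith("permit")]
    for parts in permits:
        # Extended ACLs name a protocol before the source address; standard ACLs do not.
        src = parts[1:] if parts[1] in ("any", "host") or "." in parts[1] else parts[2:]
        if src[0] == "any":
            return False
        addr = src[1] if src[0] == "host" else src[0]
        mask = src[1] if addr == src[0] and len(src) > 1 and src[1].count(".") == 3 else "32"
        if not ipaddress.ip_network(f"{addr}/{mask}").subnet_of(net):  # wildcard read as hostmask
            return False
    return bool(permits)  # an ACL with no permit entries is also a finding

def check_vty_lines(config, mgmt_net):
    # One finding per defect on each 'line vty' block; an empty list means compliant.
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("ip access-list")}
    vtys = {h: b for h, b in blocks.items() if h.startswith("line vty")}
    findings = []
    for header, body in vtys.items():
        ac = [t[1] for t in (l.split() for l in body) if t[:1] == ["access-class"] and t[2:3] == ["in"]]
        if not ac:
            findings.append(f"{header}: no inbound access-class")
        elif not acl_permits_only(acls.get(ac[0], []), mgmt_net):
            findings.append(f"{header}: ACL {ac[0]} missing or permits non-management sources")
        if [l.split()[2:] for l in body if l.startswith("transport input")] != [["ssh"]]:
            findings.append(f"{header}: transport input is not SSH-only")
    return findings
```

Run against the output of `show running-config`; any non-empty result is the finding described in the check text.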

STIG Reference

STIG: Cisco IOS XE Router NDM Security Technical Implementation Guide
Version: 3
Release: 7
Rule ID: SV-215812r1137875_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship: USNS MONTFORD POINT
Hull #: T-ESD-1
Source File: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Assigned To: Unassigned
Scan Date: 2026-01-14T12:57:25.013310