https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455020#M312798 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Are you doing the ssh from the permitted subnet block ? </P><P></P><P>have you enabled logs in the router to check the syslogs to see what's exactly happening when you try to ssh?</P><P></P><P>regds</P></BODY></HTML> Fri, 02 Jul 2010 10:44:04 GMT spremkumar 2010-07-02T10:44:04Z https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455019#M312797 <P>Dear Community!</P><P></P><P>We have recently installed a C2951 router running 15.0(1) IOS version. However, we have a problem configuring VTY ACL. While trying to login to the router via SSH, the VTY ACL has some matches regarding the SSH client IP address, but the router refuses the SSH connection when the "VTY_ACL" standard named ACL is configured on line vty (marked with red color). If no VTY ACL has assinged to the router line vty, the SSH connection is OK.</P><P></P><P>The current configuration seems to be OK, see below:</P><P></P><P>...</P><P>[There is some AAA configuration, including TACACS+ and finally the local auth at the end of the sequence list.)</P><P>...</P><P>line vty 0 4</P><P><SPAN style="color: #ff0000;">access-class VTY_ACL in</SPAN></P><P> timeout login response 10<BR /> transport preferred none<BR /> transport input ssh<BR /> transport output ssh<BR />!</P><P>ip access-list standard VTY_ACL<BR /> permit [host IP]<BR />permit [subnet range] 0.0.0.255<BR />!</P><P></P><P>Could someone help us to solve this problem? Does anybody have any experience about this issue?</P><P></P><P>Thanks in advance!</P><P></P><P>Best Regards,</P><P></P><P>Belabacsi</P> Mon, 11 Mar 2019 00:13:54 GMT https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455019#M312797 Bela Mareczky 2019-03-11T00:13:54Z https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455020#M312798 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Are you doing the ssh from the permitted subnet block ? </P><P></P><P>have you enabled logs in the router to check the syslogs to see what's exactly happening when you try to ssh?</P><P></P><P>regds</P></BODY></HTML> Fri, 02 Jul 2010 10:44:04 GMT https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455020#M312798 spremkumar 2010-07-02T10:44:04Z https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455021#M312799 <HTML><HEAD></HEAD><BODY><P>Dear spremkumar!</P><P></P><P>Thanks for Your help, sorry for late answer. The problem is still exists: the VTY_ACL permits the source IP address originating SSH connection, and the ACL has permit matches...</P><P></P><P>We have tried to upgrade IOS image to v15-T release, but no luck <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> We have configured another router running IOS v15 also, but it is the same...</P><P></P><P>Do You have any experience about this issue?</P><P></P><P>Thanks and BR</P><P></P><P>Belabacsi</P></BODY></HTML> Fri, 16 Jul 2010 09:52:49 GMT https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455021#M312799 Bela Mareczky 2010-07-16T09:52:49Z https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455022#M312800 <HTML><HEAD></HEAD><BODY><P>Dear spremkumar!</P><P></P><P>Thanks for Your help, resolved <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>The problem was that, in IOS v15 the per-VRF ACL configuration requires the "in vrf-also" parameter.</P><P></P><P>!</P><P>line vty 0 4<BR /> <SPAN style="color: #339966;">access-class VTY_ACL in vrf-also</SPAN><BR /> timeout login response 10<BR /> transport preferred none<BR /> transport input ssh<BR /> transport output ssh<BR />!</P><P></P><P>Regards,</P><P></P><P>Belabacsi</P><P>Budapest, Hungary</P></BODY></HTML> Mon, 16 Aug 2010 06:36:05 GMT https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455022#M312800 Bela Mareczky 2010-08-16T06:36:05Z https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455023#M312801 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you see is the correct behavior. This was a problem in earlier versions of IOS (allowing ssh even without the "vrf-also" option) that we had corrected in 15.0(1)M and later, please see:</P><P></P><P><A href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv86113">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv86113</A></P><P></P><P>Thanks,</P><P>Wen</P><P><SPAN><BR /></SPAN></P></BODY></HTML> Mon, 16 Aug 2010 16:43:27 GMT https://community.cisco.com/t5/network-access-control/ios-15-and-vty-acl-problem/m-p/1455023#M312801 wzhang 2010-08-16T16:43:27Z