3625 Views, 1 Helpful, 20 Replies

ssh/telnet with acl

knanyhy011
Level 1

Hello friends, I have made an ACL to restrict VLANs 102 and 103 from using Telnet and SSH and to permit VLAN 100. I have done this, but the problem is with VLAN 100: I can use Telnet and SSH to routers BR1 and BR2, but not to the HQ router, and a ping to HQ is unreachable. What is the problem?

BR1#sh ru
Building configuration...

Current configuration : 2429 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR1
!
!
!
enable secret 5 xxx
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username cisco secret 5 xxx
!
!
!
!
!
!
!
!
ip domain-name ccna.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 ip ospf 20 area 0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100 native
 ip address 192.168.100.1 255.255.255.240
 ip ospf 20 area 0
!
interface GigabitEthernet0/0/0.102
 encapsulation dot1Q 102
 ip address 192.168.100.65 255.255.255.224
 ip helper-address 192.168.100.6
 ip ospf 20 area 0
 ip access-group 100 in
!
interface GigabitEthernet0/0/0.103
 encapsulation dot1Q 103
 ip address 192.168.100.33 255.255.255.240
 ip helper-address 192.168.100.6
 ip ospf 20 area 0
 ip access-group 100 in
!
interface GigabitEthernet0/0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 10.10.10.2 255.255.255.252
 ip ospf 20 area 0
 clock rate 2000000
!
interface Serial0/1/1
 ip address 10.10.10.6 255.255.255.252
 ip ospf 20 area 0
 ip access-group 110 out
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 mac-address 00d0.ba41.0d01
 no ip address
!
router ospf 20
 log-adjacency-changes
 default-information originate
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 deny tcp any host 10.10.10.5 eq 22
access-list 100 deny tcp any host 10.10.10.5 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 192.168.100.1 eq 22
access-list 100 deny tcp any host 192.168.100.1 eq telnet
access-list 100 deny icmp any 192.168.100.0 0.0.0.15
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 110 permit tcp any host 100.1.1.3 eq www
access-list 110 permit tcp any host 100.1.1.3 eq 443
access-list 110 permit tcp any host 100.1.1.2 eq smtp
access-list 110 permit tcp any host 100.1.1.2 eq pop3
access-list 110 deny tcp any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0
 no login
 transport input none
line vty 1 4
 password cisco
 login
 transport input none
line vty 5 15
 password cisco
 login
!
!
!
end

Accepted Solution

Thank you for the configuration of BR1. I believe that I see the problem. Traffic to HQ goes out interface S0/1/1. That interface has an ACL applied: ip access-group 110 out. What does this ACL do?

access-list 110 permit tcp any host 100.1.1.3 eq www
access-list 110 permit tcp any host 100.1.1.3 eq 443
access-list 110 permit tcp any host 100.1.1.2 eq smtp
access-list 110 permit tcp any host 100.1.1.2 eq pop3
access-list 110 deny tcp any any

All of its permits and denies are specific to TCP. Remembering that in an ACL there is an implicit deny any at the end, we see that any ICMP traffic going to HQ will be denied. That is why your ping and tracert are failing.

HTH

Rick


20 Replies

balaji.bandi
Hall of Fame

"...but the problem is with vlan100 I can use telnet & ssh with router br1 & br2 but hq router I could not the ping with hq unreachable what is the problem?"

We do not understand what the HQ IP address is here. From what source are you trying to reach HQ, and where is the HQ device configuration?

You have an ACL here which denies ICMP inbound: access-list 100 deny icmp any 192.168.100.0 0.0.0.15

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

knanyhy011
Level 1

Sorry dear, I have a project of 3 routers, HQ, BR1 and BR2. In BR1 there are 3 VLANs:

vlan100 = 192.168.100.0/28 in router BR1

vlan102 = 192.168.100.64/27 in router BR1

vlan103 = 192.168.100.32/28 in router BR1

With the ACL for SSH/Telnet I just permit vlan100 = 192.168.100.0/28 and deny the others. From VLAN 100 I can log in to BR1 and BR2 but not HQ.

The IP for the HQ router is 10.10.10.5, which I cannot reach.

The IP for BR1 is 192.168.100.1, which I can reach.

The IP for BR2 is 10.10.10.1, which I can reach.

"You have ACL here - which deny for IN access-list 100 deny icmp any 192.168.100.0 0.0.0.15"

Yes, here I denied ICMP on VLANs 102 and 103 in router BR1, but not on the others, BR2 and HQ.

"from what source are you using to reach HQ" = VLAN 100 IPs 192.168.100.5 and 192.168.100.6

"where is HQ device configuration here ?"

HQ#sh running-config
Building configuration...

Current configuration : 2214 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname HQ
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username cisco secret 5 $1$mERr$3HhIgMGBA/9qNmgzccuxv0
username class secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip domain-name ccna3.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 209.1.1.2 255.255.255.252
 ip access-group 100 in
 ip access-group 100 out
 ip nat outside
 clock rate 2000000
!
interface Serial0/1/1
 ip address 10.10.10.5 255.255.255.252
 ip nat inside
 clock rate 2000000
!
interface Serial0/2/0
 ip address 10.10.10.9 255.255.255.252
 ip nat inside
 clock rate 2000000
!
interface Serial0/2/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 10
 log-adjacency-changes
 network 10.10.10.4 0.0.0.3 area 0
 network 10.10.10.8 0.0.0.3 area 0
 network 209.1.1.0 0.0.0.3 area 0
 default-information originate
!
ip nat pool nat-pool 60.60.60.3 60.60.60.8 netmask 255.255.255.240
ip nat inside source list 1 pool nat-pool overload
ip nat inside source static 192.168.100.6 60.60.60.1
ip nat inside source static 192.168.100.5 60.60.60.2
ip classless
ip route 0.0.0.0 0.0.0.0 209.1.1.1
!
ip flow-export version 9
!
!
access-list 100 permit tcp any 192.168.100.0 0.0.0.15 established
access-list 100 permit tcp any 192.168.100.64 0.0.0.31 established
access-list 100 permit tcp any 192.168.100.32 0.0.0.15 established
access-list 100 permit tcp any 192.168.100.128 0.0.0.63 established
access-list 100 permit tcp any any
access-list 1 permit 192.168.100.0 0.0.0.15
access-list 1 permit 192.168.100.64 0.0.0.31
access-list 1 permit 192.168.100.32 0.0.0.15
access-list 1 permit 192.168.100.128 0.0.0.63
access-list 1 deny any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login local
line vty 5 15
 no login
!
!
!
end

"where is BR1 device configuration here ?" I did configure the ACL in BR1 because the VLANs are in it.

BR1#sh running-config
Building configuration...

Current configuration : 2650 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR1
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username cisco secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip domain-name ccna.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100 native
 ip address 192.168.100.1 255.255.255.240
!
interface GigabitEthernet0/0/0.102
 encapsulation dot1Q 102
 ip address 192.168.100.65 255.255.255.224
 ip helper-address 192.168.100.6
!
interface GigabitEthernet0/0/0.103
 encapsulation dot1Q 103
 ip address 192.168.100.33 255.255.255.240
 ip helper-address 192.168.100.6
!
interface GigabitEthernet0/0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 10.10.10.2 255.255.255.252
 clock rate 2000000
!
interface Serial0/1/1
 ip address 10.10.10.6 255.255.255.252
 ip access-group 110 out
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 mac-address 00d0.ba41.0d01
 no ip address
!
router ospf 10
 log-adjacency-changes
 network 192.168.100.0 0.0.0.15 area 0
 network 192.168.100.64 0.0.0.31 area 0
 network 192.168.100.32 0.0.0.15 area 0
 network 10.10.10.4 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.3 area 0
 default-information originate
!
ip classless
!
ip flow-export version 9
!
!
access-list 100 deny tcp any host 10.10.10.5 eq 22
access-list 100 deny tcp any host 10.10.10.5 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 192.168.100.1 eq 22
access-list 100 deny tcp any host 192.168.100.1 eq telnet
access-list 100 deny icmp any 192.168.100.0 0.0.0.15
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 110 permit tcp any host 100.1.1.3 eq www
access-list 110 permit tcp any host 100.1.1.3 eq 443
access-list 110 permit tcp any host 100.1.1.2 eq smtp
access-list 110 permit tcp any host 100.1.1.2 eq pop3
access-list 110 deny tcp any any
ip access-list extended ssh/tel
 permit tcp 192.168.100.0 0.0.0.15 any eq 22
 permit tcp 192.168.100.0 0.0.0.15 any eq telnet
 deny tcp any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0
 access-class ssh/tel in
 no login
 transport input none
line vty 1 4
 access-class ssh/tel in
 password cisco
 login
 transport input none
line vty 5 15
 password cisco
 login
!
!
!
end

BR1#

- BR2 has another range and configuration. Here you are:

BR2#sh running-config
Building configuration...

Current configuration : 2233 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname BR2
!
!
!
!
ip dhcp excluded-address 192.168.100.129 192.168.100.135
!
ip dhcp pool LAN-POOL
 network 192.168.100.128 255.255.255.192
 default-router 192.168.100.129
!
!
!
no ip cef
no ipv6 cef
!
!
!
username cisco secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
ip domain-name ccna.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 192.168.100.129 255.255.255.192
 ip access-group 101 in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/1/0
 ip address 10.10.10.10 255.255.255.252
!
interface Serial0/1/1
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 10
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 10.10.10.8 0.0.0.3 area 0
 network 192.168.100.128 0.0.0.63 area 0
 default-information originate
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit tcp 192.168.100.128 0.0.0.63 host 192.168.100.5 eq ftp
access-list 101 permit ip 192.168.100.128 0.0.0.63 192.168.100.64 0.0.0.31
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 10.10.10.9 eq 22
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 10.10.10.9 eq telnet
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 10.10.10.2 eq 22
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 10.10.10.2 eq telnet
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 192.168.100.129 eq 22
access-list 101 deny tcp 192.168.100.128 0.0.0.63 host 192.168.100.129 eq telnet
access-list 101 permit tcp any host 100.1.1.3 eq www
access-list 101 permit tcp any host 100.1.1.3 eq 443
access-list 101 permit tcp any host 100.1.1.2 eq smtp
access-list 101 permit tcp any host 100.1.1.2 eq pop3
access-list 101 deny tcp any any
access-list 101 deny ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0
 no login
 transport input none
line vty 1 4
 password cisco
 login
 transport input none
line vty 5 15
 password cisco
 login
!
!
!
end

BR2#

knanyhy011
Level 1

Screenshot 2023-12-25 165751.png

"You want 100, 102 to access SSH but the direction of the ACL is IN?"

MHM

No, I want VLAN 100 to access SSH and Telnet on the HQ router, BR1 and BR2.

BR1 and BR2 I can reach, but not HQ.

First check your routing table: from VLAN 100, are you able to ping the HQ router 10.10.10.5?

For Telnet and SSH only from the VLAN 100 IP range, use the config below:

ip access-list extended SSH-TELNET-ACCESS
permit tcp 192.168.100.0 0.0.0.15 any eq 22
permit tcp 192.168.100.0 0.0.0.15 any eq telnet
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
!
line vty 0 15
access-class SSH-TELNET-ACCESS in

BB

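Both the accepted answer (ACL 110 outbound on S0/1/1 contains only TCP entries, so ICMP falls through to the implicit deny) and the vty access-class suggested just above come down to the same rule: a Cisco ACL is evaluated top-down, the first matching entry wins, and anything that matches nothing is dropped. The evaluator below is an added example, not code from this thread or from Cisco. It parses the subset of extended-ACL syntax used in the thread and replays the thread's own lists against sample packets. The VLAN 102 source address 192.168.100.70 and the variant of ACL 110 with `permit icmp any any` inserted ahead of the deny are assumptions made for the demonstration.

```python
"""Evaluate Cisco-style extended ACLs the way IOS does: first match wins,
and a packet that matches nothing hits the implicit 'deny any' at the end.

Added example for this thread, not the thread's or Cisco's code. It parses
only the syntax used here: protocols tcp/udp/icmp/ip, addresses written as
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD', and an optional 'eq PORT' on
the destination. Trailing keywords such as 'established' or 'log' are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Tuple[int, int]       # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int]       # None = any destination port
    text: str                  # original line, kept for explanations


def _parse_addr(tokens, i):
    """Consume 'any' | 'host X' | 'X WILDCARD' at tokens[i]; return ((addr, wc), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _addr_match(rule, ip):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    addr, wc = rule
    care = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_acl(text):
    """Parse numbered ('access-list N ...') or named ('permit ...') entries in order."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip"):   # comment, or the 'ip access-list extended NAME' header
            continue
        if tokens[0] == "access-list":                # numbered form: drop 'access-list N'
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        entries.append(Entry(action, proto, src, dst, dport, raw.strip()))
    return entries


def evaluate(entries, pkt):
    """Return (action, matching entry); the entry is None when the implicit deny applied."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e
    return "deny", None   # implicit deny at the end of every Cisco ACL


# ACL 110 as posted in the BR1 config above (applied 'out' on Serial0/1/1 toward HQ)
ACL_110 = """
access-list 110 permit tcp any host 100.1.1.3 eq www
access-list 110 permit tcp any host 100.1.1.3 eq 443
access-list 110 permit tcp any host 100.1.1.2 eq smtp
access-list 110 permit tcp any host 100.1.1.2 eq pop3
access-list 110 deny tcp any any
"""

# Assumed variant (not from the thread): ICMP permitted ahead of the final deny
ACL_110_WITH_ICMP = ACL_110.replace(
    "access-list 110 deny tcp any any",
    "access-list 110 permit icmp any any\naccess-list 110 deny tcp any any")

# The vty access-class suggested in the reply above
SSH_TELNET_ACCESS = """
ip access-list extended SSH-TELNET-ACCESS
permit tcp 192.168.100.0 0.0.0.15 any eq 22
permit tcp 192.168.100.0 0.0.0.15 any eq telnet
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
"""


def decide(acl_text, pkt):
    """'permit' or 'deny' for one packet against one ACL."""
    return evaluate(parse_acl(acl_text), pkt)[0]


def demo():
    """Replay the thread's traffic. 192.168.100.70 is an assumed VLAN 102 host."""
    hq, vlan100, vlan102 = "10.10.10.5", "192.168.100.5", "192.168.100.70"
    return {
        "ping_to_hq": decide(ACL_110, Packet("icmp", vlan100, hq)),
        "https_to_internet": decide(ACL_110, Packet("tcp", vlan100, "100.1.1.3", 443)),
        "ssh_to_hq": decide(ACL_110, Packet("tcp", vlan100, hq, 22)),
        "ping_to_hq_with_icmp_permit": decide(ACL_110_WITH_ICMP, Packet("icmp", vlan100, hq)),
        "vty_ssh_from_vlan100": decide(SSH_TELNET_ACCESS, Packet("tcp", vlan100, "192.168.100.1", 22)),
        "vty_ssh_from_vlan102": decide(SSH_TELNET_ACCESS, Packet("tcp", vlan102, "192.168.100.1", 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
    _, hit = evaluate(parse_acl(ACL_110), Packet("icmp", "192.168.100.5", "10.10.10.5"))
    print("ping matched entry:", hit.text if hit else "none -> implicit deny")
```

The replay reports the ICMP packet matching no entry at all, which is exactly the implicit deny the accepted answer describes. It also shows that tcp/22 to 10.10.10.5 is caught by the explicit `deny tcp any any`, so the same outbound list accounts for SSH and Telnet to HQ failing from VLAN 100, not only the ping; and the access-class behaves as intended, permitting SSH from 192.168.100.5 and denying it from the VLAN 102 address.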

knanyhy011
Level 1

"First check your Routing table, From VLAN 100 you able to PING HQ Router 10.10.10.5"

No, I am not able to ping the HQ router 10.10.10.5 from VLAN 100, and I have no idea what the problem is.

Looks like you have a routing issue here; somehow your VLAN 100 IP address does not know how to reach 10.10.10.5.

Next steps:

1. First remove any ACL added to the interfaces.

2. Make sure the BR1 router is able to establish OSPF peering with BR2 and HQ.

3. Try reachability from BR1 to HQ and HQ to BR1 (by pinging 192.168.100.1 and 10.10.10.5).

show ip route (shows you what routes are being learned)

show ip ospf neigh (tells you who the peers are)

 

BB


Screenshot 2023-12-30 220519.png

I did exactly what you said: I removed any ACL added to the interfaces.

I tried reachability from BR1 to HQ and HQ to BR1 (by pinging 192.168.100.1 and 10.10.10.5) and both were successful.

You can see the result in the image.

"show ip route (give you what routes learning)"

"show ip ospf neigh tell you what are the peers"

knanyhy011
Level 1

I ping from VLAN 100 to 10.10.10.5, but it is still unreachable.

"i tried reachability from BR1 to HQ and HQ to BR1 (by pinging 192.168.100.1 and 10.10.10.5) and were successful"

This looks nice; the output does not show the outcome of this, but I take it as a success.

"I ping from vlan 100 to 10.10.10.5 but still unreachable"

How are you pinging: using a source address, or from a device connected in that VLAN?

traceroute is your friend; it will tell you where the traffic is dropping (if there is no ACL in the path):

traceroute 10.10.10.5

BB


knanyhy011
Level 1

I am pinging from a device connected in that VLAN.

I used traceroute 10.10.10.5; the result is this:

BR1>en
Password:
BR1#traceroute 10.10.10.5
Type escape sequence to abort.
Tracing the route to 10.10.10.5
1 10.10.10.5 11 msec 2 msec 0 msec

I used tracert from the PC to 10.10.10.5; the result is this:

C:\>tracert 10.10.10.5

Tracing route to 10.10.10.5 over a maximum of 30 hops:

1 0 ms 0 ms 0 ms 192.168.100.1
2 0 ms 0 ms 0 ms 192.168.100.1
3 0 ms 0 ms 0 ms 192.168.100.1
4 0 ms 0 ms 0 ms 192.168.100.1
5 0 ms 0 ms 0 ms 192.168.100.1
6 0 ms 0 ms 0 ms 192.168.100.1
7 0 ms 0 ms 1 ms 192.168.100.1
8 0 ms 0 ms 0 ms 192.168.100.1
9 5 ms 0 ms 0 ms 192.168.100.1
10 0 ms 0 ms 0 ms 192.168.100.1
11 0 ms 0 ms 0 ms 192.168.100.1
12 0 ms 0 ms 0 ms 192.168.100.1
13 0 ms 0 ms 0 ms 192.168.100.1
14 0 ms 0 ms 0 ms 192.168.100.1
15 0 ms 0 ms 0 ms 192.168.100.1
16 0 ms 0 ms 1 ms 192.168.100.1
17 0 ms 0 ms 1 ms 192.168.100.1
18 0 ms 0 ms 0 ms 192.168.100.1
19 0 ms 0 ms 1 ms 192.168.100.1
20 0 ms 0 ms 1 ms 192.168.100.1
21 0 ms 0 ms 0 ms 192.168.100.1
22 0 ms 0 ms 0 ms 192.168.100.1
23 0 ms 0 ms 0 ms 192.168.100.1
24 0 ms 0 ms 0 ms 192.168.100.1
25 0 ms 0 ms 0 ms 192.168.100.1
26 0 ms 0 ms 0 ms 192.168.100.1
27 0 ms 0 ms 0 ms 192.168.100.1
28 0 ms 0 ms 0 ms 192.168.100.1
29 0 ms 0 ms 0 ms 192.168.100.1
30 0 ms 0 ms 0 ms 192.168.100.1

Trace complete.

It could not get out of BR1.
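The point made earlier in the thread, that traceroute shows where traffic stops, is easy to turn into a check. The block below is an added example, not code from the thread: it parses both output formats posted above (IOS `traceroute` and Windows `tracert`), treats unanswered probes as unknown hops, and reports whether the target was reached or, if not, which address answered last and for how many probes in a row. The IOS trace and the first five PC hops are copied from the post above; the third sample, with a timed-out hop in the middle, is constructed.

```python
"""Report where a traceroute stopped.

Added example, not from the thread. Handles IOS 'traceroute' hop lines
('1 10.10.10.5 11 msec 2 msec 0 msec'), Windows 'tracert' hop lines
('1 0 ms 0 ms 0 ms 192.168.100.1') and unanswered probes
('2 * * * Request timed out.').
"""
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IOS_HOP = re.compile(r"^\s*(\d+)\s+" + IPV4 + r"\s+")
WIN_HOP = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}" + IPV4 + r"\s*$")
TIMEOUT = re.compile(r"^\s*(\d+)\s+\*\s+\*\s+\*")


def parse_trace(text):
    """Return [(hop_number, address_or_None)]; None means no reply for that TTL."""
    hops = []
    for line in text.splitlines():
        m = IOS_HOP.match(line) or WIN_HOP.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
            continue
        t = TIMEOUT.match(line)
        if t:
            hops.append((int(t.group(1)), None))
    return hops


def analyze(text, target):
    """Classify a trace toward target as reached, stalled or no-response."""
    hops = parse_trace(text)
    reached = [n for n, a in hops if a == target]
    if reached:
        return {"status": "reached", "hops": reached[0], "last_responder": target, "run": 1}
    answered = [a for _, a in hops if a is not None]
    if not answered:
        return {"status": "no-response", "hops": len(hops), "last_responder": None, "run": 0}
    last = answered[-1]
    # Count how many trailing replies came from the same address. A long run
    # from one router (30 x 192.168.100.1 in the PC tracert above) means the
    # probes never got past it, whatever their TTL.
    run = 0
    for a in reversed(answered):
        if a != last:
            break
        run += 1
    return {"status": "stalled", "hops": len(hops), "last_responder": last, "run": run}


# Copied from the BR1 traceroute posted above
IOS_TRACE = """Type escape sequence to abort.
Tracing the route to 10.10.10.5
1 10.10.10.5 11 msec 2 msec 0 msec
"""

# First five of the thirty hops from the PC tracert posted above
PC_TRACERT = """Tracing route to 10.10.10.5 over a maximum of 30 hops:

1 0 ms 0 ms 0 ms 192.168.100.1
2 0 ms 0 ms 0 ms 192.168.100.1
3 0 ms 0 ms 0 ms 192.168.100.1
4 0 ms 0 ms 0 ms 192.168.100.1
5 0 ms 0 ms 0 ms 192.168.100.1
"""

# Constructed sample (not from the thread): a silent hop in the middle, then success
CONSTRUCTED_TRACERT = """Tracing route to 10.10.10.5 over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     *        *        *     Request timed out.
  3     1 ms     1 ms     1 ms  10.10.10.5

Trace complete.
"""

if __name__ == "__main__":
    for label, sample in (("BR1 traceroute", IOS_TRACE),
                          ("PC tracert", PC_TRACERT),
                          ("constructed tracert", CONSTRUCTED_TRACERT)):
        print(f"{label:20s} {analyze(sample, '10.10.10.5')}")
```

Run against the two outputs from the post, the router's own trace comes back "reached" in one hop, while the PC's trace is "stalled" with 192.168.100.1 answering every probe; that contrast is the signal that the difference lies in how BR1 treats traffic sourced from the VLAN rather than in the path between the routers.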

A couple of things need to be clarified here:

1. The SW is Layer 2, right? There is no Layer 3 interface configured.

When the PC tries to traceroute 10.10.10.5, it is not going beyond 192.168.100.1 (I expect this interface is configured on the BR1 router).

I just tested a simple lab (like yours); all the configuration of the devices is attached, so verify the settings and routing tables.

balajibandi_0-1703976367872.png

 

BB


Would you post the current config from BR1?

HTH

Rick