Network error using ACL in VTY connection

grzegorzkuras
Level 1

Hello, I have a C3650 switch. I've configured SSH, an RSA key and line VTY. AAA new model is already done.

Before I put the ACL on the VTY line I could reach my switch via SSH, but when I put the ACL on I get a network error.

I have created:

group object MGMT_GROUP

range x.x.x.x x.x.x.x - IP addresses of management IP

next

I created the ACL:

ip access-list extended MGMT
 permit tcp object-group MGMT_GROUP any eq 22 log-input
 deny tcp any any range 0 65535 log-input
 deny ip any any log-input

In VTY 0 4

 access-class MGMT in

And my access via SSH is not working... when I put "no access-class MGMT" I can connect to my switch via SSH.

Please, any suggestions?

5 Replies

Pawan Raut
Level 4

I have seen examples where extended ACLs don't work as expected on line vty. I would suggest having a standard access list and just allowing SSH.

access-list 11 permit x.x.x.x x.x.x.x
!
line vty 0 4
 transport input ssh
 access-class 11 in
!

Please rate for useful post

I've tried a standard access list, such as a group object mapped to a named ACL, and it doesn't work.

Object-group isn't supported in standard ACLs; you can add a host or network subnet in a standard ACL to filter VTY access. Try the following config example.

 

ip access-list standard VTY_ALLOW
 permit 10.1.1.1
 permit 10.2.1.0 0.0.0.127

line vty 0 15
 transport input ssh
 access-class VTY_ALLOW in


-Muhammad Zahid

Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
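An added example, not part of the thread and not Cisco code: a small offline check over saved IOS-style config text for the VTY settings discussed above (access-class names that are never defined, object-group inside a standard ACL, vty lines left without an ACL, non-SSH transport). The names `audit` and `SAMPLE` and the default of 16 vty lines are assumptions.

```python
import re

# Constructed sample (not from the thread): vty 5-15 references an undefined ACL name.
SAMPLE = """\
ip access-list standard VTY_ALLOW
 permit object-group MGMT_GROUP
line vty 0 4
 transport input ssh
 access-class VTY_ALLOW in
line vty 5 15
 transport input telnet ssh
 access-class VTY_ACL in
"""

def audit(config, max_vty=15):  # max_vty is an assumption; confirm the real count on the device
    acls, vtys, findings = {}, [], []
    acl = vty = None
    for line in config.splitlines():
        if m := re.match(r"ip access-list (standard|extended) (\S+)", line):
            acl, vty = m.group(2), None
            acls[acl] = m.group(1)
        elif m := re.match(r"access-list (\d+) ", line):   # numbered ACL, e.g. access-list 11
            n, acl, vty = int(m.group(1)), None, None
            acls[m.group(1)] = "standard" if n < 100 or 1300 <= n <= 1999 else "extended"
        elif m := re.match(r"line vty (\d+)(?: (\d+))?", line):
            lo = int(m.group(1))
            vty, acl = {"lo": lo, "hi": int(m.group(2) or lo), "acl": None, "transport": []}, None
            vtys.append(vty)
        elif not line.startswith(" "):
            acl = vty = None                      # any other top-level command ends the block
        elif acl and acls[acl] == "standard" and "object-group" in line:
            findings.append(f"{acl}: object-group used in a standard ACL")
        elif vty and (m := re.match(r" access-class (\S+) in", line)):
            vty["acl"] = m.group(1)
        elif vty and line.startswith(" transport input "):
            vty["transport"] = line.split()[2:]
    covered = set()
    for v in vtys:
        name = f"vty {v['lo']}-{v['hi']}"
        if v["acl"] is None:
            findings.append(f"{name}: no inbound access-class")
        elif v["acl"] not in acls:
            findings.append(f"{name}: access-class {v['acl']} is not defined in this config")
        else:
            covered.update(range(v["lo"], v["hi"] + 1))
        if v["transport"] != ["ssh"]:
            findings.append(f"{name}: transport input is not ssh-only")
    missing = sorted(set(range(max_vty + 1)) - covered)
    if missing:
        findings.append(f"{len(missing)} vty lines lack a defined inbound ACL, first is vty {missing[0]}")
    return findings
```

Calling `audit(SAMPLE)` returns four findings; pass `max_vty` to match the number of vty lines the platform actually has.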

I have tried a standard ACL and it doesn't work..... moreover my config works in Packet Tracer ...

What's the issue you are facing? Is it blocking legitimate connections or not blocking any SSH request at all?
Verify whether any traffic is hitting your ACL: "show access-list VTY_ACL"