10-18-2024 01:43 PM
I was on our ISR4551-X and I noticed the ACL we use for securing the VTY lines wasn't being applied on "line vty 0 4"...
#sho ver | inc IOS
Cisco IOS XE Software, Version 16.12.07
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.7, RELEASE SOFTWARE (fc2)
So I added the command "access-class SSH_In in" to "line vty 0 4", then I tried SSH'ing to the box from a separate terminal window and I just get back "Connection refused". And nothing shows up in the log saying it blocked it, which is also strange...
"ssh: connect to host 192.168.x.yy port 22: Connection refused"
Access list is very simple. Allows private IPs and nothing else.
!
ip access-list standard SSH_In
50 permit 172.16.0.0 0.15.255.255 log
60 permit 10.0.0.0 0.255.255.255 log
80 permit 192.168.0.0 0.0.255.255 log
90 deny any log
!
!
!
line vty 0 4
access-class SSH_In in
privilege level 15
transport input ssh
!
I am currently logged in with a 10.60.115.100 address. If I try to run a new terminal and ssh to the ISR, I get "Connection refused". When this happens I assume I would see something getting logged saying it refused my connection. But nothing is getting added to the log for the failed ssh attempt... Does that mean something else is going on and the deny statement in the ACL isn't getting hit, because I do have the "log" option on there?
I have used a similar ACL on most switches and haven't seen this happen (minus the 172 line, as we've only recently started using that for some things, like VPN). But I also tried simplifying the ACL to only include "permit 10.0.0.0 0.255.255.255 log" and it still gets Connection Refused. If I remove the ACL from the vty, no issue.
#who
Line User Host(s) Idle Location
*866 vty 0 netAdmin idle 00:00:00 10.60.115.100
Interface User Mode Idle Peer Address
Thanks in Advance,
Matt
10-18-2024 01:59 PM
If you enable logging console, do you still not see logs?
And if you run
show ip access-list SSH_In
is no hit count shown?
10-18-2024 02:20 PM
You would need to apply the access list to all the VTY lines, not only from 0 to 4 as your new connection might be using a higher VTY line than 4 as what happened in the output you shared.
10-18-2024 02:41 PM
Just to be sure, are you by any chance using VRFs on your ISR4551-X? (Or is the mgmt interface you're SSH-ing into in the "mgmt-vrf" or similar?)
And if so, you might need the "vrf-also" keyword at the end of the access-class statement.
10-18-2024 02:58 PM - edited 10-18-2024 02:59 PM
Yes, the VTY lines 5 15 already had the ACL applied. But it wasn't until I applied it to 0 4 that the issue started.
Jonatan, yes... Looks like the management interface we're using has "vrf forwarding Mgmt-intf" configured on it.
While writing this I added vrf-also to the end of the access-class statement. And now it's working!
Thank you all for the replies!
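As an added example (not part of this thread and not Cisco code), the following script audits an IOS-XE running-config for the two pitfalls raised above: an inbound access-class on a VTY range that lacks "vrf-also" while some interface is placed in a VRF (the case in this thread, where the management interface is in "Mgmt-intf"), and VTY lines left without any inbound access-class. The config text, interface name and VRF name are constructed for the example; the checks only recognise the "vrf forwarding" and "access-class ... in [vrf-also]" syntax shown in the thread.

```python
"""Audit an IOS-XE running-config for VTY access-class pitfalls.

Added example; not from the original thread or from Cisco. It parses a
constructed running-config snippet and reports:
  1. VTY ranges whose inbound access-class lacks 'vrf-also' while an
     interface is in a VRF (SSH arriving via that interface is refused), and
  2. VTY lines with no inbound access-class at all.
"""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
INTF_RE = re.compile(r"^interface (\S+)$")
VRF_RE = re.compile(r"^ (?:ip )?vrf forwarding (\S+)$")
ACCESS_CLASS_RE = re.compile(r"^ access-class (\S+) in(?: (vrf-also))?$")

# Constructed sample: management interface in a VRF, vty 0 4 without vrf-also.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.10.5 255.255.255.0
!
ip access-list standard SSH_In
 50 permit 172.16.0.0 0.15.255.255 log
 60 permit 10.0.0.0 0.255.255.255 log
 80 permit 192.168.0.0 0.0.255.255 log
 90 deny   any log
!
line vty 0 4
 access-class SSH_In in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class SSH_In in vrf-also
 transport input ssh
"""

# Same config with vrf-also added to the vty 0 4 statement (the thread's fix).
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-class SSH_In in\n",
                                     "access-class SSH_In in vrf-also\n")


def parse_config(text):
    """Return (vrf_interfaces, vty_blocks).

    vrf_interfaces: {interface_name: vrf_name}
    vty_blocks: list of {"first", "last", "acl", "vrf_also"} in config order
    """
    vrf_interfaces, vty_blocks = {}, []
    current_intf = current_vty = None
    for line in text.splitlines():
        if not line.startswith(" "):           # top-level line: new section
            current_intf = current_vty = None
            m = INTF_RE.match(line)
            if m:
                current_intf = m.group(1)
                continue
            m = VTY_RE.match(line)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current_vty = {"first": first, "last": last,
                               "acl": None, "vrf_also": False}
                vty_blocks.append(current_vty)
            continue
        if current_intf is not None:
            m = VRF_RE.match(line)
            if m:
                vrf_interfaces[current_intf] = m.group(1)
        elif current_vty is not None:
            m = ACCESS_CLASS_RE.match(line)
            if m:
                current_vty["acl"] = m.group(1)
                current_vty["vrf_also"] = m.group(2) is not None
    return vrf_interfaces, vty_blocks


def audit_vty(text, max_vty=15):
    """Return a list of finding strings for vty lines 0..max_vty."""
    vrf_interfaces, vty_blocks = parse_config(text)
    findings, covered = [], set()
    vrf_desc = ", ".join(f"{i} ({v})" for i, v in sorted(vrf_interfaces.items()))
    for b in vty_blocks:
        if b["acl"] is None:
            continue                            # reported as uncovered below
        covered.update(range(b["first"], b["last"] + 1))
        if vrf_interfaces and not b["vrf_also"]:
            findings.append(f"vty {b['first']} {b['last']}: access-class "
                            f"{b['acl']} missing vrf-also "
                            f"(VRF interfaces: {vrf_desc})")
    missing = [str(n) for n in range(max_vty + 1) if n not in covered]
    if missing:
        findings.append("no inbound access-class on vty lines: "
                        + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_vty(cfg) or ["no findings"])
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file contents; the first finding on the sample reproduces the situation in this thread (access-class applied to vty 0 4 without vrf-also while the management interface is in a VRF), and the "fixed" variant produces no findings.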