09-08-2009 07:48 AM - edited 03-11-2019 09:13 AM
I am having a problem with an ACL blocking SSH from the outside interface. I do not want users to SSH to my router from the outside at all. Here is my ACL and the way it is applied to the interface that faces the internet.
ip access-list extended OUTSIDE_IN
permit udp any any eq isakmp
permit esp any any
permit gre any any
deny ip any any log
interface FastEthernet0/0
description *****WAN_CONNECTION*****
ip address x.x.x.x 255.255.255.x
ip access-group OUTSIDE_IN in
ip nat outside
ip inspect FW_OUT out
ip virtual-reassembly
duplex auto
speed auto
I have an explicit deny all and it still allows SSH sessions from the outside. This seems to be so simple, and I have done this on a test router and it works, just not on my production router. Any ideas?
Attached is the entire config.
09-08-2009 08:47 AM
If you do not want anyone to ssh to the router then you can remove this line
line vty 0 4
transport input ssh -----> remove
transport output ssh
Or you can do an acl like this one below
conf t
access-list 10 permit 10.10.10.0 0.0.0.255
line vty 0 4
access-class 10 in
This will only allow ip addresses in the 10.10.10.0/24 subnet to be able to ssh to the router.
09-08-2009 10:51 AM
If you remove transport input ssh, no one can SSH into the router. The second option is correct. Create an ACL that allows the IPs that you want to be able to connect to the router.
access-list 50 permit 192.168.1.55
Then apply the ACL to the VTY lines.
line vty 0 4
access-class 50 in
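The two replies above make the same point: an interface ACL is not the right control for management access, the VTY lines need their own access-class. The following is an added audit script, not code from this thread or from Cisco, that parses a saved IOS config and flags VTY blocks that accept remote sessions without an inbound access-class, or whose access-class names an ACL that is never defined. The sample config is constructed to mirror the poster's situation, and the parser assumes the usual IOS layout of one-space-indented child lines under a parent line.

```python
import re
from typing import Dict, List, Set

# Constructed sample (not the poster's attached config): the VTY lines accept
# SSH but carry no access-class, so only the interface ACL gates management access.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE_IN
 permit udp any any eq isakmp
 deny ip any any log
!
access-list 50 permit 192.168.1.55
!
line vty 0 4
 transport input ssh
 transport output ssh
!
"""

def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented child lines under their top-level parent line."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
    return sections

def defined_acls(config: str) -> Set[str]:
    """Numbers/names of every ACL declared in the config (numbered or named)."""
    pat = re.compile(r"^(?:ip )?access-list (?:(?:extended|standard) )?(\S+)")
    return {m.group(1) for m in map(pat.match, config.splitlines()) if m}

def audit_vty(config: str) -> List[str]:
    """Report VTY blocks that accept sessions without an inbound access-class,
    or whose access-class names an ACL that is not defined anywhere."""
    findings: List[str] = []
    acls = defined_acls(config)
    for header, body in parse_sections(config).items():
        if not header.startswith("line vty"):
            continue
        inputs = [l.split()[2:] for l in body if l.startswith("transport input")]
        # Assumption: a block with no 'transport input' line is treated as open.
        accepts = not inputs or any(words != ["none"] for words in inputs)
        classes = [l.split()[1] for l in body if re.match(r"access-class \S+ in$", l)]
        if accepts and not classes:
            findings.append(f"{header}: accepts remote sessions with no 'access-class ... in'")
        for acl in classes:
            if acl not in acls:
                findings.append(f"{header}: access-class {acl} references an undefined ACL")
    return findings
```

Run audit_vty over `show running-config` output before and after adding `access-class 50 in` to confirm the VTY restriction is actually in place rather than relying on the interface ACL.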
09-08-2009 12:32 PM
Spoke with Cisco TAC. Apparently there is a bug with the c1841-advipservicesk9-mz.124-15.XY.bin image file on ACLs, and that is why the ACL is not working.