cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
707
Views
0
Helpful
9
Replies

Allow http and deny ssh from the internet

christoffer92
Level 1
Level 1

Screenshot_2022-11-13_22-31-06.png

Hello! I am using Packet Tracer 8.2 and am trying to learn ACLs without success.

These is the ACL on the Router 2:

Extended IP access list denywww

10 permit tcp any host 192.168.2.2 eq www

20 deny tcp any host 192.168.2.2 eq 22

30 permit ip any any (2 match(es))

 

If I remove 30 permit ip any any it blocks everything, but if I have it there it allows everything.

On the switch:

Standard IP access list ssh-in

10 permit 192.168.2.0 0.0.0.255

20 deny any

access-class ssh-in in

 

All clients can still connect using SSH. I don't understand at all

 

Thanks!

9 Replies 9

Thomas Schmitt
Level 1
Level 1

Hi, the first and most important question is, where do you apply the ACL (interface, control plane, line vty, console etc)  and direction ( in or out)

On the switch:

line vty 0 4

access-class ssh-in in

login local

transport input ssh

 

 

On the router:

interface GigabitEthernet0/0

ip address 192.168.2.1 255.255.255.0

ip access-group denywww in

 

Thanks!

two point :-
1-
R2 have two interface do you sure you apply ACL in right interface, 
try apply same ACL in both R2 interface and check 

2-
how is client and how is server in both HTTP and SSH ??

The ACL is applied on the correct interface. The switch is SSH enabled and the server is HTTP enabled

So there is two different device and two different service and same host ip??

That unusual,


@christoffer92 wrote:

Extended IP access list denywww

10 permit tcp any host 192.168.2.2 eq www

20 deny tcp any host 192.168.2.2 eq 22

30 permit ip any any (2 match(es))

 

If I remove 30 permit ip any any it blocks everything, but if I have it there it allows everything.


@christoffer92 there is an implicit deny at the end of an ACL (not displayed in the configuration), so when you removed "30 permit ip any any" traffic not matching any of the rules above would be denied by the implicit  deny rule.

@Rob Ingram I see. But how come rule 30 permits traffic that should be blocked?

@christoffer92 on the ACL - denywww - ACE #20 denies traffic from "any" source to the destination 192.168.2.2 - but the IP address of Gi0/0 (where you've applied the ACL) is 192.168.2.1, so traffic won't match ACE #20. Therefore the ACE rule #20 is incorrect, the destination is not 192.168.2.2.  Hence why it matches ACE #30

As to why the connection does not match the other ACL "ssh-in" what is the source IP address of the connection?

Enable  logging and check (assuming PT supports it).

 

@Rob Ingram 

Thanks for response! I tried the following but still getting the same result

Extended IP access list denywww

10 permit tcp any host 192.168.2.3 eq www

20 deny tcp any host 192.168.2.1 eq 22

30 permit ip any any (45 match(es))

 

Extended IP access list denywww

10 permit tcp any host 192.168.2.3 eq www

20 deny tcp any any eq 22

30 permit ip any any (48 match(es))

 

For ACL ssh-in the source is 192.168.1.0.

 

How to enable logging?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: