Allow http and deny ssh from the internet

christoffer92 · ‎11-13-2022

Hello! I am using Packet Tracer 8.2 and am trying to learn ACLs without success.

These is the ACL on the Router 2:

Extended IP access list denywww

10 permit tcp any host 192.168.2.2 eq www

20 deny tcp any host 192.168.2.2 eq 22

30 permit ip any any (2 match(es))

If I remove 30 permit ip any any it blocks everything, but if I have it there it allows everything.

On the switch:

Standard IP access list ssh-in

10 permit 192.168.2.0 0.0.0.255

20 deny any

access-class ssh-in in

All clients can still connect using SSH. I don't understand at all

Thanks!

Thomas Schmitt · ‎11-14-2022

Hi, the first and most important question is, where do you apply the ACL (interface, control plane, line vty, console etc) and direction ( in or out)

christoffer92 · ‎11-14-2022

On the switch:

line vty 0 4

access-class ssh-in in

login local

transport input ssh

On the router:

interface GigabitEthernet0/0

ip address 192.168.2.1 255.255.255.0

ip access-group denywww in

Thanks!

MHM Cisco World · ‎11-14-2022

two point :-
1-
R2 have two interface do you sure you apply ACL in right interface,
try apply same ACL in both R2 interface and check

2-
how is client and how is server in both HTTP and SSH ??

christoffer92 · ‎11-14-2022

The ACL is applied on the correct interface. The switch is SSH enabled and the server is HTTP enabled

MHM Cisco World · ‎11-14-2022

So there is two different device and two different service and same host ip??

That unusual,

Rob Ingram · ‎11-14-2022

@christoffer92 wrote:

Extended IP access list denywww

10 permit tcp any host 192.168.2.2 eq www

20 deny tcp any host 192.168.2.2 eq 22

30 permit ip any any (2 match(es))

If I remove 30 permit ip any any it blocks everything, but if I have it there it allows everything.

@christoffer92 there is an implicit deny at the end of an ACL (not displayed in the configuration), so when you removed "30 permit ip any any" traffic not matching any of the rules above would be denied by the implicit deny rule.

christoffer92 · ‎11-14-2022

@Rob Ingram I see. But how come rule 30 permits traffic that should be blocked?

Rob Ingram · ‎11-14-2022

@christoffer92 on the ACL - denywww - ACE #20 denies traffic from "any" source to the destination 192.168.2.2 - but the IP address of Gi0/0 (where you've applied the ACL) is 192.168.2.1, so traffic won't match ACE #20. Therefore the ACE rule #20 is incorrect, the destination is not 192.168.2.2. Hence why it matches ACE #30

As to why the connection does not match the other ACL "ssh-in" what is the source IP address of the connection?

Enable logging and check (assuming PT supports it).

christoffer92 · ‎11-14-2022

@Rob Ingram

Thanks for response! I tried the following but still getting the same result

Extended IP access list denywww

10 permit tcp any host 192.168.2.3 eq www

20 deny tcp any host 192.168.2.1 eq 22

30 permit ip any any (45 match(es))

Extended IP access list denywww

10 permit tcp any host 192.168.2.3 eq www

20 deny tcp any any eq 22

30 permit ip any any (48 match(es))

For ACL ssh-in the source is 192.168.1.0.

How to enable logging?