I have a problem with an access-class applied to the vty lines on a 3750 switch with IOS 12.2(58)SE2.
I have this configuration:
Standard IP access list ACL_MGMT_VTY
10 permit x.x.x.x, wildcard bits 0.0.0.255
line vty 0 4
access-class ACL_MGMT_VTY in
privilege level 15
transport input ssh
When I connect to this switch and try to make an SSH connection with an IP address different from x.x.x.x, it shows this message:
% Connections to that host not permitted from this terminal
If I remove this access-class, or try to establish a telnet session, it works perfectly.
Any suggestions? Ideas?
Possible IOS bug?
Since you only permit x.x.x.x to SSH to the switch, only that IP address is allowed to SSH to the switch. If you try to connect using any other IP address, it will not allow it, since you have restricted it to that particular IP.
If you want the whole subnet to access the switch, then the access-class should say:
permit x.x.x.0 0.0.0.255
permit x.x.x.x 0.0.0.255
The problem is not with incoming SSH sessions; it's when I try to establish an SSH session from the switch to any device in the network.
We encountered the same issue on a 2960S switch. The strange thing is, we also have 3750 switches and there it works. We are running the same firmware version as you on both models: 12.2(58)SE2.
We have no outgoing access-class defined on the vty lines, only an incoming one for limiting SSH access.
From the 2960S switch we tried:
copy running-config scp://user@host/file
It is denied and the deny counter of the INCOMING ACL goes up by 1.
Tried to configure another ACL for outgoing connections. No difference; the outgoing connection is blocked by the incoming ACL!
When removing the incoming ACL, it works.
Then we have another 2960S switch with an older firmware version. This one works without problems, with the same configuration.
Looks like a bug.
I don't know whether it is an IOS bug or not.
I have the same IOS version, 12.2(58)SE2, on a 3750,
and when I apply the ACL on the vty line I can't log in by SSH to the device.
When I remove the ACL, I can.
We have a VRF on the 3750.
I found this solution (it helped me):
R1(config-line)#access-class 1 in vrf-also
If it is truly our desire to allow VTY sessions from traffic arriving in a VRF instance, we can modify the behavior of the access-class. This is done using the “vrf-also” option.
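The following is an added configuration example, not something posted in this thread. It pulls the thread's pieces together: a standard ACL applied inbound with the vrf-also option the last poster used, a separate ACL applied outbound so that sessions opened from the switch (the copy ... scp:// case reported above) are governed by their own list rather than the inbound one, and the show commands to verify which list is being hit. The ACL names, the 10.10.10.0/24 management subnet, the 10.20.0.0/16 target range and the SCP host are assumptions chosen for the example.

```cisco
! Added example; names and addresses are assumptions, not from the thread.
! 10.10.10.0/24 = management subnet allowed to SSH in.
! 10.20.0.0/16  = hosts the switch itself is allowed to open SSH/SCP to.
!
! Inbound list: matched against the SOURCE address of sessions to the switch.
ip access-list standard ACL_MGMT_VTY
 permit 10.10.10.0 0.0.0.255
 deny   any
!
! Outbound list: matched against the DESTINATION address of sessions the
! switch opens from the vty (ssh, copy ... scp://, etc.).
ip access-list standard ACL_VTY_OUT
 permit 10.20.0.0 0.0.255.255
 deny   any
!
line vty 0 4
 ! vrf-also: also accept connections arriving on a VRF interface; without it,
 ! IOS rejects VRF-sourced connections when any access-class is applied.
 access-class ACL_MGMT_VTY in vrf-also
 access-class ACL_VTY_OUT out
 transport input ssh
 transport output ssh
!
! Verification from EXEC:
!   show line vty 0 4      -> shows the in/out access-class on each line
!   show access-lists      -> per-entry hit counters
!   copy running-config scp://backup@10.20.1.5/sw-backup.cfg
! After the copy, rerun show access-lists: on a healthy image only
! ACL_VTY_OUT entries change; if ACL_MGMT_VTY's "deny any" increments
! instead, you are seeing the behaviour reported in this thread.
```

The explicit deny any entries exist only so the hit counters are visible; the implicit deny at the end of every ACL does not count matches. The example deliberately omits the privilege level 15 line from the original configuration: it drops every authenticated vty user straight into privileged EXEC and is unrelated to the access-class problem.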