08-29-2012 09:55 AM - edited 02-21-2020 04:43 AM
Hi everyone,
I have a problem with an access-class applied on the vty lines of a 3750 switch running IOS 12.2(58)SE2.
I have this configuration:
Standard IP access list ACL_MGMT_VTY
10 permit x.x.x.x, wildcard bits 0.0.0.255
!
line vty 0 4
access-class ACL_MGMT_VTY in
privilege level 15
logging synchronous
transport input ssh
!
When I connect to this switch and try to make an SSH connection with an IP address different from x.x.x.x, it shows this message:
% Connections to that host not permitted from this terminal
If I remove this access-class, or try to establish a telnet session, it works perfectly.
Any suggestions? Ideas?
Possible IOS bug?
08-30-2012 06:17 AM
Since you only permit x.x.x.x to SSH to the switch, only that IP address is allowed to SSH to the switch. If you try to connect using any other IP address, then it will not allow it, since you have restricted it to that particular IP.
If you want the whole subnet to access the switch, then the access-class should say:
permit x.x.x.0 0.0.0.255
instead of:
permit x.x.x.x 0.0.0.255
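As an added illustration (not code from this thread), a small Python model of how a standard IOS access list such as ACL_MGMT_VTY decides whether a source address is permitted: a wildcard of 0.0.0.255 marks the last octet as "don't care", so the entry covers a whole /24, while 0.0.0.0 pins a single host, and anything that matches no entry falls to the implicit deny at the end of the list. The 192.0.2.x addresses are constructed placeholders standing in for the thread's x.x.x.x.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Standard-ACL match: wildcard bit 1 = don't care, 0 = must equal."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & MASK32
    return (a & care) == (e & care)


def canonical_entry(entry_addr: str, wildcard: str) -> str:
    """Address as IOS stores it: the don't-care bits are cleared, so
    'permit 192.0.2.10 0.0.0.255' is kept as 192.0.2.0 0.0.0.255."""
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(e & ~w & MASK32))


def evaluate_acl(entries, source: str):
    """First matching entry wins (lowest sequence first); no match -> implicit deny.
    entries: list of (sequence, action, address, wildcard). Returns (action, sequence)."""
    for seq, action, entry_addr, wildcard in sorted(entries):
        if wildcard_match(source, entry_addr, wildcard):
            return action, seq
    return "deny", None


# Constructed sample ACLs (placeholders for the thread's x.x.x.x):
# the whole management /24 ...
ACL_MGMT_VTY = [(10, "permit", "192.0.2.0", "0.0.0.255")]
# ... versus a single management host
ACL_SINGLE_HOST = [(10, "permit", "192.0.2.10", "0.0.0.0")]

if __name__ == "__main__":
    for src in ("192.0.2.77", "198.51.100.5"):
        print("subnet ACL", src, evaluate_acl(ACL_MGMT_VTY, src))
        print("host ACL  ", src, evaluate_acl(ACL_SINGLE_HOST, src))
```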
08-30-2012 09:46 AM
Hi Jennifer,
The problem is not with incoming SSH sessions; it's when I try to establish an SSH session from the switch to any device in the network.
Regards,
08-30-2012 10:01 PM
Have you tried to configure "access-class
08-31-2012 08:12 AM
Hi Jennifer,
No, I don't;
that's the problem, I do not want to limit outbound SSH traffic.
08-31-2012 08:14 AM
If you configure "permit any" and apply it to the access-class "out", does it work?
Sounds like a bug if it does work.
09-18-2012 12:24 AM
Hi,
We encountered the same issue on a 2960S switch. The strange thing is, we also have 3750 switches and there it works. We are running the same firmware version as you on both models: 12.2(58)SE2.
Summary:
We have no outgoing access-class defined on the vty lines, only an incoming one for limiting SSH access.
From the 2960S switch we tried:
copy running-config scp://user@host/file
It is denied and the deny counter of the INCOMING ACL goes up by 1.
Tried to configure another ACL for outgoing connections. No difference, the outgoing connection is blocked by the incoming ACL!
When removing the incoming ACL, it works.
Then we have another 2960S switch with an older firmware version, 12.2(55)SE3. This one works without problems with the same configuration.
Looks like a bug.
04-26-2013 02:35 AM
Same here with a 2960 release 15.0(2)SE2. Will it be solved or is that considered normal?
11-25-2013 10:45 PM
Hi,
I don't know whether it is an IOS bug or not.
I have the same IOS version, 12.2(58)SE2, on a 3750,
and when I apply the ACL on line vty I can't log in by SSH to the device.
When I remove the ACL, I can.
We have VRF on the 3750.
I found this solution (it helped me):
R1(config-line)#access-class 1 in vrf-also
If it is truly our desire to allow VTY sessions from traffic arriving in a VRF instance, we can modify the behavior of the access-class. This is done using the “vrf-also” option.
11-27-2013 02:54 AM
I found the bug.