Solved: Re: Extended ACL - Quick one

mattipler · ‎01-16-2018

I feel like i'm going mad here. I'm trying to create an ACL to place on VTY interfaces but my permit tcp 172.16.0.0 0.240.255.255 any eq 22 command is getting changed to permit tcp 172.0.0.0 0.240.255.255 any eq 22 once committed! It's changing the .16 to a .0!

See below...

YSSAPLCSSWI001#conf t
Enter configuration commands, one per line. End with CNTL/Z.
YSSAPLCSSWI001(config)#ip access-list extended SSH_ACCESS
YSSAPLCSSWI001(config-ext-nacl)#$addresses permitted to SSH on to the device
YSSAPLCSSWI001(config-ext-nacl)# remark #Allow established
YSSAPLCSSWI001(config-ext-nacl)# permit tcp any any established
YSSAPLCSSWI001(config-ext-nacl)#remark #RFC1918 Addresses
YSSAPLCSSWI001(config-ext-nacl)#permit tcp 10.0.0.0 0.255.255.255 any eq 22
YSSAPLCSSWI001(config-ext-nacl)#permit tcp 172.16.0.0 0.240.255.255 any eq 22
YSSAPLCSSWI001(config-ext-nacl)# permit tcp 192.168.0.0 0.0.255.255 any eq 22
YSSAPLCSSWI001(config-ext-nacl)# remark #Log any denies
YSSAPLCSSWI001(config-ext-nacl)# deny ip any any log
YSSAPLCSSWI001(config-ext-nacl)#ex
YSSAPLCSSWI001(config)#do show ip access-list SSH_ACCESS
Extended IP access list SSH_ACCESS
10 permit tcp any any established
20 permit tcp 10.0.0.0 0.255.255.255 any eq 22
30 permit tcp 172.0.0.0 0.240.255.255 any eq 22
40 permit tcp 192.168.0.0 0.0.255.255 any eq 22
50 deny ip any any log

This is preventing SSH connections from our 172 network spaces. As the ACL is rejecting them. Am I missing something obvious?

Jon Marshall · ‎01-16-2018

permit tcp 172.16.0.0 0.15.255.255

Jon

View solution in original post

Jon Marshall · ‎01-16-2018

permit tcp 172.16.0.0 0.15.255.255

Jon

mattipler · ‎01-16-2018

School boy error. Thank you! :)

@Jon Marshall wrote:

permit tcp 172.16.0.0 0.15.255.255

Jon