Issues with ACL

TRACY HARTMANN
Level 1

I have been trying to limit SSH on a router and my ACL doesn't seem to be working.

ip access-list extended 107
10 permit ip host 10.20.0.20 host 3.3.3.3 log
15 permit ip host 10.20.0.20 host 4.4.4.4 log
20 permit tcp host 10.20.0.20 host 4.4.4.4 eq 22
25 permit tcp 10.20.0.0 0.0.255.255 eq 22 any
200 deny tcp any any eq 3128
210 deny udp any any eq 3128
220 deny tcp any any eq 22
230 deny tcp any any eq telnet
240 permit ip any any

Access-list 107 In (is the statement on the interface). The ACL really doesn't do anything.

What I am looking for is to allow 10.20.0.20 to SSH, and then I tried just the entire network. It is still not limiting.

What am I missing?

12 Replies

als95
Level 1

If you want to limit SSH access to a router, you need to apply the ACL either on the `line vty` if your router is running IOS XE (e.g. ISR) or under `control-plane -> management-plane` if your router is running IOS XR (e.g. NCS).

Hello,

We need a bit more information.

Is the traffic flowing through the interface you are denying SSH on? If you have multiple connections, it may be using one of those, bypassing your ACL. Can you give us a topology?

Secondly, you could try adding log statements to all your entries to see which entry in the ACL your other network traffic is hitting. Your ACE line 25 has a source port of 22 and not a destination port of 22. Is this intentional?

-David
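To make the source-port point above concrete, here is a small first-match evaluator for the subset of Cisco IOS extended ACL syntax used in the posted list. It is an added example written for this thread, not Cisco code and not the poster's configuration beyond the ACL text quoted from the original question; the WAN address of E2 (203.0.113.1) and the outside host (198.51.100.7) are assumed documentation addresses, since the thread does not give them. It shows which ACE each sample packet hits, that line 25 as written only matches packets whose source port is 22, that line 15 shadows line 20, and how the list behaves once `eq 22` is moved to the destination side.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example for this thread (not Cisco code, not the poster's full config).
Supported ACE shape:
  <seq> permit|deny ip|tcp|udp <src> [eq <port>] <dst> [eq <port>] [log]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as quoted in the original post.
ACL_107 = """
ip access-list extended 107
10 permit ip host 10.20.0.20 host 3.3.3.3 log
15 permit ip host 10.20.0.20 host 4.4.4.4 log
20 permit tcp host 10.20.0.20 host 4.4.4.4 eq 22
25 permit tcp 10.20.0.0 0.0.255.255 eq 22 any
200 deny tcp any any eq 3128
210 deny udp any any eq 3128
220 deny tcp any any eq 22
230 deny tcp any any eq telnet
240 permit ip any any
"""

# Assumed addresses (documentation ranges); the thread does not state them.
WAN_IP = "203.0.113.1"         # assumed address of interface E2
OUTSIDE_HOST = "198.51.100.7"  # assumed Internet host attempting SSH

PORT_NAMES = {"ssh": 22, "telnet": 23}  # names accepted after 'eq' here


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    log: bool


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    # Cisco wildcard: 0 bits must match. Invert it into a netmask; only
    # contiguous wildcards are handled (non-contiguous ones raise ValueError).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    src, i = _parse_addr(tok, 3)
    src_port, i = _parse_port(tok, i)   # 'eq' right after the source = SOURCE port
    dst, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)   # 'eq' after the destination = DESTINATION port
    return Ace(int(tok[0]), tok[1], tok[2], src, src_port, dst, dst_port, "log" in tok[i:])


def parse_acl(text: str) -> List[Ace]:
    """Parse the numbered ACE lines (the 'ip access-list' header is skipped), by sequence."""
    aces = [parse_ace(l) for l in text.splitlines() if l.split() and l.split()[0].isdigit()]
    return sorted(aces, key=lambda a: a.seq)


def matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(src) not in ace.src or ipaddress.IPv4Address(dst) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int):
    """Return (action, seq) of the first matching ACE; ('deny', None) is the implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, sport, dst, dport):
            return ace.action, ace.seq
    return "deny", None


def fix_line_25(text: str) -> str:
    """Move 'eq 22' from the source to the destination side of line 25."""
    return text.replace("25 permit tcp 10.20.0.0 0.0.255.255 eq 22 any",
                        "25 permit tcp 10.20.0.0 0.0.255.255 any eq 22")


def demo() -> dict:
    acl, fixed = parse_acl(ACL_107), parse_acl(fix_line_25(ACL_107))
    return {
        # Outside host opening SSH to the WAN address: falls through to line 220.
        "outside_ssh": evaluate(acl, "tcp", OUTSIDE_HOST, 51000, WAN_IP, 22),
        # 10.20.0.20 -> 4.4.4.4 SSH: line 15 (permit ip) wins, so line 20 never fires.
        "host_to_4444_ssh": evaluate(acl, "tcp", "10.20.0.20", 51000, "4.4.4.4", 22),
        # Another inside host: line 25 wants SOURCE port 22, so 220 denies it.
        "inside_ssh_original": evaluate(acl, "tcp", "10.20.0.5", 51000, WAN_IP, 22),
        "inside_ssh_fixed": evaluate(fixed, "tcp", "10.20.0.5", 51000, WAN_IP, 22),
        "outside_ssh_fixed": evaluate(fixed, "tcp", OUTSIDE_HOST, 51000, WAN_IP, 22),
        # Non-SSH traffic from outside reaches the final permit.
        "outside_http": evaluate(acl, "tcp", OUTSIDE_HOST, 51000, WAN_IP, 80),
    }


if __name__ == "__main__":
    for name, (action, seq) in demo().items():
        print(f"{name:22} -> {action} (ACE {seq})")
```

Note that this only models the ACE matching order; as David says, traffic from the inside LAN does not arrive inbound on E2 at all, so whatever line 25 matches, the outside SSH attempt in the thread should have hit line 220 if the packet really entered through E2 with the ACL applied. That is why the "log" keyword on every entry is the practical next check.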

The interface I am applying this to is the WAN port. I don't want the outside network to be able to SSH, only the inside, which is why I am trying to limit it. With line 25 I was just trying to say that if the source is that IP and it is trying SSH, let it in. If I need to specify the destination port, I can do that.

E1 to Lan switch

E2 Wan to public network

I am trying to apply the ACL to E2 so that anything coming from the outside doing SSH is denied.

Can you supply the configuration of the device?

Also try adding the log keyword to all entries and SSH from an IP you DON'T want to have access. It will show you what entry it's hitting and you can modify from there as needed.

TRACY HARTMANN
Level 1

I don't want any public address to be able to SSH to my device, only private ones.

There isn't much to the config but one interface to the LAN, one interface to the WAN, and the access list applied to the WAN as ip access-group 107 in.

Assuming you are trying to SSH from a device on the WAN towards E2 and it's letting it through? What IP address are you using to SSH with? You mention you only want the IP of 10.20.0.20 to be able to SSH, correct?

I can connect from inside my network to the IP address on E2. When I did a show users, I came from a 10.20.0.20 address. I can also come from outside the network and connect to E2 (public address). I need to deny that traffic, but still be able to get to the E2 address from my inside network.

According to your original message your ACL "looks" good. Specifically the line highlighted:

ip access-list extended 107
10 permit ip host 10.20.0.20 host 3.3.3.3 log
15 permit ip host 10.20.0.20 host 4.4.4.4 log
20 permit tcp host 10.20.0.20 host 4.4.4.4 eq 22
25 permit tcp 10.20.0.0 0.0.255.255 eq 22 any
200 deny tcp any any eq 3128
210 deny udp any any eq 3128
220 deny tcp any any eq 22
230 deny tcp any any eq telnet
240 permit ip any any

This should be blocking all SSH connections from any IP. But as you point out, that's not what's happening. Inside traffic will not be affected by this ACL, so the connection from inside the network should work as expected.

You can try re-creating the ACL line by line and trying to SSH from the outside after every entry to see where it's allowing it through, or you can attach the "log" keyword as I mentioned to all lines in the ACL to see which counter increments when you try to SSH from the outside.

-David

Can I know, is there dual ISP on your router?
The only reason that would make the SSH filtering not work is the traffic passing into the device through a different interface than the one you applied the ACL under.

MHM

bo chen
Spotlight

You must use this ACL on the VTY lines.

line vty 0 15

access-class 107 in

Hello Tracy,
Can you elaborate a little on the router model you wish to deny SSH to?
Is your "WAN" public internet facing, or an L3VPN attached to a large network estate?
Are you performing any NAT?
The reason I ask is that the ACL you show allows a non-routable subnet for SSH, but you are attaching it to the WAN interface.

I believe it's already been stated that a VTY ACL or even a control-plane policy would be applicable.
Other alternatives would depend on your current network setup (CBAC, ZBFW, etc.), but a basic line vty ACL should work.

Kind Regards
Paul

I agree that trying to achieve the control using an ACL applied to the interface with access-group is quite challenging, and that using an ACL applied with access-class to the vty is a much more effective approach.

HTH

Rick