Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1547
Views
15
Helpful
4
Replies

Problems in getting an ACL to deny SSH to work

Go to solution
ThomasD86
Level 1
Level 1

‎05-17-2021 03:59 AM - edited ‎05-17-2021 07:25 AM

Hi,

I have got an ASR920 with a loopback address of 192.168.0.27 that we use for management. I want to regulate SSH access to limit it only to the network 192.168.17.0/24, so I created this ACL:

permit tcp 192.168.17.0 0.0.0.255  host 192.168.0.27 eq 22

 

I configured this ACL in ingress under the VTY 0-15 lines.

The computer I am using to ssh on the router has an ip that falls within the 192.168.17.0/24 network but with the ACL configured that way, I cannot connect to the device (remote host refused the connection).


I tried to remove the ACL from the VTY to confirm the ACL was the issue and I could SSH into the router just fine. I also issued the "sh users" to check what IP I was logged into the router with and it reported a 192.168.17.48 address, which falls under the allowed network.


I also tried to change the ACL to:

permit tcp any host 192.168.0.27 eq 22

 

again, I configured that on the VTY lines on the router. At this point my IP should be pretty much irrelevant and as long as I start a SSH session towards "192.168.0.27" I should be able to establish it but, the router refuses the connection.

Could anyone help me out figuring what I am doing wrong? Thanks

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎05-17-2021 07:41 AM

Hi Thomas,

 

Try using a standard ACL instead.

 

ip access-list standard 1
permit 192.168.17.0 0.0.0.255
!

line vty 0 5
access-class 1 in

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

4 Replies 4

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎05-17-2021 07:41 AM

Hi Thomas,

 

Try using a standard ACL instead.

 

ip access-list standard 1
permit 192.168.17.0 0.0.0.255
!

line vty 0 5
access-class 1 in

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Harold Ritter

‎05-17-2021 08:07 AM

@Harold Ritter is exactly right. There is a significant (but not obvious) difference between standard access list and extended access list when applied to line vty. For an interface we apply the access list using access-group and for this the extended access list will check both the specified source and the specified destination. For vty we apply the access list using access-class and the behavior is quite different. I believe that the underlying logic is that access-class is examining traffic for which the device is the destination. It does not matter which interface address was used as the destination, just that the device was the destination. So the logic in access-class does not check the destination address - as you discovered. If you want to use an extended access list then you need to specify the destination as "any" and it really is better to use standard access list rather than extended.

HTH

Rick

Go to solution
ThomasD86
Level 1
Level 1

‎05-17-2021 09:57 PM

Hi Harold, hi Rick

Thank you very much for the suggestion and the explanation respectively. Doing as you said, allowed the ACL to work as I was expecting. Thanks again

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to ThomasD86

‎05-17-2021 10:21 PM

You are welcome. I am glad that this discussion has been helpful. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card