09-12-2019 10:31 PM
Hello, I have this ACL on an SVI interface in the INBOUND direction.
It is still preventing me from creating an SSH connection from VLANx to VLAN 99. As soon as I remove this ACL from the interface, I can SSH from VLANx to VLAN 99.
Why would an ACL in the 'INBOUND' direction prevent communication from VLANx to VLAN 99 anyway?
How do I need to modify it to allow SSH?
Thank you.
interface GigabitEthernet0/0.99
description WiFi
encapsulation dot1Q 99
ip address 10.99.7.1 255.255.255.0
ip access-group Restrict_wifi_mgt in
ip helper-address 10.21.130.31
ip helper-address 10.5.1.93
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow monitor NETFLOW-TRAFFIC input
service-policy input MARKING
end
Extended IP access list Restrict_wifi_mgt
10 permit icmp 10.99.7.0 0.0.0.255 any (24684 matches)
15 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50 (2817 matches)
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22
20 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10 (3446712 matches)
30 permit ip 10.99.7.0 0.0.0.255 host 10.99.130.10 (1255 matches)
40 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.93 (24 matches)
50 permit ip 10.99.7.0 0.0.0.255 host 10.21.130.31
60 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.34
70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)
80 permit ip any any (500 matches)
09-12-2019 11:54 PM
Hi there,
What is the IP on VLANx that you are trying to SSH from? Is your connection arriving via Gi0/0.99 or via another interface on the router?
cheers,
Seb.
09-13-2019 03:08 AM - edited 09-13-2019 03:12 AM
Hello
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22
70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)
So it looks like ACE 70 is denying the communication; when you take this out, does it work?
09-13-2019 12:41 PM
Hi,
It would be better to merge the two tickets you have so that it will be easier to resolve the issue and it will help others to learn from it in the future.
I saw that you added a new line to your ACL (16):
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22
This line needs a little more modification, as you are attempting to allow the response from the SSH server. It needs to be modified as follows:
16 permit tcp 10.99.7.0 0.0.0.255 eq 22 any
HTH,
Meheretab
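An added illustration, not part of the thread: a small Python first-match evaluator run over the posted ACL, showing why the inbound ACL on Gi0/0.99 blocks SSH even though the session is started from VLANx. The client SYN enters the router on VLANx's interface and is never checked by this ACL; the SYN-ACK reply from the VLAN 99 server does enter Gi0/0.99 inbound, where the original ACE 16 fails to match it (its port 22 is the source port, not the destination) and ACE 70 drops it, while Meheretab's ACE 16 permits it. The VLAN 99 server 10.99.7.20, the VLANx client 10.10.10.5 and the client port 51234 are constructed values not given in the thread.

```python
import ipaddress
# Constructed copy of the thread's ACL (hit counters dropped); CORRECTED_ACL swaps in Meheretab's ACE 16.
ORIGINAL_ACL = """
10 permit icmp 10.99.7.0 0.0.0.255 any
15 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22
20 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10
30 permit ip 10.99.7.0 0.0.0.255 host 10.99.130.10
40 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.93
50 permit ip 10.99.7.0 0.0.0.255 host 10.21.130.31
60 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.34
70 deny ip 10.99.7.0 0.0.0.255 any
80 permit ip any any
"""
CORRECTED_ACL = ORIGINAL_ACL.replace("any eq 22", "eq 22 any")

def _parse_endpoint(tok, i):
    # Consume 'any' | 'host A' | 'A WILDCARD' at tok[i], plus an optional 'eq PORT'.
    if tok[i] == "any":
        net, wc, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        net, wc, i = int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    else:
        net, wc, i = int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(tok[i + 1]), i + 2
    return (net, wc, port), i

def parse_acl(text):
    # Each ACE becomes (seq, action, proto, src_endpoint, dst_endpoint).
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _parse_endpoint(tok, 3)
        dst, _ = _parse_endpoint(tok, i)
        aces.append((int(tok[0]), tok[1], tok[2], src, dst))
    return aces

def _match(endpoint, ip, port):
    net, wc, want_port = endpoint
    care = ~wc & 0xFFFFFFFF  # Cisco wildcard mask: set bits are "don't care"
    if (int(ipaddress.IPv4Address(ip)) & care) != (net & care):
        return False
    return want_port is None or want_port == port

def evaluate(aces, proto, src, sport, dst, dport):
    # Top-down first match; (None, "deny") models the implicit deny at the end of every ACL.
    for seq, action, ace_proto, s, d in aces:
        if ace_proto in ("ip", proto) and _match(s, src, sport) and _match(d, dst, dport):
            return seq, action
    return None, "deny"

def ssh_reply_verdicts(server="10.99.7.20", client="10.10.10.5", client_port=51234):
    # Verdict for the server's SYN-ACK (source port 22) as it enters Gi0/0.99 inbound, under both ACLs.
    return {name: evaluate(parse_acl(acl), "tcp", server, 22, client, client_port)
            for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL))}
```

Running `ssh_reply_verdicts()` returns `(70, 'deny')` for the original ACL and `(16, 'permit')` for the corrected one; a WiFi client connecting to the management host 10.99.0.50 is permitted by ACE 15 either way.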