Beginner

SSH allow ACL

Hello, I have this ACL on an SVI interface in the INBOUND direction.

It is still preventing me from creating an SSH connection from VLANx to VLAN 99. As soon as I remove this ACL from the interface, I can SSH from VLANx to VLAN 99.

Why would an ACL in the 'INBOUND' direction prevent communication from VLANx to VLAN 99 anyway?

How do I need to modify it to allow SSH?

Thank you.


interface GigabitEthernet0/0.99
description WiFi
encapsulation dot1Q 99
ip address 10.99.7.1 255.255.255.0
ip access-group Restrict_wifi_mgt in************
ip helper-address 10.21.130.31
ip helper-address 10.5.1.93
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow monitor NETFLOW-TRAFFIC input
service-policy input MARKING
end


Extended IP access list Restrict_wifi_mgt
10 permit icmp 10.99.7.0 0.0.0.255 any (24684 matches)
15 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50 (2817 matches)
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22**************
20 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10 (3446712 matches)
30 permit ip 10.99.7.0 0.0.0.255 host 10.99.130.10 (1255 matches)
40 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.93 (24 matches)
50 permit ip 10.99.7.0 0.0.0.255 host 10.21.130.31
60 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.34
70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)
80 permit ip any any (500 matches)

3 Replies
VIP Advisor

Re: SSH allow ACL

Hi there,

What is the IP on VLANx that you are trying to SSH from? Is your connection arriving via Gi0/0.99 or via another interface on the router?


cheers,

Seb.

VIP Advisor

Re: SSH allow ACL

Hello

16 permit tcp 10.99.7.0 0.0.0.255 any eq 22

70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)


So it looks like ACE 70 is denying the communication. When you take this out, does it work?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Re: SSH allow ACL

Hi,

It would be better to merge the two tickets you have so that it will be easier to resolve the issue and it will help others to learn from it in the future.


I saw that you added a new line to your ACL (16):

16 permit tcp 10.99.7.0 0.0.0.255 any eq 22

This line needs a little more modification, as you are attempting to provide a response from the SSH server. It needs to be modified as follows:

16 permit tcp 10.99.7.0 0.0.0.255 eq 22 any


HTH,

Meheretab


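As an added illustration (not part of the thread and not a Cisco tool), the following Python evaluates the posted ACL with IOS first-match semantics, so you can see why the SSH server's reply leaving VLAN 99 falls through to ACE 70 with the original line 16 but is permitted by ACE 16 once the "eq 22" is moved to the source side. The SSH server 10.99.7.50, the VLANx client 10.10.0.20 and the client port 51000 are constructed values, and only the ACEs that matter for the comparison are included.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def parse_ace(seq, text):
    """Parse one extended ACE: permit|deny proto <src> [eq p] <dst> [eq p]."""
    toks, pos = text.split(), 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if toks[pos] == "host":
            pos += 2
            return ipaddress.IPv4Network(toks[pos - 1] + "/32")
        addr, wild = toks[pos], toks[pos + 1]   # IOS wildcard: 1 bits = don't care
        pos += 2
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))))
        return ipaddress.IPv4Network((addr, mask), strict=False)

    def take_port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return int(toks[pos - 1])
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(seq, toks[0], toks[1], src, sport, dst, dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins; the unwritten final ACE is 'deny ip any any'."""
    for a in acl:
        if (a.proto in ("ip", proto)
                and ipaddress.IPv4Address(src) in a.src and ipaddress.IPv4Address(dst) in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action, a.seq
    return "deny", None

# Subset of the thread's ACL; line 16 is passed in so both variants can be compared.
BASE = [(10, "permit icmp 10.99.7.0 0.0.0.255 any"), (15, "permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50"),
        (20, "permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10"), (70, "deny ip 10.99.7.0 0.0.0.255 any"),
        (80, "permit ip any any")]

def ssh_reply_verdict(line16):
    """Verdict for the server's reply (src port 22) entering the router from VLAN 99.
    The inbound ACL on Gi0/0.99 only sees packets from VLAN 99, so the client's request
    from VLANx is never evaluated here; only this return traffic is."""
    acl = sorted([parse_ace(s, t) for s, t in BASE + [(16, line16)]], key=lambda a: a.seq)
    return evaluate(acl, "tcp", "10.99.7.50", 22, "10.10.0.20", 51000)
```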