SSH allow ACL

mediaworksnz
Level 1

Hello, I have this ACL on an SVI interface in the INBOUND direction.

It is still preventing me from creating an SSH connection from VLANx to VLAN 99. As soon as I remove this ACL from the interface, I can SSH from VLANx to VLAN 99.

Why would an ACL in the 'INBOUND' direction prevent communication from VLANx to VLAN 99 anyway?

How do I need to modify it to allow SSH?

Thank you.

 

interface GigabitEthernet0/0.99
description WiFi
encapsulation dot1Q 99
ip address 10.99.7.1 255.255.255.0
ip access-group Restrict_wifi_mgt in
ip helper-address 10.21.130.31
ip helper-address 10.5.1.93
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow monitor NETFLOW-TRAFFIC input
service-policy input MARKING
end

 

Extended IP access list Restrict_wifi_mgt
10 permit icmp 10.99.7.0 0.0.0.255 any (24684 matches)
15 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50 (2817 matches)
16 permit tcp 10.99.7.0 0.0.0.255 any eq 22
20 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10 (3446712 matches)
30 permit ip 10.99.7.0 0.0.0.255 host 10.99.130.10 (1255 matches)
40 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.93 (24 matches)
50 permit ip 10.99.7.0 0.0.0.255 host 10.21.130.31
60 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.34
70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)
80 permit ip any any (500 matches)

3 Replies

Seb Rupik
VIP Alumni

Hi there,

What is the IP on VLANx that you are trying to SSH from? Is your connection arriving via Gi0/0.99 or via another interface on the router?

 

cheers,

Seb.

Hello

16 permit tcp 10.99.7.0 0.0.0.255 any eq 22

70 deny ip 10.99.7.0 0.0.0.255 any (500368 matches)

 

So it looks like ACE 70 is denying the communication; when you take this out, does it work?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

It would be better to merge the two tickets you have so that it will be easier to resolve the issue and it will help others to learn from it in the future.

 

I saw that you added a new line to your ACL (16):

16 permit tcp 10.99.7.0 0.0.0.255 any eq 22

This line needs a little more modification, as you are attempting to provide the response from the SSH server. It needs to be modified as follows:

16 permit tcp 10.99.7.0 0.0.0.255 eq 22 any

 

HTH,

Meheretab
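Why an inbound ACL on Gi0/0.99 breaks SSH *into* VLAN 99: the client's SYN arrives on whatever interface serves VLANx and is not filtered there, but the server's SYN-ACK leaves the VLAN 99 host and enters Gi0/0.99, where the inbound ACL sees source 10.99.7.x, source port 22 and an ephemeral destination port. ACE 16 as written requires destination port 22, so the reply does not match it and falls through to ACE 70. The following is an added example, not code from the thread: a first-match evaluator for the IOS extended ACL syntax shown above, run over the poster's ACL, the fix proposed in the reply, and a tighter variant with the `established` keyword (an addition here, not something the thread suggests). The host addresses 10.99.7.50 (SSH server on VLAN 99) and 10.21.130.100 (client on VLANx) and the packets are constructed assumptions, since the thread never states the VLANx address.

```python
"""First-match evaluation of an IOS extended ACL against a packet.
Added illustration, not code from the thread; host addresses and packets are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Match:
    """IOS address/wildcard pair: a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def covers(self, ip: str) -> bool:
        return ((_ip(ip) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass
class Ace:
    seq: int
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", "icmp"
    src: Match
    sport: Optional[int]
    dst: Match
    dport: Optional[int]
    established: bool    # matches only TCP segments with ACK or RST set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


def _match(t: List[str], i: int) -> Tuple[Match, int]:
    if t[i] == "any":
        return Match(0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return Match(_ip(t[i + 1]), 0), i + 2
    return Match(_ip(t[i]), _ip(t[i + 1])), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split("(")[0].split()          # drop any "(N matches)" counter
    src, i = _match(t, 3)
    sport, i = _port(t, i)
    dst, i = _match(t, i)
    dport, i = _port(t, i)
    return Ace(int(t[0]), t[1], t[2], src, sport, dst, dport, "established" in t[i:])


def parse_acl(text: str) -> List[Ace]:
    lines = [l for l in text.splitlines() if l.strip()]
    return [parse_ace(l) for l in lines if l.split()[0].isdigit()]   # skip the header line


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, sequence) of the first matching ACE; ("deny", None) is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (ace.src.covers(pkt.src) and ace.dst.covers(pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return ace.action, ace.seq
    return "deny", None


# The poster's ACL as applied inbound on Gi0/0.99 (match counters dropped).
ORIGINAL_LINE16 = "16 permit tcp 10.99.7.0 0.0.0.255 any eq 22"
ORIGINAL_ACL = f"""
10 permit icmp 10.99.7.0 0.0.0.255 any
15 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.50
{ORIGINAL_LINE16}
20 permit ip 10.99.7.0 0.0.0.255 host 10.99.0.10
30 permit ip 10.99.7.0 0.0.0.255 host 10.99.130.10
40 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.93
50 permit ip 10.99.7.0 0.0.0.255 host 10.21.130.31
60 permit ip 10.99.7.0 0.0.0.255 host 10.5.1.34
70 deny ip 10.99.7.0 0.0.0.255 any
80 permit ip any any
"""
SUGGESTED_LINE16 = "16 permit tcp 10.99.7.0 0.0.0.255 eq 22 any"   # fix proposed in the thread
TIGHTER_LINE16 = SUGGESTED_LINE16 + " established"                 # added here: replies only

# Constructed packets; 10.99.7.50 (SSH server on VLAN 99) and 10.21.130.100
# (client on VLANx) are assumed addresses that do not appear in the thread.
SYN_ACK = Packet("tcp", "10.99.7.50", "10.21.130.100", 22, 51234, frozenset({"SYN", "ACK"}))
NEW_FROM_22 = Packet("tcp", "10.99.7.50", "10.21.130.100", 22, 445, frozenset({"SYN"}))


def compare() -> dict:
    acls = {
        "original": parse_acl(ORIGINAL_ACL),
        "suggested": parse_acl(ORIGINAL_ACL.replace(ORIGINAL_LINE16, SUGGESTED_LINE16)),
        "tighter": parse_acl(ORIGINAL_ACL.replace(ORIGINAL_LINE16, TIGHTER_LINE16)),
    }
    return {(name, pname): evaluate(acl, pkt)
            for name, acl in acls.items()
            for pname, pkt in (("syn-ack", SYN_ACK), ("new-from-22", NEW_FROM_22))}


if __name__ == "__main__":
    for (acl_name, pkt_name), (action, seq) in compare().items():
        print(f"{acl_name:>9} ACL, {pkt_name:<12}: {action} by ACE {seq}")
```

Run as written, the original ACL denies the SSH SYN-ACK at ACE 70 while both corrected ACLs permit it at ACE 16. The difference between the two fixes is the second packet: the plain `eq 22 any` form also lets a VLAN 99 host open new connections anywhere as long as it uses source port 22, whereas the `established` form only admits segments with ACK or RST set and pushes that fresh SYN back down to ACE 70. This is still port-and-flag matching rather than real state tracking; a stateful firewall or reflexive ACL is the right tool if that distinction matters.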