access-class on vty not working for 1 of 2 subnets

DurzoBlint
Level 1

Hello all,

I have 5 switches in my LAN, one of which feeds our OoB management LAN to the management port of the other switches.  All are C3850-24SX switches.

I'm having an issue with one of them.  We have a requirement to set an "access-class MGNT in" on our line vty 0 1.

That access list is required to be extended, so that the ending deny all can be set to log input.

My access-list looks like this.

ip access-list extended MGNT
  10 permit ip 10.10.10.0 0.0.0.255 any
  11 permit ip 11.11.11.0 0.0.0.255 any
  20 deny ip any any log-input

I have a Windows server that is dual homed (2 NICs, one IP'd to each subnet).
If I try to SSH to the switch over its 11.11.11.x IP, it goes through. But if I try to SSH to the 10.10.10.x IP, I get an error that the connection was rejected.

I know that my problem is with my access list, because if I remove the "access-class MGMT in" command from our line vty 0 1, I can now SSH over either IP.

I've tried removing line 11 so that ONLY line 10 was the one in there, and that results in not being able to SSH over any IP. As soon as I put line 11 back, I can only SSH over that 11.11.11.x IP again.
I've tried re-ordering them so that the 10.10.10.x rule is now line 12 instead of line 10.  But that didn't do anything.

I'm really at a loss here, because everything I've read tells me this should work. And it appears to be working on our other switches. This was set up by a previous Network Admin who is no longer here, but he didn't do it right anyway. Half of our switches are extended ACLs and half are standard ACLs. So I still have to go around and replace the standard ones. But we do have other switches with the exact same configuration that are working fine.

Any ideas?
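The ACL from the post, evaluated the way IOS applies an access-class (first matching entry wins, source address checked against the wildcard mask, implicit deny at the end). This is an added example, not code from the thread or from Cisco; the matcher only models source-address matching, which is what access-class uses here, and the sample source addresses are constructed.

```python
import ipaddress

# Constructed copy of the ACL posted in the thread.
MGNT_ACL = """
ip access-list extended MGNT
  10 permit ip 10.10.10.0 0.0.0.255 any
  11 permit ip 11.11.11.0 0.0.0.255 any
  20 deny ip any any log-input
"""


def parse_acl(text):
    """Return (seq, action, proto, src_net, src_wildcard) for each entry.

    Only the source part of each entry is kept: an access-class on a vty
    decides on the source address of the incoming session.
    """
    entries = []
    for line in text.strip().splitlines()[1:]:  # skip the 'ip access-list' header
        parts = line.split()
        seq, action, proto = int(parts[0]), parts[1], parts[2]
        if parts[3] == "any":
            src, wild = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            src, wild = parts[4], "0.0.0.0"
        else:
            src, wild = parts[3], parts[4]
        entries.append((seq, action, proto, src, wild))
    return entries


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0


def access_class_verdict(acl, src_ip):
    """First matching entry wins; no match means the implicit deny."""
    for seq, action, _proto, net, wild in acl:
        if wildcard_match(src_ip, net, wild):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(MGNT_ACL)
    # Constructed source addresses: one per management subnet plus an outsider.
    for src in ("10.10.10.25", "11.11.11.25", "192.168.1.9"):
        print(src, access_class_verdict(acl, src))
```

Both management subnets come back as permit by their own sequence number, so if a session sourced from 10.10.10.x is still refused, the cause is in how the session reaches the vty (which interface the dual-homed host sources from, as the replies below go on to ask), not in the entries themselves.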

When you failed to access using 10.10.10.0

MHM

balaji.bandi
Hall of Fame

How is your host routing?

Can you do a route print (I am thinking there may be asymmetric routing)? How about trying the established statement below; does that work?

ip access-list extended MGNT
permit tcp any any eq 22
deny tcp any any log
!
line vty 0 4
access-class MGNT in

Also, you do not need the one below, unless it is required for testing:

13 permit tcp any eq ssh any established

Also check the logs on the switch; what do the logs show?

Was the connection rejected, or refused? (show logging will give some direction.)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Adding your permit line didn't work.
I tried removing my ending deny rule, that didn't work.
I tried adding permit ip any any before the deny rule, that didn't work.
After all attempts, the on-screen PuTTY error says "refused".
When I do a "show logging", I see no refused/failed messages.  The last message is the successful login.

The only thing that does work is still to remove the access-class line completely from vty.  Then when I log in to either the 10.10.10.x or the 11.11.11.x IP, I see successful login messages in show logging.

Also, I don't know what you mean about the permit line "ssh any established". I don't currently have that line in. Are you suggesting I try adding that as well?

Can you do a route print (from the Windows host where you have dual connections)?

Leave the ACL as original, try disabling each interface on Windows and test it (start with ping and then SSH, and see if that works).

 

BB
