VTY Access list problems

Matt Roberts
Level 1

I have a very simple access list. I only want to allow the network 172.16.0.0 to have ssh access to my router.

Here is the access list

Standard IP access list 23

    10 permit 172.16.0.0, wildcard bits 0.0.255.255

I then applied it to line vty 0 4 and line vty 5 15, tried to connect using putty from my laptop which has an address in the 172.16.0.0 range and I cannot connect. I remove the ACL and can connect again.

What is the problem?

9 Replies

John Blakley
VIP Alumni

Do you get a prompt for a certificate when you try to connect? If not, try generating your keys:

crypto key generate rsa modulus 1024

Then try again. If you get a login, you'll need to have a local user account created on the router for ssh to use as well. Then go under your line and tell it to use the local database for authentication:

line vty 0 4
 transport input ssh
 login local

Other than that, you should be able to use the acl that you configured provided that the router "sees" the source as 172.16.0.0/16.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

When I first connected to the router without an ACL, yes, it prompted for a certificate, but now that I have it installed it does not. I can connect fine when the ACL is not applied, so I'm stumped.

It should work fine. Can you post your config? What are you using to connect to the router?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Below is the config. I have replaced actual IP addresses with x's.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 4 **
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication ppp default if-needed local group tacacs+
aaa authorization exec default local group tacacs+
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip domain name springfieldmo.gov
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1020712
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1020712
 revocation-check none
 rsakeypair TP-self-signed-1020712
!
crypto pki certificate chain TP-self-signed-1020712
 certificate self-signed 01
  *******
  quit
license udi pid CISCO2901/K9 sn FTX164183KE
!
username admin privilege 15 password 7 ******
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address x.x.x.x 255.255.255.252
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description outside
 ip address x.x.x.x 255.255.255.224
 duplex full
 speed 100
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route x
ip route x
ip route x
ip route x
ip route x
access-list 23 permit 172.16.0.0 0.0.255.255
!
no cdp run
!
snmp-server community leavinglv RO
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 *****
!
control-plane
!
banner motd ^message^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Are you natting the 172.16.0.0 anywhere? It looks like you have 2 public addresses on this router.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Hi

You are missing access-class under your vty lines:

access-class 23 in

Yep, I'm NATing 172.16.0.0; I totally forgot about that, so I must be putting the wrong IPs in the ACL. To access it, it goes from the inside interface of our firewall to the outside (which gets NATed to the outside IP range). Should I create a static NAT for this so I can apply the ACL?

Yes. You're no longer matching on the 172.x.x.x subnet, so you need to NAT out a specific IP address. You can also NAT out a specific IP only when using SSH, if you'd rather NAT out as something different otherwise.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
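The two causes discussed in the replies above (an ACL that is defined but never bound to the vty lines with `access-class 23 in`, and a source address that no longer matches 172.16.0.0/16 once the firewall NATs it) can be checked offline with a small model of how IOS evaluates a standard ACL on a vty line. This is an added example written for this page, not code from the thread or from Cisco; the wildcard-mask matching and the implicit deny at the end of the ACL follow documented IOS behaviour, while the laptop address, the firewall's post-NAT outside address (RFC 5737 documentation ranges) and the "corrected" vty block are constructed for illustration.

```python
"""Model IOS standard-ACL filtering on a `line vty` block.

Added example for this thread (not the original poster's or Cisco's code).
Demonstrates:
  1. a numbered ACL that exists in the config but is never referenced by
     `access-class N in` under the vty lines filters nothing;
  2. once the laptop's traffic is NATed by the firewall, the router sees the
     firewall's outside address, which does not match 172.16.0.0 0.0.255.255
     and therefore hits the implicit deny at the end of the ACL.
All addresses below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import re
from dataclasses import dataclass

# Matches: access-list N permit|deny any | host A.B.C.D | A.B.C.D [W.X.Y.Z]
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<net>\S+)(?:\s+(?P<wild>\S+))?)\s*$"
)


@dataclass
class Ace:
    action: str
    network: int   # 32-bit integer form of the address in the ACE
    wildcard: int  # IOS wildcard bits: a 1 bit means "don't care"

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        # Compare only the bits the wildcard does not mask out.
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(src) & care) == (self.network & care)


def parse_acl(lines):
    """Parse `access-list N ...` lines into {N: [Ace, ...]} in config order."""
    acls = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not an ACE (e.g. a comment or unrelated config line)
        if m["any"]:
            net, wild = 0, 0xFFFFFFFF
        elif m["host"]:
            net, wild = int(ipaddress.IPv4Address(m["host"])), 0
        else:
            net = int(ipaddress.IPv4Address(m["net"]))
            wild = int(ipaddress.IPv4Address(m["wild"] or "0.0.0.0"))
        acls.setdefault(int(m["num"]), []).append(Ace(m["action"], net, wild))
    return acls


def vty_access_class(vty_block):
    """Return the ACL number bound inbound on a `line vty` block, or None."""
    for line in vty_block:
        m = re.match(r"^\s*access-class\s+(\d+)\s+in\b", line)
        if m:
            return int(m.group(1))
    return None


def vty_permits(src, vty_block, acls):
    """Decide whether `src` may open a session to these vty lines."""
    src = ipaddress.IPv4Address(src)
    num = vty_access_class(vty_block)
    if num is None:
        return True  # no access-class bound: the ACL is never consulted
    for ace in acls.get(num, []):  # first matching entry wins
        if ace.matches(src):
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


# The ACL exactly as it appears in the posted config.
ACL_LINES = ["access-list 23 permit 172.16.0.0 0.0.255.255"]

# vty block as posted: the ACL is defined but never referenced.
VTY_AS_POSTED = ["line vty 0 4", " privilege level 15", " transport input telnet ssh"]
# Corrected block (constructed): bind the ACL inbound and allow SSH only.
VTY_FIXED = ["line vty 0 4", " access-class 23 in", " transport input ssh"]

LAPTOP = "172.16.40.25"            # constructed inside address of the laptop
FIREWALL_OUTSIDE = "198.51.100.7"  # constructed post-NAT source the router sees


def demo():
    """Evaluate the four situations discussed in the thread."""
    acls = parse_acl(ACL_LINES)
    with_static = parse_acl(ACL_LINES + ["access-list 23 permit host " + FIREWALL_OUTSIDE])
    return {
        "posted_laptop": vty_permits(LAPTOP, VTY_AS_POSTED, acls),             # ACL not bound
        "fixed_pre_nat": vty_permits(LAPTOP, VTY_FIXED, acls),                 # 172.16.x.x matches
        "fixed_post_nat": vty_permits(FIREWALL_OUTSIDE, VTY_FIXED, acls),      # NATed source denied
        "fixed_post_nat_static": vty_permits(FIREWALL_OUTSIDE, VTY_FIXED, with_static),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The `fixed_post_nat_static` case is the static-NAT fix suggested in the replies: once the firewall always presents the same outside address for the management host, a `host` entry for that address (rather than the whole public range) keeps the vty ACL tight. Binding the ACL also to `line vty 5 15` and to `ip http access-class` follows the same logic.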

mahmoodmkl
Level 7

Hi
Yes, you can create static NAT entries for the IPs which require NAT, and the others can be exempted.

Sent from Cisco Technical Support iPhone App