When I first connected to the router without an ACL yes it prompted for a certificate but now that I have it installed it does not. I can connect fine when the ACL is not applied so I'm stumped.

It should work fine. Can you post your config? What are you using to connect to the router?

HTH,
John

*** Please rate all useful posts ***

Below is the config.  I have replaced actual IP addresses with x's.

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 **

!

aaa new-model

!

!

aaa authentication login default group tacacs+ local

aaa authentication ppp default if-needed local group tacacs+

aaa authorization exec default local group tacacs+

aaa authorization network default local group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

!

!

!

!

!

aaa session-id common

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip domain name springfieldmo.gov

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1020712

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1020712

revocation-check none

rsakeypair TP-self-signed-1020712

!

!

crypto pki certificate chain TP-self-signed-1020712

certificate self-signed 01

*******

      quit

license udi pid CISCO2901/K9 sn FTX164183KE

!

!

username admin privilege 15 password 7 ******

!

!

ip ssh time-out 90

ip ssh authentication-retries 2

ip ssh version 2

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address x.x.x.x 255.255.255.252

duplex full

speed 100

!

interface GigabitEthernet0/1

description outside

ip address x.x.x.x 255.255.255.224

duplex full

speed 100

!

ip forward-protocol nd

!

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route x

ip route x

ip route x

ip route x

ip route x

access-list 23 permit 172.16.0.0 0.0.255.255

!

no cdp run

!

snmp-server community leavinglv RO

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key 7 *****

!

!

!

control-plane

!

!

banner motd ^message^C

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

transport input telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Are you natting the 172.16.0.0 anywhere? It looks like you have 2 public addresses on this router.

HTH,
John

*** Please rate all useful posts ***

Hi

u r missing access-class under u r vty lines

access-class 23 in

Yep I'm natting 172.16.0.0 totally fogot about that so I must be putting the wrong ip's in the ACL. To access it, it goes from the inside interface of our firewall to the outside (which gets natted to outside ip range). Should I create a static nat for this so I can apply the ACL?

Yes. You're not matching any longer on the 172.x.x.x subnet, so you need to nat out a specific ip address. You can also only nat out a specific ip when using ssh if you'd rather nat out as something different when not.

HTH,
John

*** Please rate all useful posts ***