01-28-2013 07:22 AM - edited 03-07-2019 11:21 AM
I have a very simple access list. I only want to allow the network 172.16.0.0 to have ssh access to my router.
Here is the access list
Standard IP access list 23
10 permit 172.16.0.0, wildcard bits 0.0.255.255
I then applied it to line vty 0 4 and line vty 5 15, tried to connect using putty from my laptop which has an address in the 172.16.0.0 range and I cannot connect. I remove the ACL and can connect again.
What is the problem?
01-28-2013 07:26 AM
Do you get a prompt for a certificate when you try to connect? If not, try generating your keys:
crypto key genera rsa mod 1024
Then try again. If you get a login, you'll need to have a local user account created on the router for ssh to use as well. Then go under your line and tell it to use the local database for authentication:
line vty 0 4
transport input ssh
login local
Other than that, you should be able to use the acl that you configured provided that the router "sees" the source as 172.16.0.0/16.
HTH,
John
*** Please rate all useful posts ***
01-28-2013 07:31 AM
When I first connected to the router without an ACL yes it prompted for a certificate but now that I have it installed it does not. I can connect fine when the ACL is not applied so I'm stumped.
01-28-2013 08:41 AM
It should work fine. Can you post your config? What are you using to connect to the router?
HTH,
John
*** Please rate all useful posts ***
01-28-2013 08:56 AM
Below is the config. I have replaced actual IP addresses with x's.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 **
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication ppp default if-needed local group tacacs+
aaa authorization exec default local group tacacs+
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name springfieldmo.gov
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1020712
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1020712
revocation-check none
rsakeypair TP-self-signed-1020712
!
!
crypto pki certificate chain TP-self-signed-1020712
certificate self-signed 01
*******
quit
license udi pid CISCO2901/K9 sn FTX164183KE
!
!
username admin privilege 15 password 7 ******
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address x.x.x.x 255.255.255.252
duplex full
speed 100
!
interface GigabitEthernet0/1
description outside
ip address x.x.x.x 255.255.255.224
duplex full
speed 100
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route x
ip route x
ip route x
ip route x
ip route x
access-list 23 permit 172.16.0.0 0.0.255.255
!
no cdp run
!
snmp-server community leavinglv RO
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 *****
!
!
!
control-plane
!
!
banner motd ^message^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
01-28-2013 09:04 AM
Are you natting the 172.16.0.0 anywhere? It looks like you have 2 public addresses on this router.
HTH,
John
*** Please rate all useful posts ***
01-28-2013 10:56 AM
Hi
You are missing access-class under your vty lines:
access-class 23 in
01-29-2013 05:59 AM
Yep, I'm natting 172.16.0.0. Totally forgot about that, so I must be putting the wrong IPs in the ACL. To access it, it goes from the inside interface of our firewall to the outside (which gets natted to the outside IP range). Should I create a static NAT for this so I can apply the ACL?
01-29-2013 07:48 AM
Yes. You're not matching any longer on the 172.x.x.x subnet, so you need to nat out a specific ip address. You can also only nat out a specific ip when using ssh if you'd rather nat out as something different when not.
HTH,
John
*** Please rate all useful posts ***
01-29-2013 06:43 AM
Hi
Yes, you can create static NAT entries for the IPs which require NAT, and others can be exempted.
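As an added illustration (not from any post in this thread), a small Python model of how a standard ACL applied with "access-class ... in" is evaluated against the source address the router actually sees. The laptop address 172.16.10.5 and the post-NAT address 203.0.113.10 are constructed placeholders for the thread's redacted values.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'.
    0.0.255.255 against 172.16.0.0 therefore matches all of 172.16.0.0/16."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate_acl(entries, src: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def vty_decision(acl, src: str, access_class_applied: bool) -> str:
    """A vty line only consults the ACL once 'access-class <n> in' is on the line;
    'ip http access-class 23' by itself protects the HTTP server, not SSH."""
    if not access_class_applied:
        return "permit"
    return evaluate_acl(acl, src)


# The ACL from the thread: (action, network, wildcard) in sequence order.
ACL_23 = [("permit", "172.16.0.0", "0.0.255.255")]

# Constructed addresses: the laptop's real address and the address the
# firewall translates it to (203.0.113.10 is a documentation-range placeholder).
LAPTOP = "172.16.10.5"
NATTED = "203.0.113.10"

# Corrected ACL for the thread's situation: permit the post-NAT source as a
# host entry (wildcard 0.0.0.0), since the router never sees the private range.
ACL_23_FIXED = [("permit", NATTED, "0.0.0.0")]


if __name__ == "__main__":
    print(vty_decision(ACL_23, LAPTOP, True))        # permit (pre-NAT source)
    print(vty_decision(ACL_23, NATTED, True))        # deny (what the router sees)
    print(vty_decision(ACL_23_FIXED, NATTED, True))  # permit
```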