1528 Views, 0 Helpful, 13 Replies

Why is this extended ACL not working?

erasedhammer (Level 1)

!
interface Vlan105
description MNGMNT-ACCESS
ip address 172.20.5.3 255.255.255.248
ip access-group 100 in
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit icmp host 172.20.5.2 host 172.20.5.3
access-list 100 permit tcp host 172.20.5.2 host 172.20.5.3 eq 22
access-list 100 permit udp host 172.20.5.2 host 172.20.5.3 eq snmp
no cdp run
!
!
!
!
no vstack
!
line con 0
privilege level 0
line vty 0 4
access-class 100 in
exec-timeout 0 0
privilege level 0
transport input ssh
line vty 5 15
no exec
transport input none
!

I can't ping the switch.

I can't ssh to the switch.

I can't do snmp gets against the switch.

The ACL was working when it was only the ssh rule, but as soon as I added the others it stopped working.

Accepted Solution

Access lists, when used for access-class on vty, work much better as standard access lists and are quite tricky as extended access lists. If you want to use an extended access list for access-class, then the destination needs to be specified as 0.0.0.0.

If you configure a standard access list which permits that host address and use it in access-class, it should work fine.

HTH

Rick


13 Replies

Hello,

I tested your access list, the syntax is fine. I would remove the entire access list, also from the interface, reboot the router, and reenter everything.

I did a pcap this morning and it is now responding to snmp and icmp, but ssh is still connection refused.

Is there any way I could have jailed my IP from accessing ssh?

aaa local authentication attempts max-fail 5

ip ssh time-out 90
ip ssh version 2

erasedhammer (Level 1)

I've tried regenerating rsa keys, changing the system clock, removing exec-timeout, increasing max-auth retries to 5, increasing the auth timeout to 120 seconds, and transport input all. Still connection refused every time.

Hello

line vty 0 4
access-class 100 in
exec-timeout 0 10
privilege level 15

change above and test again

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

[Attachment: conreset.PNG]


I added the exec-timeout and priv level and still connection reset. Seems to reset a bit faster now I guess.

Hello,

turn on access list debugging and post the output:

Router#debug ip packet 100

Sep 13 18:43:58.108: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.108: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.108: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, rcvd 1
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, rcvd 1
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1260, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1260, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.393: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1260, rcvd 1
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, rcvd 1
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, rcvd 1
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.410: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 92, rcvd 1
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1262, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1262, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1262, rcvd 1
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1271, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1271, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 1271, rcvd 1
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 628, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 628, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:58.443: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 628, rcvd 1
Sep 13 18:43:59.207: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:59.207: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:43:59.207: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, rcvd 1
Sep 13 18:44:00.113: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:00.113: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:00.113: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 84, rcvd 1
Sep 13 18:44:01.144: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:01.144: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:01.144: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, rcvd 1
Sep 13 18:44:01.656: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:01.656: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:01.656: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, rcvd 1
Sep 13 18:44:02.168: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:02.168: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:02.168: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, rcvd 1
Sep 13 18:44:02.679: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:02.679: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:02.679: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, rcvd 1
Sep 13 18:44:03.183: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:03.183: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Sep 13 18:44:03.183: IP: s=172.20.5.2 (Vlan105), d=172.20.5.3, len 48, rcvd 1


I'll give that a try. The source IP for me is actually a NAT IP, which is why I wanted to specify specific ports.

ip ssh authentication-retries 5
ip ssh version 2
!

!
interface Vlan105
description MNGMNT-ACCESS
ip address 172.20.5.3 255.255.255.248
ip access-group 10 in
!
no ip http server
no ip http secure-server
!
!
logging host 172.20.25.3
access-list 10 permit 172.20.5.2 log
no cdp run
!
!
!
!
no vstack
!
line con 0
privilege level 0
line vty 0 4
access-class 10 in
exec-timeout 0 10
privilege level 15
transport input ssh

Sep 13 19:33:39.184: %SSH-3-NO_MATCH: No matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,$
Sep 13 19:34:35.774: %SEC-6-IPACCESSLOGS: list 10 permitted 172.20.5.2 189 packets
lan-sw#
lan-sw#
Sep 13 19:40:35.779: %SEC-6-IPACCESSLOGS: list 10 permitted 172.20.5.2 824 packets
Sep 13 19:44:38.176: %SSH-3-NO_MATCH: No matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,$
Sep 13 19:46:35.776: %SEC-6-IPACCESSLOGS: list 10 permitted 172.20.5.2 346 packets

On the client side I get this error:

Unable to negotiate with 172.20.5.3 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

I tried ssh'ing and it worked, but then the exec timeout kicked in and kicked me off. I tried to reconnect, but then it said no matching ciphers found. Then I tried ssh'ing again and it just times out.

Then after waiting for a little bit, I can ssh fine, exec timeout, then no matching cipher, then connection time out.

Is there some sort of brute force protection built in that's killing multiple connections?

I'm going to change the exec-timeout to 5 minutes and see if I can reliably connect.

Standard access-list works. SSH just gives no matching cipher found...
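The "no matching cipher found" pair of messages above (the switch's %SSH-3-NO_MATCH line and the OpenSSH client's "Their offer:" error) is a separate failure from the ACL problem, and the two lines together are enough to show why: the client only offers chacha20 and AES-CTR, the switch only offers CBC and 3DES, so the intersection is empty. The following script is an added illustration, not code from this thread or from Cisco; it parses both messages and applies the negotiation rule from RFC 4253 section 7.1. The posted log line is cut off at ",$", so the client list is assumed to end at aes256-ctr, and the server list with CTR added at the end is constructed to show what the same client would then choose.

```python
# Added illustration (not code from the thread): SSH cipher negotiation as
# RFC 4253 section 7.1 defines it, applied to the two lists the thread shows.
# The client list comes from the switch's %SSH-3-NO_MATCH log line (the posted
# line is truncated at ",$", so it is assumed to end at aes256-ctr); the
# switch's list comes from the OpenSSH client error text.
import re

# Constructed from the two messages posted in the thread.
IOS_LOG = ("Sep 13 19:33:39.184: %SSH-3-NO_MATCH: No matching cipher found: "
           "client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,$")
OPENSSH_ERR = ("Unable to negotiate with 172.20.5.3 port 22: no matching cipher found. "
               "Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc")


def parse_ios_no_match(line):
    """Client name-list from an IOS %SSH-3-NO_MATCH line; the trailing '$'
    left by a truncated terminal line is dropped along with the empty field."""
    m = re.search(r"client (\S+)", line)
    if not m:
        raise ValueError("not a %SSH-3-NO_MATCH line")
    return [alg for alg in m.group(1).rstrip("$").split(",") if alg]


def parse_openssh_offer(line):
    """Server name-list from OpenSSH's 'Their offer:' error text."""
    m = re.search(r"Their offer: (\S+)", line)
    if not m:
        raise ValueError("no 'Their offer:' in message")
    return m.group(1).split(",")


def negotiate(client, server):
    """RFC 4253 7.1: the chosen algorithm is the first entry of the client's
    list that the server also lists; None when the lists do not intersect."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def is_legacy(alg):
    """CBC-mode and 3DES ciphers are the ones current OpenSSH clients no
    longer offer by default, which is why the client list above has none."""
    return alg.endswith("-cbc") or alg.startswith("3des")


def diagnose(ios_line=IOS_LOG, openssh_line=OPENSSH_ERR):
    """Parse both messages and report the negotiation outcome."""
    client = parse_ios_no_match(ios_line)
    server = parse_openssh_offer(openssh_line)
    return {
        "client": client,
        "server": server,
        "chosen": negotiate(client, server),               # None: no overlap
        "server_all_legacy": all(is_legacy(a) for a in server),
        # What this client would pick if the switch also offered CTR modes
        # (constructed server list, not a setting taken from the thread).
        "chosen_with_ctr": negotiate(client, server + ["aes128-ctr", "aes256-ctr"]),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The fix for this part belongs on the switch side: the client's list is already the modern one, and the resolution is to have the switch offer at least one CTR (or, where the release supports it, GCM/chacha20) cipher. On IOS releases that have `ip ssh server algorithm encryption`, that command sets the server's list and `show ip ssh` displays it; older images without that command can only offer the CBC set seen here.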

Thanks for confirming that standard acl does work. Looking at the acl, it has statements for icmp, telnet, and snmp. If you apply the acl to an interface using access-group, these would make sense. But applying it to vty using access-class, only the telnet statement makes sense.

HTH

Rick
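The accepted answer and the reply just above make the same point: access-list 100 is evaluated one way by `ip access-group 100 in` on the interface and another way by `access-class 100 in` on the vty. The script below is an added illustration, not code from this thread or from Cisco, and it models that difference with the thread's own lists. The vty rule follows the accepted answer's statement that the destination is evaluated as 0.0.0.0; treating that as the evaluation rule, and matching the vty connection as tcp/22, are assumptions taken from that post. List 101 is constructed here to show an extended list written the way the accepted answer suggests.

```python
# Added illustration (not code from the thread or from Cisco): a small model of
# how the same ACL is evaluated under 'ip access-group N in' on an interface
# versus 'access-class N in' on the vty lines. The vty rule follows the
# accepted answer (destination evaluated as 0.0.0.0); that, and matching the
# vty session as tcp/22, are assumptions taken from that post.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "icmp", "tcp" or "udp"
    dport: Optional[int]   # None for icmp


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" for standard entries (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # standard entries: 0.0.0.0/0 (any)
    dport: Optional[int]         # None = any destination port


NAMED_PORTS = {"ssh": 22, "telnet": 23, "snmp": 161}


def parse_acl(lines):
    """Parse the two forms used in the thread:
       access-list 10  permit A.B.C.D [log]
       access-list 100 permit <proto> host A host B [eq PORT]"""
    entries = []
    for line in lines:
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if number <= 99:  # standard numbered list: source address only
            entries.append(Entry(action, "ip", ipaddress.ip_network(tok[3] + "/32"),
                                 ipaddress.ip_network("0.0.0.0/0"), None))
            continue
        proto, src, dst = tok[3], tok[5], tok[7]  # "host A host B"
        dport = None
        if len(tok) > 9 and tok[8] == "eq":
            dport = int(tok[9]) if tok[9].isdigit() else NAMED_PORTS[tok[9]]
        entries.append(Entry(action, proto, ipaddress.ip_network(src + "/32"),
                             ipaddress.ip_network(dst + "/32"), dport))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def interface_check(entries, pkt):
    """'ip access-group N in': the real packet header is evaluated."""
    return evaluate(entries, pkt)


def vty_check(entries, client_ip):
    """'access-class N in', modelled per the accepted answer: the client is the
    source and the destination is 0.0.0.0, so only an entry whose destination
    covers 0.0.0.0 (host 0.0.0.0, or any) can ever match."""
    return evaluate(entries, Packet(client_ip, "0.0.0.0", "tcp", 22))


# The two lists from the thread, plus a constructed list 101 written the way
# the accepted answer suggests (destination 0.0.0.0).
ACL_100 = parse_acl([
    "access-list 100 permit icmp host 172.20.5.2 host 172.20.5.3",
    "access-list 100 permit tcp host 172.20.5.2 host 172.20.5.3 eq 22",
    "access-list 100 permit udp host 172.20.5.2 host 172.20.5.3 eq snmp",
])
ACL_10 = parse_acl(["access-list 10 permit 172.20.5.2 log"])
ACL_101 = parse_acl(["access-list 101 permit tcp host 172.20.5.2 host 0.0.0.0 eq 22"])


def demo():
    """Verdicts for the traffic discussed in the thread."""
    mgmt = "172.20.5.2"
    return {
        # On the interface, list 100 permits exactly the three flows intended.
        "if100_icmp": interface_check(ACL_100, Packet(mgmt, "172.20.5.3", "icmp", None)),
        "if100_ssh": interface_check(ACL_100, Packet(mgmt, "172.20.5.3", "tcp", 22)),
        "if100_snmp": interface_check(ACL_100, Packet(mgmt, "172.20.5.3", "udp", 161)),
        "if100_telnet": interface_check(ACL_100, Packet(mgmt, "172.20.5.3", "tcp", 23)),
        # The same list on the vty never matches: 0.0.0.0 is not host 172.20.5.3.
        "vty100": vty_check(ACL_100, mgmt),
        # Standard list 10, and extended list 101 with destination 0.0.0.0, admit the host.
        "vty10": vty_check(ACL_10, mgmt),
        "vty10_other": vty_check(ACL_10, "172.20.5.4"),
        "vty101": vty_check(ACL_101, mgmt),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The model reproduces what the thread observed: with list 100 applied both ways, ping and SNMP get through the interface ACL while the SSH session is refused at the vty, and swapping in the standard list 10 (as the `%SEC-6-IPACCESSLOGS` lines confirm) admits the management host. Keeping the interface ACL extended and the vty ACL standard gives the per-port restriction the poster wanted without depending on the access-class destination quirk.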

I am glad that my suggestion pointed you to the solution. It is a subtle thing about access lists and not many sources point this out. But access-class on vty has significantly different logic from access-group on an interface. And access-class works more intuitively with a standard access list and not the way you would expect with an extended access list. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick