Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
468
Views
0
Helpful
2
Replies

ACL question

mocah
Level 1
Level 1

‎02-18-2006 05:58 AM

Would you please explain me why the following ACL’s do not work. I purchased block of 8 IP addresses from ISP (ADSL connection). I have received the following from ISP:” IP’s 194.252.157.248/29 all traffic is routed to IP address 194.252.157.249”

Setup (Cisco 1712):

Wan interface (Dialer): 194.252.157.249/31

Vlan 1(Local Network): 192.168.1.1/24

Vlan 2(Public IP address): 194.252.157.253/30 - 194.252.157.254 goes to Web/mail server

I am trying to limit SSH access only to IP address 194.252.157.254 and 194.252.157.249 with no success. I can only achieve SSH access if I have statement: “access-list 101 permit tcp any any eq 22 login” ACL. If I try with:

access-list 101 permit tcp any host 194.252.157.249 eq 22 log” and “access-list 101 permit tcp any host 194.252.157.254 eq 22 log” all SSH connection are disconnected.

Thank you and kind regards,

M

Labels:
Preview file
5 KB
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎02-18-2006 01:49 PM

Marko

I assume from your statement that addresses 194.252.157.249 and 194.252.157.254 are the destinations that SSH should connect to (which would allow SSH to the router dialer address and to the server). When you say that SSH sessions are disconnected if you use the specific access list entries, where were the SSH connections connected to when you tried this (what address was specified in the SSH command to make the connection)?

A good approach to troubleshooting ACL problems is to use the log parameter on the deny statements - which your access list does do. So you should be able to look in the log from the router, find the packets that were denied, and get some indicator of what did not match (what address were they using as destination)?

HTH

Rick

HTH

Rick
0 Helpful

mocah
Level 1
Level 1
In response to Richard Burts

‎02-19-2006 04:35 AM

Dear Rick,

I was trying to achieve that I would be able to connect from any public address to only those two IP addresses.

I think I did it. I have put following entries in ACL:

permit tcp any host 194.252.157.249 eq 22 (528 matches)

permit tcp any host 194.252.157.254 eq 22 (25 matches)

deny tcp any any eq 22 (24 matches)

Thank you for your help and kind regards,

Marko

0 Helpful
Customers Also Viewed These Support Documents