
I'm puzzled because I can SSH into this router from 192.168.1.10, but not from 192.168.30.3 (as per ACL 6). No interface mentions any of these access lists, so am I correct in assuming these are global access lists, applied to all interfaces?

If so, in what order?

Are there several denies in the list that render certain rules useless, or one single deny any any at the very end?

If I make an access-list 3 permit any, will that allow me to SSH into this router from anywhere within the 192.168.0.0 network?

What would happen if I specified a specific ACL for one of the interfaces? Would the remaining rules still apply?

Here is the sanitized output of show access-list:

Standard IP access list 5
10 permit 144.1.1.1 (10000 matches)
20 permit 155.1.1.1 (10000 matches)
40 deny   any (100000 matches)
Standard IP access list 6
10 permit 192.168.0.0, wildcard bits 0.0.255.255 (100000 matches)
20 deny   any (10 matches)
Standard IP access list 7
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Extended IP access list 122
10 permit ip host 5.5.5.5 any
20 permit ip host 6.6.6.6 any
70 deny ip any any log (1000 matches)
Extended IP access list snooplion1_acl
10 permit ip 4.2.1.0 0.0.0.7 10.1.1.0 0.0.0.255 log (1000 matches)
20 permit ip 4.2.1.0 0.0.0.7 10.1.2.0 0.0.0.255 log
Extended IP access list snooplion2_acl
10 permit ip host 4.2.1.2 host 4.4.1.1 log (100000 matches)
20 permit ip host 4.2.1.3 host 4.4.1.1 log (100000 matches)
Extended IP access list snooplion3_acl
10 permit ip 4.2.1.0 0.0.0.7 host 4.4.4.4 log (100000 matches)
Extended IP access list snooplion4_acl
10 permit ip 4.2.1.0 0.0.0.7 192.168.2.0 0.0.0.255 log (100000 matches)
20 permit ip 4.2.1.0 0.0.0.7 192.168.3.0 0.0.0.255 log (100000 matches)
Extended IP access list snooplion5_acl
10 permit ip 4.2.1.0 0.0.0.7 4.3.3.80 0.0.0.15 log
Extended IP access list snooplion6_acl
10 permit ip 4.2.1.0 0.0.0.7 4.3.3.80 0.0.0.15 log (10 matches)
gozu

1 Answer


If no interface (or vty) mentions these ACLs then they are not applied. There's no such thing as a globally applied ACL in IOS - particularly given that an ACL can mean very different things in different contexts (i.e. route-maps, QoS and packet filtering can all use the same structure).

rnxrx
  • The named ACLs are used in crypto maps, so I'm guessing they are used for VPN connections. The 122 extended ACL is used for vty (terminal connections). But the standard ACLs (5, 6 and 7) are not used on any interface, yet they still have matches and those matches are increasing regularly (except ACL 7, that one doesn't have any matches). How come? – gozu Aug 09 '12 at 16:00
  • If the counters on the ACL are increasing then it's applied somewhere. BTW - whatever is in 122 (the vty) is likely driving your ssh reachability. – rnxrx Aug 09 '12 at 19:00
  • They were used in access groups for NTP servers at the very bottom. That's why I didn't spot them. Doh! Thanks for your help! – gozu Aug 09 '12 at 21:21
  • I've noticed that people who come from the security appliance side of Cisco (ASA, PIX, etc.) usually get confused by the fact that there's no global ACL on a switch/router. – Alo Aug 23 '12 at 21:44
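As an added illustration (not code from the question or the answer), the following Python snippet parses the standard ACLs from the show access-list output above and applies IOS evaluation order: entries are tried top to bottom, the first match wins, and anything that matches nothing hits the implicit deny at the end. The sample text is copied from the question; the function names and the host-vs-wildcard handling are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: standard ACLs 5, 6 and 7 copied from the show access-list output above.
SHOW_ACCESS_LIST = """\
Standard IP access list 5
10 permit 144.1.1.1 (10000 matches)
20 permit 155.1.1.1 (10000 matches)
40 deny   any (100000 matches)
Standard IP access list 6
10 permit 192.168.0.0, wildcard bits 0.0.255.255 (100000 matches)
20 deny   any (10 matches)
Standard IP access list 7
10 permit 192.168.1.0, wildcard bits 0.0.0.255
"""

HEADER_RE = re.compile(r"^Standard IP access list (\S+)$")
ENTRY_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(any|[\d.]+)"
                      r"(?:,\s+wildcard bits\s+([\d.]+))?(?:\s+\(\d+ matches\))?$")

def parse_standard_acls(text):
    """Return {acl_name: [(seq, action, addr_int, wildcard_int), ...]} in line order."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        seq, action, addr, wildcard = m.groups()
        if addr == "any":           # 'any' is 0.0.0.0 with an all-ones wildcard
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif wildcard is None:      # a bare address is a host entry (wildcard 0.0.0.0)
            wildcard = "0.0.0.0"
        current.append((int(seq), action, int(ipaddress.ip_address(addr)),
                        int(ipaddress.ip_address(wildcard))))
    return acls

def evaluate(entries, source):
    """IOS semantics: the first matching entry wins; no match hits the implicit deny."""
    src = int(ipaddress.ip_address(source))
    for seq, action, addr, wildcard in entries:
        keep = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
        if (src & keep) == (addr & keep):
            return action, seq
    return "deny", None  # the implicit 'deny any' at the end of every ACL
```

For the two hosts in the question, evaluate(acls["6"], "192.168.30.3") returns ("permit", 10) just like 192.168.1.10, whereas evaluate(acls["7"], "192.168.30.3") returns ("deny", None), the implicit deny. So the per-host difference can only come from whichever list is actually applied to the vty, not from the unreferenced standard lists.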