
The intention here was to create an access-list that would permit any device with an IP from two different /24 subnets (let's call them 192.168.1.0 and 192.168.2.0) to SSH into the ISR while denying any other IPs. So I created the following standard access list.

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Then, while connected to the 192.168.1.0 subnet, I tried to SSH into the ISR via PuTTY and got an error stating the connection was refused.

When the following lines are removed I am able to SSH into the ISR without issue. (I have already done the SSH configuration on the ISR to use a large RSA key and SSH 2.0.)

line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in

I cannot for the life of me figure out why this simple access-list is blocking traffic when it should not. I am a bit of a novice with Cisco IOS, so it is probably some tiny detail I missed. Below is the current config of the vty lines and the ACLs:

!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 login authentication local
 transport input ssh
line vty 5 15
 access-class 1 in
 login authentication local
 transport input ssh
!
!
end
Zygodactyl
    See [this question](https://networkengineering.stackexchange.com/questions/44721/telnet-or-ssh-into-a-cisco-router). – Ron Maupin Oct 06 '17 at 00:55
  • Not seeing anything new there; that guy's issue was he did not configure the RSA key and did not specify the "transport input ssh" in his vty lines. I have all that specified. The only thing I can see that is different is a slight tweak to the access list in defining it as ip access-list instead of just access-list. – Zygodactyl Oct 06 '17 at 15:10
  • Don't you have to apply the access list to an interface or to a VLAN, instead of the line vty? – Daniel Widrick Oct 06 '17 at 17:53
  • Not sure, but all the guides I have found say to do it this way. If I were to apply it to an interface I would need to use an extended access-list to allow me to only filter port 22 or by SSH protocol. – Zygodactyl Oct 06 '17 at 21:43
  • Not to say that would not work. I may give that a try. – Zygodactyl Oct 06 '17 at 21:50
  • It looks OK from the snippet we're seeing. Can you add an explicit "access-list 1 deny any log" statement to the ACL to see what's getting dropped? If nothing else this should confirm you're coming from the right subnet. – rnxrx Oct 07 '17 at 04:48
  • Have you tried `login local` instead of `login authentication local`, if you are trying to authenticate with local users? – shogo2022 Oct 07 '17 at 22:21
  • Echoing rnxrx, you should add a deny any as your last ACE entry. The logged deny might give you more clues. – Aaron D Oct 08 '17 at 12:59
  • shogo, I will try that. As for the deny any entry, according to Cisco's documentation that is implied at the end of all ACLs. – Zygodactyl Oct 12 '17 at 14:37
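The comments above turn on how a standard ACL evaluates a source address: wildcard-mask matching, first-match ordering, and the implicit deny that follows the last ACE (which an explicit "deny any log" only makes visible). The following Python script is an added example written for this page, not code from the question, the answer or Cisco; it parses the two-line ACL from the question (plus the constructed "deny any log" ACE the commenters suggested) and evaluates sample source addresses against it using the IOS wildcard rule (a 1 bit in the wildcard means "don't care"). The sample IPs are constructed for illustration.

```python
"""Evaluate a Cisco IOS standard ACL (wildcard masks, first match, implicit deny).

Added example for the question above; the ACL text mirrors the question's
access-list 1 with a constructed explicit "deny any log" ACE appended.
"""
import ipaddress

ACL_1 = """
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 deny any log
"""

ALL_ONES = 0xFFFFFFFF


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <addr> [wildcard] [log]' lines.

    Returns a list of (action, network, wildcard, log) tuples in order.
    'any' and 'host X' shorthands are expanded to network/wildcard form.
    """
    aces = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        action = parts[2]
        log = parts[-1] == "log"
        operands = parts[3:-1] if log else parts[3:]
        if operands[0] == "any":
            net, wild = 0, ALL_ONES
        elif operands[0] == "host":
            net, wild = int(ipaddress.IPv4Address(operands[1])), 0
        else:
            net = int(ipaddress.IPv4Address(operands[0]))
            # A missing wildcard on a standard ACL means a single host (0.0.0.0).
            wild = int(ipaddress.IPv4Address(operands[1])) if len(operands) > 1 else 0
        aces.append((action, net, wild, log))
    return aces


def ace_matches(src, net, wild):
    """IOS wildcard semantics: only the bits that are 0 in the wildcard are compared."""
    care = ~wild & ALL_ONES
    return (src & care) == (net & care)


def evaluate(aces, src_ip):
    """Return (action, matched_index, logged) for the first matching ACE.

    If no ACE matches, the implicit deny at the end of every IOS ACL applies;
    it is reported with index None and is never logged, which is why adding an
    explicit 'deny any log' helps when troubleshooting.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    for index, (action, net, wild, log) in enumerate(aces):
        if ace_matches(src, net, wild):
            return action, index, log
    return "deny", None, False


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    # Constructed sample sources: two inside the permitted /24s, two outside.
    for ip in ("192.168.1.57", "192.168.2.200", "192.168.3.4", "10.0.0.1"):
        action, idx, logged = evaluate(acl, ip)
        where = "implicit deny" if idx is None else f"ACE {idx + 1}"
        print(f"{ip:<15} -> {action:<6} ({where}{', logged' if logged else ''})")
```

Running the script against the question's ACL shows that 192.168.1.x and 192.168.2.x sources are permitted by the first two ACEs, so a refusal from inside 192.168.1.0/24 is not explained by the ACL entries themselves; that is consistent with the commenters' advice to add a logged deny and look at what the router actually sees as the source address.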

1 Answer


If you want to SSH to the router through the MGMT interface, you must add vrf-also after the command in the new version, just as follows:

line vty 0 4
 access-class 1 in vrf-also
 login authentication local
 transport input ssh
line vty 5 15
 access-class 1 in vrf-also
 login authentication local
 transport input ssh
David W