ACL problem on 1841

Unanswered Question
Sep 8th, 2009

I am having a problem with an ACL blocking SSH from the outside interface. I do not want users to SSH to my router from the outside at all. Here is my ACL and the way it is applied to the interface that faces the internet.

ip access-list extended OUTSIDE_IN
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 deny ip any any log

interface FastEthernet0/0
 description *****WAN_CONNECTION*****
 ip address x.x.x.x 255.255.255.x
 ip access-group OUTSIDE_IN in
 ip nat outside
 ip inspect FW_OUT out
 ip virtual-reassembly
 duplex auto
 speed auto

I have an explicit deny all and it still allows SSH sessions from the outside. This seems to be so simple, and I have done this on a test router and it works, just not on my production router. Any ideas?

Attached is the entire config.

Kureli Sankar Tue, 09/08/2009 - 08:47

If you do not want anyone to SSH to the router, then you can remove this line:

line vty 0 4
 transport input ssh -----> remove
 transport output ssh

Or you can do an ACL like this one below:

conf t
access-list 10 permit
line vty 0 4
 access-class 10 in

This will only allow IP addresses in the subnet to be able to SSH to the router.

Collin Clark Tue, 09/08/2009 - 10:51

If you remove transport input ssh, no one can SSH into the router. The second option is correct. Create an ACL that allows the IPs that you want to be able to connect to the router:

access-list 50 permit

Then apply the ACL to the VTY lines:

line vty 0 4
 access-class 50 in

Joshua Engels Tue, 09/08/2009 - 12:32

Spoke with Cisco TAC. Apparently there is a bug with the c1841-advipservicesk9-mz.124-15.XY.bin image file on ACLs, and that is why the ACL is not working.
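Combining the two answers into one defence-in-depth configuration, as an added example that is not from the original thread: the interface ACL still blocks SSH at the edge, and an access-class on the VTY lines restricts management access independently, so a failure of the interface ACL (as with the image bug above) does not by itself expose the router. The management subnet 10.10.10.0/24, the ACL name MGMT_HOSTS and the explicit SSH deny entry are assumptions added here; the show commands at the end are the check that the ACL is actually being evaluated.

```cisco
! Interface ACL: the original OUTSIDE_IN, with SSH denied explicitly
! before the catch-all so its own hit counter shows whether inbound
! SSH attempts are being matched at all.
ip access-list extended OUTSIDE_IN
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 deny   tcp any any eq 22 log
 deny   ip any any log
!
! Second, independent control on the management plane: only hosts in
! the (assumed) inside management subnet may open a VTY session.
! 10.10.10.0/24 is a placeholder; replace it with the real network.
ip access-list standard MGMT_HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! 'login local' assumes a local account exists:
!   username <name> secret <password>
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Checks: while an outside host tries to connect, the deny counters
! should increment. If the SSH session still succeeds and the
! OUTSIDE_IN counters stay at zero, the interface ACL is not being
! evaluated for that traffic and the VTY access-class is the only
! thing keeping the session out.
!   show ip access-lists OUTSIDE_IN
!   show ip access-lists MGMT_HOSTS
!   show users
```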
