New Member

ACL problem on 1841

I am having a problem with an ACL blocking SSH from the outside interface. I do not want users to SSH to my router from the outside at all. Here is my ACL and the way it is applied to the interface that faces the internet.

ip access-list extended OUTSIDE_IN
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 deny ip any any log

interface FastEthernet0/0
 description *****WAN_CONNECTION*****
 ip address x.x.x.x 255.255.255.x
 ip access-group OUTSIDE_IN in
 ip nat outside
 ip inspect FW_OUT out
 ip virtual-reassembly
 duplex auto
 speed auto

I have an explicit deny all and it still allows SSH sessions from the outside. This seems to be so simple, and I have done this on a test router and it works, just not on my production router. Any ideas?

Attached is the entire config.

3 REPLIES
Cisco Employee

Re: ACL problem on 1841

If you do not want anyone to ssh to the router then you can remove this line

line vty 0 4
 transport input ssh -----> remove
 transport output ssh

Or you can do an acl like this one below

conf t
access-list 10 permit 10.10.10.0 0.0.0.255
line vty 0 4
 access-class 10 in

This will only allow ip addresses in the 10.10.10.0/24 subnet to be able to ssh to the router.

Re: ACL problem on 1841

If you remove transport input ssh, no one can SSH into the router. The second option is correct. Create an ACL that allows the IPs that you want to be able to connect to the router.

access-list 50 permit 192.168.1.55

Then apply the ACL to the VTY lines.

line vty 0 4
 access-class 50 in
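
An audit check for the VTY restriction described in the replies above, added here as an example and not posted by anyone in the thread: it scans a saved running-config for VTY blocks that accept SSH without an inbound access-class. The sample config is constructed, the function names are hypothetical, and the parser assumes the indented layout that `show running-config` prints; the `line vty 5 15` block is an assumed second range that some images define in addition to `0 4`.

```python
import re

# Constructed sample config (not the poster's attached config).
SAMPLE_CONFIG = """\
access-list 10 permit 10.10.10.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

def parse_vty_blocks(config):
    """Return {"line vty N M": [sub-commands]} for each VTY block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            # Only VTY lines are tracked; con/aux blocks reset the state.
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_vty(config):
    """List VTY blocks that accept SSH but have no inbound access-class."""
    findings = []
    for header, cmds in parse_vty_blocks(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        # Assumption: with no 'transport input' line the release default
        # applies, so the block is conservatively treated as open.
        ssh_open = transport is None or re.search(r"\b(ssh|all)\b", transport)
        has_acl = any(re.match(r"access-class \S+ in\b", c) for c in cmds)
        if ssh_open and not has_acl:
            findings.append(header)
    return findings

if __name__ == "__main__":
    for header in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: SSH reachable with no access-class")
```
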

New Member

Re: ACL problem on 1841

Spoke with Cisco TAC. Apparently there is a bug with the c1841-advipservicesk9-mz.124-15.XY.bin image file on ACLs and that is why the ACL is not working.
