I have a router with an ACL configured on the external interface; I restrict access so only specific hosts can connect to it. There is a deny statement at the end of the ACL which it never seems to reach. I am able to SSH to the router from any host even though the ACL denies access. I have an identical router set up in the same way which seems to be working fine. Config below:
description Outside Interface
ip address A.B.C.D 255.255.254.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
Extended IP access list CSM_FW_ACL_GigabitEthernet0/0
11 permit icmp any any echo-reply
21 permit icmp any any time-exceeded (71 matches)
31 permit icmp any any unreachable (80 matches)
41 permit ip host x.147.110.244 any
51 permit ip host x.147.110.245 any (3443 matches)
61 permit ip host x.169.152.249 any (114 matches)
71 permit ip host x.169.152.251 any
81 permit ip host x.169.153.86 any
91 permit ip host x.169.152.116 any
101 permit ip host x.147.110.17 any
111 permit ip host x.196.60.102 any
121 permit ip host x.196.60.50 any
131 permit ip host x.97.169.18 any
141 permit udp any any eq bootps
151 permit udp any any eq bootpc
161 permit gre any any
171 permit esp any any (47057911 matches)
181 permit udp any any eq isakmp (15751 matches)
182 permit object-group udp-4500 any any (12210 matches)
183 permit object-group udp-848 any any
211 permit udp object-group ext-hst-22.214.171.124 any eq ntp
221 permit udp object-group ext-hst-126.96.36.199 any eq ntp
231 permit udp object-group ext-hst-188.8.131.52 any eq ntp
241 permit icmp any any echo
251 permit tcp any any established
252 permit object-group HSRP any object-group hst-int-184.108.40.206
I see that there are multiple object groups configured and wonder about the possibility that some object group has a more broad permit than the names suggest.
Perhaps one way to get some insight into the issue would be to issue the show access list command, note all the counters. Then do the SSH from an outside host. Then do show access list again and look for statements where the counter has increased.
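The before/after counter comparison suggested above can be scripted so nothing is missed in a long ACL. This is an added example, not from the thread or from Cisco; the two show access-list snapshots below are constructed from the ACL in this thread with made-up match counts, and the function names are my own.

```python
import re

# Constructed snapshots of "show access-list" output taken before and after a
# test SSH session from an outside host. Match counts are invented for the demo.
BEFORE = """Extended IP access list CSM_FW_ACL_GigabitEthernet0/0
    11 permit icmp any any echo-reply
    51 permit ip host x.147.110.245 any (3443 matches)
    182 permit object-group udp-4500 any any (12210 matches)
    251 permit tcp any any established
    252 permit object-group HSRP any object-group hst-int-184.108.40.206
"""
AFTER = """Extended IP access list CSM_FW_ACL_GigabitEthernet0/0
    11 permit icmp any any echo-reply
    51 permit ip host x.147.110.245 any (3443 matches)
    182 permit object-group udp-4500 any any (12214 matches)
    251 permit tcp any any established
    252 permit object-group HSRP any object-group hst-int-184.108.40.206 (9 matches)
"""

# One ACE line: sequence number, rule text, optional "(N matches)" suffix.
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")
OG_RE = re.compile(r"object-group (\S+)")

def parse_counters(show_output):
    """Map ACE sequence number -> (rule text, hit count).
    Lines with no '(N matches)' suffix have never been hit, so count 0."""
    counters = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)          # header line has no leading number
        if m:
            seq, rule, hits = m.groups()
            counters[int(seq)] = (rule, int(hits or 0))
    return counters

def increased_entries(before, after):
    """[(seq, rule, delta)] for ACEs whose counter rose between snapshots:
    these are the lines that actually matched the test traffic."""
    b, a = parse_counters(before), parse_counters(after)
    return [(seq, rule, hits - b.get(seq, (rule, 0))[1])
            for seq, (rule, hits) in sorted(a.items())
            if hits - b.get(seq, (rule, 0))[1] > 0]

def referenced_object_groups(entries):
    """Object groups named in the hit ACEs, in order of first appearance; each is
    worth expanding with 'show object-group <name>' to confirm its real scope."""
    names = []
    for _seq, rule, _delta in entries:
        names += [n for n in OG_RE.findall(rule) if n not in names]
    return names

if __name__ == "__main__":
    hits = increased_entries(BEFORE, AFTER)
    for seq, rule, delta in hits:
        print(f"seq {seq}: +{delta}  {rule}")
    print("object groups to inspect:", referenced_object_groups(hits))
```

In the constructed sample the SSH test lands on sequence 252, whose name suggests HSRP only, which is exactly the "broader than its name" case to check with show object-group.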
Re: Router ignoring ACL applied to external interface
You raise an interesting point that for SSH access to be successful it must be permitted by the access-class on the vty - if an access-class is configured. But you are a bit off the mark in saying that ACL controls traffic through the router, not traffic connecting to the router. Traffic to the router must be permitted by the interface inbound ACL as well as by the access-class. If the SSH request is really coming through the interface Gig0/0 then the interface ACL must permit it or else the SSH request would fail.
So perhaps there are several possibilities to check on. As I suggested in my previous response, I wonder if there is some statement which permits more traffic than its name suggests. And the possibility that the SSH request is not getting to the router through interface Gig0/0.