Cisco Support Community
New Member

ACL question

Would you please explain to me why the following ACLs do not work. I purchased a block of 8 IP addresses from my ISP (ADSL connection). I have received the following from the ISP: "IPs all traffic is routed to IP address".

Setup (Cisco 1712):

Wan interface (Dialer):

Vlan 1(Local Network):

Vlan 2(Public IP address): - goes to Web/mail server

I am trying to limit SSH access only to IP address and , with no success. I can only achieve SSH access if I have the statement "access-list 101 permit tcp any any eq 22 log" in the ACL. If I try with:

"access-list 101 permit tcp any host eq 22 log" and "access-list 101 permit tcp any host eq 22 log", all SSH connections are disconnected.

Thank you and kind regards,


Hall of Fame Super Gold

Re: ACL question


I assume from your statement that addresses and are the destinations that SSH should connect to (which would allow SSH to the router dialer address and to the server). When you say that SSH sessions are disconnected if you use the specific access list entries, where were the SSH connections connected to when you tried this (what address was specified in the SSH command to make the connection)?

A good approach to troubleshooting ACL problems is to use the log parameter on the deny statements - which your access list does do. So you should be able to look in the log from the router, find the packets that were denied, and get some indicator of what did not match (what address were they using as destination)?



New Member

Re: ACL question

Dear Rick,

I was trying to achieve that I would be able to connect from any public address to only those two IP addresses.

I think I did it. I have put following entries in ACL:

permit tcp any host eq 22 (528 matches)

permit tcp any host eq 22 (25 matches)

deny tcp any any eq 22 (24 matches)

Thank you for your help and kind regards,
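To make the behaviour discussed in this thread concrete, here is an added example (not from the original posts or from Cisco) that simulates how IOS evaluates an extended ACL: entries are checked top down, the first match wins and counts a hit, and anything that matches no entry hits the implicit deny at the end. The ACL below has the same shape as the final one above; the 203.0.113.x and 198.51.100.x addresses are constructed placeholders, and the roles assigned to them and the trailing "permit ip any any" are assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str            # "any" or one host address
    dst: str            # "any" or one host address
    dport: int | None   # port after "eq", None if no port was given
    log: bool           # "log" keyword present: matching packets are logged
    hits: int = 0       # counter shown as "(N matches)" in show access-lists

def parse_ace(line: str) -> Ace:
    """Parse one entry written as 'permit tcp any host A.B.C.D eq 22 log'."""
    t = line.split()
    action, proto, i, addrs = t[0], t[1], 2, []
    for _ in range(2):  # source address, then destination address
        if t[i] == "any":
            addrs.append("any"); i += 1
        elif t[i] == "host":
            addrs.append(str(ipaddress.ip_address(t[i + 1]))); i += 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    return Ace(action, proto, addrs[0], addrs[1], dport, i < len(t) and t[i] == "log")

def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int) -> tuple[str, int | None]:
    """First matching entry wins. No match falls through to the implicit deny (index None)."""
    for n, ace in enumerate(acl):
        if ace.proto not in ("ip", proto) or ace.dport not in (None, dport):
            continue
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        ace.hits += 1
        return ace.action, n
    return "deny", None

# Constructed ACL in the shape of the thread's final one; the addresses are placeholders
# from the documentation range, not the poster's real ones.
ACL = [parse_ace(line) for line in [
    "permit tcp any host 203.0.113.2 eq 22 log",  # assumed: router dialer address
    "permit tcp any host 203.0.113.3 eq 22 log",  # assumed: web/mail server
    "deny tcp any any eq 22 log",                 # every other SSH destination is refused and logged
    "permit ip any any",                          # assumed: all remaining traffic passes
]]
```

Running SSH from an outside address to a destination that is not one of the two permitted hosts lands on the logged deny entry, which is exactly what Rick suggests checking in the router log; a packet matching no entry at all (for example with the last permit removed) returns index None for the implicit deny.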

