Cisco Support Community
New Member

ACL question

Would you please explain to me why the following ACLs do not work. I purchased a block of 8 IP addresses from my ISP (ADSL connection). I have received the following from the ISP: "IPs 194.252.157.248/29, all traffic is routed to IP address 194.252.157.249".

Setup (Cisco 1712):

Wan interface (Dialer): 194.252.157.249/31

Vlan 1(Local Network): 192.168.1.1/24

Vlan 2(Public IP address): 194.252.157.253/30 - 194.252.157.254 goes to Web/mail server

I am trying to limit SSH access to only the IP addresses 194.252.157.254 and 194.252.157.249, with no success. I can only achieve SSH access if I have the statement "access-list 101 permit tcp any any eq 22 log" in the ACL. If I try with:

"access-list 101 permit tcp any host 194.252.157.249 eq 22 log" and "access-list 101 permit tcp any host 194.252.157.254 eq 22 log", all SSH connections are disconnected.

Thank you and kind regards,

M

2 REPLIES
Hall of Fame Super Gold

Re: ACL question

Marko

I assume from your statement that addresses 194.252.157.249 and 194.252.157.254 are the destinations that SSH should connect to (which would allow SSH to the router Dialer address and to the server). When you say that SSH sessions are disconnected if you use the specific access list entries, what were the SSH connections connecting to when you tried this (what address was specified in the SSH command to make the connection)?

A good approach to troubleshooting ACL problems is to use the log parameter on the deny statements, which your access list does do. So you should be able to look in the log from the router, find the packets that were denied, and get some indication of what did not match (what address were they using as the destination)?

HTH

Rick

New Member

Re: ACL question

Dear Rick,

I was trying to make it so that I could connect from any public address to only those two IP addresses.

I think I did it. I have put the following entries in the ACL:

permit tcp any host 194.252.157.249 eq 22 (528 matches)

permit tcp any host 194.252.157.254 eq 22 (25 matches)

deny tcp any any eq 22 (24 matches)

Thank you for your help and kind regards,

Marko
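The three entries Marko ended up with work because IOS evaluates a numbered ACL top to bottom and stops at the first match, with an implicit deny after the last line. The following Python script is an added illustration written for this page, not code from the thread or from Cisco: it models that first-match evaluation, keeps the per-entry hit counters that show access-lists prints as "(N matches)", and records a line for each deny entry that carries the log keyword, as Rick suggests using for troubleshooting. The trailing "permit ip any any" entry, the source address 203.0.113.10 and the log line format are all assumptions made here so that the example runs stand-alone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 194.252.157.249 eq 22 log'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                      # "any" or a CIDR such as "194.252.157.249/32" (host X)
    dst: str
    dport: Optional[int] = None   # None = any destination port
    log: bool = False             # the "log" keyword on the entry
    matches: int = 0              # hit counter, like "(N matches)" in show access-lists


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet, log: List[str]) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index); index -1 means the implicit deny."""
    for i, ace in enumerate(acl):
        if _ace_matches(ace, pkt):
            ace.matches += 1
            if ace.log:
                # Constructed log format; real IOS syslog lines look different.
                log.append(f"list 101 {ace.action} {pkt.proto} "
                           f"{pkt.src} -> {pkt.dst}({pkt.dport})")
            return ace.action, i
    return "deny", -1


def build_acl_101() -> List[Ace]:
    """The SSH entries from the thread plus an assumed catch-all permit."""
    return [
        Ace("permit", "tcp", "any", "194.252.157.249/32", 22),
        Ace("permit", "tcp", "any", "194.252.157.254/32", 22),
        Ace("deny",   "tcp", "any", "any", 22, log=True),
        Ace("permit", "ip",  "any", "any"),   # assumption: let all other traffic through
    ]


def run_samples():
    """Replay a few constructed inbound packets; return (results, counters, log)."""
    acl = build_acl_101()
    log: List[str] = []
    packets = [
        Packet("tcp", "203.0.113.10", "194.252.157.249", 22),  # SSH to the Dialer address
        Packet("tcp", "203.0.113.10", "194.252.157.254", 22),  # SSH to the web/mail server
        Packet("tcp", "203.0.113.10", "194.252.157.253", 22),  # SSH to the Vlan 2 address
        Packet("tcp", "203.0.113.10", "194.252.157.254", 80),  # HTTP to the server
    ]
    results = [evaluate(acl, p, log) for p in packets]
    counters = [a.matches for a in acl]
    return results, counters, log


if __name__ == "__main__":
    results, counters, log = run_samples()
    for r in results:
        print(r)
    print("counters:", counters)
    print("log:", log)
```

Dropping the assumed catch-all and feeding the evaluator a non-SSH packet shows the implicit deny at work (the function returns index -1), which is the first thing to check when every connection drops after an ACL change.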
