access-list for ssh

So I have created an ACL on a 2811 router for my SSH access and applied it to the line vty. The ACL basically restricts access to a specific IP subnet, but I am having an issue.

If  I do (which is more general)
access-list 10 permit 10.153.0.0 0.0.0.255
and apply this to line VTY inbound, I can't get in the router from 10.153.0.0 subnet.

If I do something like this, (very specific)
access-list 10 permit host 10.153.0.15
and apply to VTY on inbound, I can get in just fine.

line vty 0 4
access-class 10 in


Shark Attack (Network admin) asked:
Don Johnston (Instructor) commented:
So what's the question (or problem)?
Bryant Schaper commented:
Is 10.153.0.15 where you are trying from?
Shark Attack (Network admin, author) commented:
Yes, 10.153.0.15 for example. If I SSH from 10.153.0.15 I should be able to get in no matter which ACL I use above, but the ACL with 10.153.0.0 0.0.0.255 is not letting me in. How come? If it's 10.153.0.0 0.0.0.255, that should be anything from 10.153.0.0 to 10.153.0.255.
Don Johnston (Instructor) commented:
You're right. It should allow access.

Can you post the ACL and the vty config section? And please copy/paste the config info from the running-config as opposed to simply typing it in here.
Shark Attack (Network admin, author) commented:
OK, I don't know how this happened, but it's working now. Configs did not change.
Literally, when I applied the ACL with the wildcard mask, I would not be able to log in until I took the ACL off. The second I took the ACL off, I was able to get in. I don't get it, but it works now and I see counters on the ACL, so it does work. Thank you all.
nader alkahtani (Network Engineer) commented:
You have to end the ACL with:
access-list 10 permit any
Shark Attack (Network admin, author) commented:
That would defeat the purpose of the ACL.
Shark Attack (Network admin, author) commented:
Since the standard ACL worked, could anyone actually show me how I could create an extended ACL?

What I did was:
ip access-list extended SSH permit tcp 10.153.0.0 0.0.0.255 eq 22 any eq 22

But the above did not work.
Don Johnston (Instructor) commented:
ip access-list extended SSH permit tcp 10.153.0.0 0.0.0.255 eq 22 any eq 22

should be:

ip access-list extended SSH permit tcp 10.153.0.0 0.0.0.255 any eq 22
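To make the wildcard-mask arithmetic and the source-port mistake from this thread concrete, here is an added Python example (not from the thread, Cisco IOS, or any poster): it evaluates the thread's standard ACL and both extended entries the way IOS matches them, including the implicit deny at the end. The router's vty address 10.153.0.1 and the SSH client's ephemeral source port 51514 are assumed values.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def parse_source(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]   # explicit wildcard form only

def parse_port(tokens):
    """Consume an optional 'eq N' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def evaluate_standard_acl(acl_lines, src_ip):
    """Walk 'access-list N {permit|deny} <source>' lines top-down; unmatched traffic hits the implicit deny."""
    for line in acl_lines:
        t = line.split()
        base, wildcard, _ = parse_source(t[3:])
        if wildcard_match(src_ip, base, wildcard):
            return t[2]
    return "deny"

def evaluate_extended_acl(entries, src_ip, src_port, dst_ip, dst_port):
    """Entries look like 'permit tcp <source> [eq N] <dest> [eq N]' (TCP only here)."""
    for line in entries:
        t = line.split()
        sbase, swild, rest = parse_source(t[2:])
        sport, rest = parse_port(rest)        # a source 'eq 22' pins the client's port
        dbase, dwild, rest = parse_source(rest)
        dport, _ = parse_port(rest)
        if (wildcard_match(src_ip, sbase, swild) and wildcard_match(dst_ip, dbase, dwild)
                and sport in (None, src_port) and dport in (None, dst_port)):
            return t[0]
    return "deny"

# Constructed entries taken from the thread; the router vty address and the
# client's ephemeral source port are assumptions for the check.
STANDARD_ACL = ["access-list 10 permit 10.153.0.0 0.0.0.255"]
BROKEN_ENTRY = "permit tcp 10.153.0.0 0.0.0.255 eq 22 any eq 22"   # source port pinned to 22
FIXED_ENTRY = "permit tcp 10.153.0.0 0.0.0.255 any eq 22"         # only the destination port
ROUTER_VTY, CLIENT_PORT = "10.153.0.1", 51514
```

An SSH client never sends from port 22, so the broken entry falls through to the implicit deny while the corrected one permits the session.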
Shark Attack (Network admin, author) commented:
Thank you!