Thursday, June 13, 2019

Cisco IP Access List has no effect

I'm probably having a brain fart, but for whatever reason this access-list isn't working. I'm trying to lock down SSH access to a host and allow all other traffic.

IOS-XE ASR903 "bootflash:asr900rsp3-universalk9_npe.16.09.01a.SPA.bin"

ip access-list extended RESTRICT_SSH_LOGIN
 permit tcp host 10.0.0.20 host 172.16.0.100 eq 22
 deny tcp any host 172.16.0.100 eq 22
 permit ip any any

interface BDI100
 ip address 172.16.0.1 255.255.255.0
 ip access-group RESTRICT_SSH_LOGIN in

This is the only ACL on this interface, and it seems the ACL isn't having any effect. Other hosts in 10.0.0.0/24 are still able to SSH to 172.16.0.100.

"sh ip access-lists" isn't showing any matches.

Any ideas?
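The following is an added example, not part of the original post. The tell-tale sign in the question is that no entry shows matches, not even "permit ip any any": an ACL that is in the traffic path always counts something. "ip access-group ... in" on BDI100 only evaluates packets entering the router on BDI100, i.e. packets sourced from 172.16.0.0/24. SSH from 10.0.0.x to 172.16.0.100 enters on whatever interface faces 10.0.0.0/24 and leaves through BDI100, so an inbound ACL on BDI100 never sees it. The fragment below shows the two placements that do sit in that path; GigabitEthernet0/0/1 is an assumed name for the interface facing 10.0.0.0/24 and must be replaced with the real one.

```cisco
! Added example, not the original poster's config.
! The existing ACL RESTRICT_SSH_LOGIN is kept as written; only its
! placement changes.

! Option 1: keep the ACL on BDI100, but apply it in the direction the
! traffic actually flows (egress toward 172.16.0.100).
interface BDI100
 ip address 172.16.0.1 255.255.255.0
 no ip access-group RESTRICT_SSH_LOGIN in
 ip access-group RESTRICT_SSH_LOGIN out

! Option 2 (generally preferred: filter as close to the source as possible):
! apply it inbound on the interface that faces 10.0.0.0/24.
! GigabitEthernet0/0/1 is an assumed interface name.
interface BDI100
 no ip access-group RESTRICT_SSH_LOGIN in
interface GigabitEthernet0/0/1
 ip access-group RESTRICT_SSH_LOGIN in

! Verification: confirm which direction the ACL is bound in, reset the
! counters, generate an SSH attempt from a non-permitted 10.0.0.x host,
! and check that the deny entry now increments.
show ip interface BDI100 | include access list
clear ip access-list counters RESTRICT_SSH_LOGIN
show ip access-lists RESTRICT_SSH_LOGIN
```

Two caveats when using either placement. Hosts that sit in the same bridge domain as 172.16.0.100 are switched at layer 2 and never cross BDI100, so neither placement restricts them; that needs a filter on the host itself or on the bridge-domain service instances. And with option 2, every other interface that can reach 172.16.0.100 also needs the ACL, otherwise a source on a different ingress interface bypasses it.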
