Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ACL: permit local "any" works but not host IP ...

Status
Not open for further replies.
MWM

MWM

MIS
Aug 9, 2001
200
Guys, I am baffled: how to remote ssh into a local host ...
I can ssh within the inside subnet (192.168.1.xxx) and remote ssh works IF the acl line is:

"... permit tcp any any eq 22 log-input."

But it fails if I use:

"... permit tcp any host 192.168.1.xxx eq 22 log-input."

Of course there is a static route,

"IP nat inside source static tcp 192.168.1.xxx 22 67.125.xxx.xxx 22 extendable."

Why does the specific host IP declaration cause it to fail? (Yes, that inside host IP is the correct address!)

Thanks for all your help many times before
mwm
 
Sort by date Sort by votes
where is this acl applied?
if its applied before the nat process has taken place then it will not work because the ssh request isn't to your internal address... it was made to your external address.
 
Upvote 0 Downvote
also, and I'm not 100% positive of this, but does SSH talk 22 to 22? or does it talk high-port to 22? If the latter then the issue could be your source port in the ACL....
 
Upvote 0 Downvote
ssh server listens on port 22..
the reply will be on a high port as the tcp socket is established.
that acl wouldn't be inspecting the outbound traffic though so it will be ok to simply look at port 22 for the incoming connection..

i suspect he has this acl on his wan interface.. and that the order of operations is acl and then nat...

so if the rule is based on the natted ip.. the acl would have to go on the lan interface...
or simply leave it as "any eq ssh" on the wan.
this assumes that you have a dynamic ip because if your ip is static then you could just right the acl using the wan address.
 
Upvote 0 Downvote
Thanks, plshlpme and jimfixit-- the acl is, as you guessed, on the wan interface. In this case, it is dsl and the acl is on the wan interface BVI1 & the acl line is, "... access-group 103 in."

Yes, I do recall the order of operation issue and I now have O'Reilly's book, "Cisco IOS Access Lists," which has some interesting explanatory info in addition to that in some of my Cisco books.

It seems, too, that an acl line using a specific inside destination address and applied as I have done, on the wan incoming packets, would not have any effect at all, right?

That is, the router in its order of operations does not know about any inside addresses or inside subnet at this point, so any reference to an inside IP such as 192.68.1.xxx would not be in its internal lookup table and thus not be applied at all.
Right?

Thanks a million, guys. This is great help.
mwm
 
Upvote 0 Downvote
... I also found this article of Cisco's order of operations and it seems to make the same point regarding the fact that the acl is done prior to NAT (and also prior to routing).

Thanks a million, guys.

FYI, it points out that there is also another order of operations having to do with QoS, if used.



mwm
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

woza
  • Locked
  • Question
GNS3: Delete the lines "transport preferred none"
Replies
1
Views
519
DrB0b
DrB0b
B
  • Locked
  • Question
Cisco IP phone 7841 8851 unable to forward all to external number
Replies
0
Views
212
badwolf1686
B
jobsp90
  • Question
I have a issue in my office hospital network regarding using IPPBX software.
Replies
2
Views
229
DavetheChef
DavetheChef
darthvader167
  • Locked
  • Question
"Wait while I transfer your call"
Replies
0
Views
266
darthvader167
darthvader167
Mogles49
  • Locked
  • Question
Firewall ACL question
Replies
1
Views
272
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top