The intention here was to create an access-list that would permit any device with an IP from two different /24 subnets (let's call them 192.168.1.0 and 192.168.2.0) to SSH into the ISR while denying any other IPs. So I created the following standard access list.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Then, while connected to the 192.168.1.0 subnet, I tried to SSH into the ISR via PuTTY and got an error stating the connection was refused.
When the following lines are removed I am able to SSH into the ISR without issue. (I have already done the SSH configuration on the ISR to use a large RSA key and to use SSH 2.0.)
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
I cannot for the life of me figure out why this simple access-list is blocking traffic when it should not. I am a bit of a novice with Cisco IOS, so it is probably some tiny detail I missed.
Below is the current config of the vty lines and the ACLs:
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 login authentication local
 transport input ssh
line vty 5 15
 access-class 1 in
 login authentication local
 transport input ssh
!
!
end
Best Answer
If you want to SSH to the router through the MGMT interface, you must add vrf-also after the command in the new version, as follows:
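Added example, not part of the original answer and not Cisco tooling: a Python check over the question's ACL and vty lines that shows ACL 1 does match a 192.168.1.x source (wildcard-mask match with implicit deny) and flags vty lines whose inbound access-class lacks the vrf-also keyword. It assumes, as the answer does, that the SSH session arrives on an interface in a VRF; the function names and sample string are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample: ACL 1 and the vty access-class lines as posted in the question.
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
"""

def parse_standard_acls(config):
    """Return {acl_number: [(action, network, wildcard), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line.strip())
        if not m:
            continue
        num, action, addr, wildcard = m.groups()
        if addr == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"
        elif addr == "host":
            addr, wildcard = wildcard, "0.0.0.0"
        wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        acls.setdefault(num, []).append((action, int(ipaddress.IPv4Address(addr)), wc))
    return acls

def acl_permits(entries, source_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wc in entries:
        # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
        if ((src ^ net) & ~wc & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def vty_lines_missing_vrf_also(config):
    """Return vty ranges whose inbound access-class has no vrf-also keyword."""
    findings, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            # Track the vty range we are inside; other line types reset it.
            current = (re.findall(r"^line vty (\d+(?: \d+)?)", line) or [None])[0]
        elif current:
            m = re.match(r"access-class \S+ in\b(.*)$", line)
            if m and "vrf-also" not in m.group(1).split():
                findings.append(current)
    return findings
```

If the ACL permits the source but the vty range is flagged, the refusal is consistent with the answer's explanation rather than with a wrong wildcard mask.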