Display matches showing output of "show access-lists"

it used to be the case that matches were only displayed for extended access lists

Post the access-lists and the show commands that are being used

Reply to
merv.hrabi

What is the router model number and Cisco IOS version in use on the router that you are having problems with?

Reply to
merv.hrabi

You probably need to add a deny ip any any at the end of the ACL to see a match count for denies

Reply to
merv.hrabi

I can't see matches on an access list I built giving the command in the subject. How can I enable it?

Thanks, Alex.

Reply to
AM

wildcard mask should be 0.0.0.31

Reply to
merv.hrabi

Extended IP access list 130
    10 permit ip 10.135.2.192 0.0.0.32 192.168.31.0 0.0.0.255
Extended IP access list 131
    10 permit ip 10.135.2.192 0.0.0.32 any
Extended IP access list vty-access
    10 permit tcp A.B.C.D 0.0.0.32 any eq 22
    20 permit tcp host E.F.G.H any
    30 permit tcp 192.168.31.0 0.0.0.255 any eq 22
    40 permit tcp 192.168.31.0 0.0.0.255 any eq telnet
    50 permit tcp 10.135.2.192 0.0.0.32 any eq 22
    60 permit tcp 10.135.2.192 0.0.0.32 any eq telnet

I'm trying to understand why my router refuses telnet and ssh connections when I apply the extended ACL (to line vty 0 4). On other routers I remember not giving any particular command to see matches.

Alex.

Reply to
AM

Seems that this is not true (anymore) as you can see in following output:

r3#
r3#sh access-lists
Standard IP access list 55
    10 permit 5.5.5.0, wildcard bits 0.0.0.255 (21 matches)
Standard IP access list 66
    10 permit 6.6.6.0 (10 matches)
r3#
r3#sh run | incl access-li
access-list 55 permit 5.5.5.0 0.0.0.255
access-list 66 permit 6.6.6.0
r3#
r3#
r3#sh ver | incl Vers
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-J1S3-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
X.25 software, Version 3.0.0.
r3#

Reply to
Ivan Ostreš

The sub-network mask and the wildcard mask should "add up" to 255.255.255.255:

  255.255.255.224
+ 000.000.000.031
  ---------------
  255.255.255.255

Reply to
merv.hrabi
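As an added example (not from the thread), a small Python check of the wildcard arithmetic merv.hrabi describes: which addresses an entry such as 10.135.2.192 0.0.0.32 actually matches, versus 0.0.0.31, and why 10.135.2.222 falls through to the deny at the end of the ACL. The helper names are my own, not IOS commands.

```python
import ipaddress
from typing import List

MASK32 = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Subnet mask and wildcard mask must add up to 255.255.255.255."""
    return str(ipaddress.IPv4Address(MASK32 ^ ip_to_int(subnet_mask)))


def acl_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    An address matches when every 'care' bit (wildcard 0) equals the
    corresponding bit of the entry's network address.
    """
    care = MASK32 ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def matching_addresses(network: str, wildcard: str, limit: int = 256) -> List[str]:
    """Enumerate every address an entry matches (small wildcards only)."""
    wc = ip_to_int(wildcard)
    base = ip_to_int(network) & (MASK32 ^ wc)          # fix the 'care' bits
    free_bits = [1 << i for i in range(32) if wc & (1 << i)]
    if 2 ** len(free_bits) > limit:
        raise ValueError("wildcard covers too many addresses to enumerate")
    out = []
    for combo in range(2 ** len(free_bits)):          # every setting of the free bits
        addr = base
        for i, bit in enumerate(free_bits):
            if combo & (1 << i):
                addr |= bit
        out.append(str(ipaddress.IPv4Address(addr)))
    return sorted(out, key=ip_to_int)


if __name__ == "__main__":
    # Values taken from the thread: /27 subnet, host 10.135.2.222 trying to telnet in.
    print("wildcard for /27:", wildcard_from_mask("255.255.255.224"))
    print("0.0.0.32 matches:", matching_addresses("10.135.2.192", "0.0.0.32"))
    print("0.0.0.31 matches", len(matching_addresses("10.135.2.192", "0.0.0.31")), "hosts")
    for wc in ("0.0.0.32", "0.0.0.31"):
        print(f"10.135.2.222 vs 10.135.2.192 {wc}:", acl_matches("10.135.2.222", "10.135.2.192", wc))
```

With 0.0.0.32 only one bit is "don't care", so the entry matches exactly two hosts (.192 and .224) and every other address in the /27, including .222, hits the implicit or explicit deny.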

System image file is "flash:c837-k9o3sy6-mz.123-11.T2.bin"

router 837

Alex.

Reply to
AM

I mean, I tried to connect to the router and my client told me "Connection refused". Do you think that this rejection ought to be traced in the number of matches for the access-list?

Alex.

Reply to
AM

You are correct. Now when I try to connect to router from the router itself and I give a "sh access-lists" I can see the counter of "deny any any" going up.

Now the problem is which IP the telnet client presents itself with when it tries to connect to the server (remember I'm doing telnet and ssh from the console connection towards the router itself). Even if I try to connect from another IP in the LAN, if the ACL vty-access is applied, the router refuses connections.

I did "debug ip packet". I have the following output when connecting (the e0 interface has 10.135.2.222):

Router#telnet 10.135.2.222
Trying 10.135.2.222 ...
% Connection refused by remote host

Router#debug ip packet

*Mar 2 02:53:40.590: IP: tableid=0, s=10.135.2.222 (local), d=10.135.2.222 (Ethernet0), routed via RIB
*Mar 2 02:53:40.590: IP: s=10.135.2.222 (local), d=10.135.2.222 (Ethernet0), len 44, sending
*Mar 2 02:53:40.590: IP: tableid=0, s=10.135.2.222 (Ethernet0), d=10.135.2.222(Ethernet0), routed via RIB
*Mar 2 02:53:40.594: IP: s=10.135.2.222 (Ethernet0), d=10.135.2.222 (Ethernet0), len 44, rcvd 3
*Mar 2 02:53:40.594: IP: tableid=0, s=10.135.2.222 (local), d=10.135.2.222 (Ethernet0), routed via RIB
*Mar 2 02:53:40.594: IP: s=10.135.2.222 (local), d=10.135.2.222 (Ethernet0), len 40, sending
*Mar 2 02:53:40.594: IP: tableid=0, s=10.135.2.222 (Ethernet0), d=10.135.2.222(Ethernet0), routed via RIB
*Mar 2 02:53:40.594: IP: s=10.135.2.222 (Ethernet0), d=10.135.2.222 (Ethernet0), len 40, rcvd 3

with the following access-list:

Extended IP access list 130
    10 permit ip 10.135.2.192 0.0.0.32 192.168.31.0 0.0.0.255
Extended IP access list 131
    10 deny ip 10.135.2.192 0.0.0.32 192.168.31.0 0.0.0.255
    10 permit ip 10.135.2.192 0.0.0.32 any
Extended IP access list vty-access
    10 permit tcp A.B.C.D 0.0.0.32 any eq 22
    20 permit tcp host E.F.G.H any
    30 permit tcp 192.168.31.0 0.0.0.255 any eq 22
    40 permit tcp 192.168.31.0 0.0.0.255 any eq telnet
    50 permit tcp 10.135.2.192 0.0.0.32 any eq 22
    60 permit tcp 10.135.2.192 0.0.0.32 any eq telnet
    70 deny ip any any (6 matches)

The 6 matches come up from the rejections of the telnet connections. It seems the source IP of the packets for the incoming telnet connection is not one of the allowed ones. Which one is it???

Is the IP 10.135.2.222 in the allowed subnet 10.135.2.192 255.255.255.224? I think so.

Have you any idea? Remember that when I remove the access-list I can connect to the router.

Alex.

Reply to
AM

Great! I solved all refused connections from nets with that subnet mask. I must pay more attention to masks different from 0.0.0.255. Moreover, you indirectly solved another problem for me.

Thanks a lot! Alex.

Reply to
AM
