ACL Supposed to Block Telnet But SSH Also Blocked
Presenting Symptom
Telnet connections to the router are blocked, but SSH connections are also unexpectedly blocked.
Network Context
A small branch office with a Cisco 4321 router running IOS XE 16.9. The router has an IPv4 ACL applied inbound on the WAN interface to allow only Telnet from a specific management subnet, but SSH is also being denied. The router is configured for both Telnet and SSH access.
Diagnostic Steps
Check the ACL configuration applied to the interface
show access-lists
Extended IP access list BLOCK_TELNET
    10 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
    20 deny ip any any
The ACL permits only Telnet (TCP port 23) from 192.168.1.0/24 and then denies all other IP traffic. SSH uses TCP port 22, which no entry permits, so SSH packets fall through to the deny ip any any entry at sequence 20; that entry simply spells out the implicit deny any that ends every ACL.
Verify which interface the ACL is applied to and direction
show running-config interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group BLOCK_TELNET in
The ACL is applied inbound on the WAN interface. This means all incoming traffic, including SSH, is filtered. Since SSH is not permitted, it is blocked.
Check if SSH is configured and listening
show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
SSH is enabled and running. The problem is not that SSH is disabled, but that the ACL is blocking it.
Check the VTY line configuration for allowed protocols
show running-config | section line vty
line vty 0 4
 transport input telnet ssh
 login local
The VTY lines allow both Telnet and SSH. The ACL is the only thing blocking SSH.
Root Cause
The ACL named BLOCK_TELNET permits only TCP port 23 (Telnet) from the management subnet 192.168.1.0/24 and denies all other IP traffic. SSH uses TCP port 22, which no entry permits, so SSH matches the deny ip any any entry at sequence 20; even without that explicit entry, the implicit deny any at the end of every ACL would block it.
Resolution
Verification
Run show access-lists to confirm the new entry:
Extended IP access list BLOCK_TELNET
    10 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
    20 permit tcp 192.168.1.0 0.0.0.255 any eq 22
    30 deny ip any any
Then test SSH from the management subnet: it should succeed.
Prevention
When creating ACLs to permit specific services, always include all required protocols (e.g., both Telnet and SSH) to avoid unintended blocking.
Use object groups or named ACLs with clear comments to document the purpose of each entry.
Test ACLs with a management station before deploying to production to ensure all necessary traffic is permitted.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of ACLs and how they filter traffic based on port numbers. Expect multiple-choice or drag-and-drop questions where you must identify why SSH is blocked when only Telnet is permitted, or configure an ACL to allow both. Key fact: ACLs evaluate entries sequentially and end with an implicit deny any.
Exam Tips
Remember that ACLs have an implicit deny any at the end; if a protocol is not explicitly permitted, it is denied.
The order of ACL entries matters; place more specific entries before general ones.
Know that SSH uses TCP port 22 and Telnet uses TCP port 23; these are common port numbers tested.
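To make the root cause and the exam tips above concrete, here is an added Python model (not from this page and not Cisco code) of how IOS evaluates an extended ACL: entries are checked top to bottom, the first match decides, wildcard-mask bits set to 1 are ignored, and a packet that matches nothing hits the implicit deny. The ACL text is copied from the show access-lists output before and after the fix; the source hosts 192.168.1.25 and 172.16.5.9 are constructed sample addresses, and the MISORDERED list is a constructed variant that shows why entry order matters.

```python
"""Model of Cisco IOS extended ACL evaluation (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS prints well-known ports by name in "show access-lists"; map the ones used here.
PORT_NAMES = {"telnet": 23, "ssh": 22}


@dataclass
class Ace:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol; otherwise "tcp"/"udp"
    src_net: int
    src_wild: int             # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]   # None when the entry has no "eq" clause


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse ACL entries in the format 'show access-lists' prints them."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src_net, src_wild, i = _parse_addr(t, 3)
        dst_net, dst_wild, i = _parse_addr(t, i)
        dst_port = None
        if i < len(t) and t[i] == "eq":
            dst_port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(seq, action, proto, src_net, src_wild, dst_net, dst_wild, dst_port))
    return aces


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # only the bits not masked by the wildcard are compared
    return (addr & care) == (net & care)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL in order; the first matching entry decides.
    Returns (action, seq); seq is None when nothing matched and the implicit deny applied."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(s, ace.src_net, ace.src_wild):
            continue
        if not _addr_matches(d, ace.dst_net, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


# Copied from the scenario's "show access-lists" output before the fix.
BROKEN = parse_acl("""
10 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
20 deny ip any any
""")

# The corrected list, as shown in the Verification section.
FIXED = parse_acl("""
10 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
20 permit tcp 192.168.1.0 0.0.0.255 any eq 22
30 deny ip any any
""")

# Constructed variant without the explicit deny: the implicit deny still drops SSH.
NO_EXPLICIT_DENY = parse_acl("10 permit tcp 192.168.1.0 0.0.0.255 any eq telnet")

# Constructed variant with the deny first: nothing below it is ever reached.
MISORDERED = parse_acl("""
10 deny ip any any
20 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
""")

ROUTER_WAN = "10.0.0.1"        # from the interface configuration on the page
MGMT_HOST = "192.168.1.25"     # constructed: a host inside the management subnet
OUTSIDE_HOST = "172.16.5.9"    # constructed: a host outside it

if __name__ == "__main__":
    for name, acl in (("BROKEN", BROKEN), ("FIXED", FIXED), ("MISORDERED", MISORDERED)):
        for svc, port in (("telnet", 23), ("ssh", 22)):
            print(f"{name:10} {svc:6} from {MGMT_HOST}: {evaluate(acl, MGMT_HOST, ROUTER_WAN, 'tcp', port)}")
```

Running it shows SSH from the management host matching sequence 20 (deny) in the broken list and sequence 20 (permit) in the fixed one, while an outside host still lands on the final deny at 30; the MISORDERED list denies even Telnet at sequence 10, which is the order-matters point from the exam tips.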
Commands Used in This Scenario
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
show ip ssh
Displays the status and configuration of SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.