A funny thing with ACLs on a Cisco Router

I recently experienced a strange issue with an access list on a Cisco router which took me a while to fix, so I thought it was worth sharing (as obscure as it is!).

As I have been pretty much working from home for the last few weeks (like everyone else), I needed to make some adjustments to my home network to make sure my work laptop wasn't accessible from any of the many other devices that live there. Easy done: a new VLAN and some ACLs on my trusty Cisco 891F and all was good. Over the weekend I was working on a new project with one of my Raspberry Pis and some new mail order goodies, and I needed to allow SSH access from my "Work from Home" VLAN. Easy done, just add some new ACL entries and off we go. Nope.

The Raspberry Pi was on 192.168.40.50 and I was accessing it from subnet 192.168.50.0.

The lines in question were as below (this was for the return traffic); everything looked OK, but I couldn't connect via SSH.

60 permit tcp 192.168.40.0 0.0.0.255 eq 22 192.168.50.0 0.0.0.7

61 deny ip any 192.168.50.0 0.0.0.7
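To check what those two entries should do on paper, here is a small first-match evaluator (an added example, not from the original post or from Cisco) that models the two lines above with Cisco wildcard-mask semantics and the implicit deny at the end of every ACL; it does not model stateful features such as `established` or reflexive ACLs, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    """One access-control entry; a None port means 'any port'."""
    seq: int
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, proto, src, sport, dst, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        if self.src_port is not None and sport != self.src_port:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return True

# The two entries from the post. "eq 22" after the source applies to the
# source port, i.e. replies coming back from the Pi's SSH daemon.
# "any" is written as 0.0.0.0 with an all-ones wildcard.
ACL = [
    Ace(60, "permit", "tcp", "192.168.40.0", "0.0.0.255",
        "192.168.50.0", "0.0.0.7", src_port=22),
    Ace(61, "deny", "ip", "0.0.0.0", "255.255.255.255",
        "192.168.50.0", "0.0.0.7"),
]

def evaluate(acl, proto, src, sport, dst, dport) -> Tuple[str, Optional[int]]:
    """First matching entry wins; fall through to the implicit deny (seq None)."""
    for ace in acl:
        if ace.matches(proto, src, sport, dst, dport):
            return ace.action, ace.seq
    return "deny", None
```

Run against a constructed SSH reply from 192.168.40.50:22 to 192.168.50.5, the evaluator hits sequence 60, which is what the router should have done before the resequence; note that the 0.0.0.7 wildcard only covers 192.168.50.0 through .7, so a client outside that range never matches either line.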

I spent a VERY long time troubleshooting this issue, adding logging and testing various scenarios.

To cut a long story short, all I needed to do to fix it was run a resequence on the access list.

ip access-list resequence 100 10 10

Straight after running this, the ACL started behaving and I was able to connect to my Pi. I don't quite know what was wrong; maybe the ACL became corrupted somehow?

The IOS image was c800-universalk9-mz.SPA.157-3.M3.bin, running on a C891F-K9.