From: Khurram Khani (ajmal@xxxxxxxxxxxxxxx)
Date: Thu Mar 02 2000 - 06:18:33 GMT-3
Yep! The same is happening to me. IOS picks up the 1st
entry and ignores the rest of the dynamic entries! And the best part
is, I removed the access-list and simply swapped the two
entries, and it works now.
> access-list 101 dynamic testlist permit icmp any any
> access-list 101 dynamic testlist permit tcp any any eq telnet
-----Original Message-----
From: kshalavin@ibs.ru <kshalavin@ibs.ru>
To: jekis@cisco.com <jekis@cisco.com>
Cc: ccielab@groupstudy.com <ccielab@groupstudy.com>
Date: Wednesday, March 01, 2000 12:34 PM
Subject: Re: Lock and Key , Dynamic Accesslist ?
Hello Joel,
In your sample there's just one dynamic entry, with WWW access possibility.
Try to enter an additional entry (e.g. for icmp).
When I tried to set multiple dynamic entries, the ACL works only with the first entry.
When I run the command 'show access-list' on the ACL with an active dynamic entry, I see
that a similar dynamic entry was added (i.e. NOT two different entries, just two
of the same string permitting telnet).
I think IOS ignores all entries except the first. Maybe it is a bug.
Regards,
> Konstantin Shalavin,
> Engineer, Technical Department, IBS Production Center
> Konstantin Shalavin,Technical Center Engineer, IBS Production Unit
> tel : +7-(095)-967-8010;
> direct : +7-(095)-725-8118-tone-2487.
> fax : +7-(095)-967-8011
> pager : 974-0111 (#19053).
>
> -----Original Message-----
> From: Joel W. Ekis [SMTP:jekis@cisco.com]
> Sent: 1 March 2000 3:19
> To: Khurram Khani; ccielab@groupstudy.com
> Subject: Re: Lock and Key , Dynamic Accesslist ?
>
> Here's the config I used to practice with:
>
> Dynamic
> username jim password foo
> username jim autocommand access-enable
> username mary password foo2
> access-list 100 permit tcp any host 10.1.1.2 eq telnet
> access-list 100 dynamic <name> timeout 60 permit tcp any host 1.1.1.1 eq www
> line vty 0 4
> login local
>
> Jim can telnet to this router (10.1.1.2). He will authenticate with -foo-.
> Once authenticated, Jim will be disconnected and the dynamic list will open and
> allow web access to 1.1.1.1 for 5 minutes. Mary can establish a telnet session
> with the router (10.1.1.2) and gain enable access. Apply this list to the
> interface that Jim will use when establishing the telnet session.
>
> Joel, CCIE# 5649
>
> At 11:21 PM 2/29/2000 -0800, Khurram Khani wrote:
> >
> > I am just trying the Lock-and-Key: Dynamic Access Lists.
> >
> > access-list 101 dynamic testlist permit icmp any any
> > access-list 101 dynamic testlist permit tcp any any eq telnet
> > access-list 101 permit tcp any host 11.1.1.1 eq telnet
> > access-list 101 deny tcp any any
> > access-list 101 deny ip any any
> >
> > The problem is, only the 1st list is accepted when a user comes in and
> > gives the instruction. This means the user is able to TELNET to
> > ANY but not ICMP to ANY.
> >
> > user-isdn>access-enable host timeout 10
> > user-isdn>exit
> > Connection closed by foreign host.
> >
> >
> > I just have these 4 URLs on CCO to study; is there
> > any other descriptive article also available on Lock and Key
> > to study on CCO?
> >
> > http://www.cisco.com/warp/public/69/13.html
> > http://www.cisco.com/warp/public/cc/cisco/mkt/security/auth/tech/landk_wp.htm
> > http://www.cisco.com/warp/public/116/15.html
> > http://www.cisco.com/warp/public/129/19.html
> >
> > Plz advise
> >
> > Thanks
> > KHURRAM KHANI
> > -----
> > EMIRATES TELECOMMUNICATIONS CORP - ETISALAT
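As an added example (not from the thread or from Cisco), a small Python config lint that parses IOS access-list lines and flags a named dynamic list carrying more than one entry, the pattern both posters report as only partially taking effect; the `SAMPLE_CONFIG` is the ACL from the first post, and the finding text is based only on what the thread observed:

```python
import re
from collections import defaultdict

# Matches the IOS lock-and-key syntax quoted in the thread:
#   access-list <num> dynamic <name> [timeout <min>] permit|deny <proto> <src> <dst> [...]
DYNAMIC_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\d+)\s+dynamic\s+(?P<name>\S+)"
    r"(?:\s+timeout\s+(?P<timeout>\d+))?\s+(?P<action>permit|deny)\s+(?P<rule>.+?)\s*$",
    re.IGNORECASE,
)


def parse_dynamic_entries(config_text):
    """Group dynamic ACL entries by (acl number, dynamic name), in config order.
    Each entry is (line_no, timeout_or_None, action, rule)."""
    groups = defaultdict(list)
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DYNAMIC_RE.match(line)
        if m:
            timeout = int(m.group("timeout")) if m.group("timeout") else None
            groups[(m.group("acl"), m.group("name"))].append(
                (line_no, timeout, m.group("action").lower(), m.group("rule"))
            )
    return dict(groups)


def find_multi_entry_dynamic_lists(config_text):
    """Return one finding string per dynamic name that carries more than one
    entry. Both posters observed IOS applying only one such entry after
    access-enable, so the others are at best untested and at worst silently
    dropped."""
    findings = []
    for (acl, name), entries in parse_dynamic_entries(config_text).items():
        if len(entries) > 1:
            lines = ", ".join(str(e[0]) for e in entries)
            findings.append(
                f"access-list {acl} dynamic {name}: {len(entries)} entries (lines {lines}); "
                f"confirm with 'show access-list' which one is instantiated after access-enable"
            )
    return findings


# Constructed sample: the ACL from the first post in the thread.
SAMPLE_CONFIG = """\
access-list 101 dynamic testlist permit icmp any any
access-list 101 dynamic testlist permit tcp any any eq telnet
access-list 101 permit tcp any host 11.1.1.1 eq telnet
access-list 101 deny tcp any any
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    for finding in find_multi_entry_dynamic_lists(SAMPLE_CONFIG):
        print(finding)
```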
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:03 GMT-3