Re: Re: Lock and Key , Dynamic Accesslist ?

From: Manuel Berrocal (manueliux@xxxxxxxxx)
Date: Thu Mar 02 2000 - 15:37:05 GMT-3

"Do NOT create more than one dynamic access list for any one access list. The
software only refers to the first dynamic access list defined."

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/sclock.htm#5329

--- Khurram Khani <ajmal@emirates.net.ae> wrote:
> Yep! The same is happening to me. IOS picks up the 1st
> entry and ignores the rest of the dynamic entries! And the best part
> is, I removed the access-list and simply swapped the two
> entries, and it works now.
>
> > access-list 101 dynamic testlist permit icmp any any
> > access-list 101 dynamic testlist permit tcp any any eq telnet
>
> -----Original Message-----
> From: kshalavin@ibs.ru <kshalavin@ibs.ru>
> To: jekis@cisco.com <jekis@cisco.com>
> Cc: ccielab@groupstudy.com <ccielab@groupstudy.com>
> Date: Wednesday, March 01, 2000 12:34 PM
> Subject: Re: Lock and Key , Dynamic Accesslist ?
>
>
> Hello Joel,
> in your sample there's just one dynamic entry, with WWW access possibility.
> Try to enter an additional entry (e.g. for icmp ..).
> When I tried to set multiple dynamic entries, the ACL works only with the first entry.
> When I run the command 'show access-list' on an ACL with an active dynamic entry, I see
> that a similar dynamic entry was added (i.e. NOT two different entries, just two
> of the same string permitting telnet).
> I think IOS ignores all entries except the first. Maybe it is a bug.
>
> Regards,
> > Konstantin Shalavin,
> > Engineer, Technical Department, IBS Production Center
> > Konstantin Shalavin, Technical Center Engineer, IBS Production Unit
> > tel : +7-(095)-967-8010;
> > direct : +7-(095)-725-8118-tone-2487.
> > fax : +7-(095)-967-8011
> > pager : 974-0111 (#19053).
> >
> > -----Original Message-----
> > From: Joel W. Ekis [SMTP:jekis@cisco.com]
> > Sent: March 1, 2000 3:19
> > To: Khurram Khani; ccielab@groupstudy.com
> > Subject: Re: Lock and Key , Dynamic Accesslist ?
> >
> > Here's the config I used to practice with:
> >
> > Dynamic
> > username jim password foo
> > username jim autocommand access-enable
> > username mary password foo2
> > access-list 100 permit tcp any host 10.1.1.2 eq telnet
> > access-list 100 dynamic <name> timeout 60 permit tcp any host 1.1.1.1 eq www
> > line vty 0 4
> > login local
> >
> > Jim can telnet to this router (10.1.1.2). He will authenticate with -foo-.
> > Once authenticated, Jim will be disconnected and the dynamic list will open and
> > allow web access to 1.1.1.1 for 5 minutes. Mary can establish a telnet session
> > with the router (10.1.1.2) and gain enable access. Apply this list to the
> > interface that Jim will use when establishing the telnet session.
> >
> > Joel, CCIE# 5649
> >
> > At 11:21 PM 2/29/2000 -0800, Khurram Khani wrote:
> > >
> > > I am just trying the Lock-and-Key: Dynamic Access Lists.
> > >
> > > access-list 101 dynamic testlist permit icmp any any
> > > access-list 101 dynamic testlist permit tcp any any eq telnet
> > > access-list 101 permit tcp any host 11.1.1.1 eq telnet
> > > access-list 101 deny tcp any any
> > > access-list 101 deny ip any any
> > >
> > > The problem is, only the 1st list is accepted when a user comes in and
> > > gives the instruction. That means the user is able to TELNET to
> > > ANY but not ICMP to ANY.
> > >
> > > user-isdn>access-enable host timeout 10
> > > user-isdn>exit
> > > Connection closed by foreign host.
> > >
> > >
> > > I just have these 4 URLs on CCO to study; is there
> > > any other descriptive article also available on Lock and Key
> > > to study on CCO?
> > >
> > > http://www.cisco.com/warp/public/69/13.html
> > > http://www.cisco.com/warp/public/cc/cisco/mkt/security/auth/tech/landk_wp.htm
> > > http://www.cisco.com/warp/public/116/15.html
> > > http://www.cisco.com/warp/public/129/19.html
> > >
> > > Please advise
> > >
> > > Thanks
> > > KHURRAM KHANI
> > > -----
> > > EMIRATES TELECOMMUNICATIONS CORP - ETISALAT
> > >
> >
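An added configuration checker, not part of this thread and not a Cisco tool, that audits an IOS configuration for the condition the thread and the quoted Cisco documentation describe: more than one `dynamic` entry under a single access list, of which only the first takes effect. The security point for an operator is that the written policy and the enforced policy silently diverge (Khurram expected both ICMP and telnet to be opened; only the first entry was). The sample configuration is constructed from the ACLs posted in the thread, with the `<name>` placeholder in Joel's list filled in with the made-up name `jimlist`; the regular expression, data classes and report wording are my own assumptions.

```python
"""Audit an IOS config for lock-and-key dynamic ACL entries that will never be used.

Per the Cisco text quoted in the thread, IOS only refers to the first dynamic
entry defined for a given access list; later dynamic entries are ignored.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches: access-list <number> dynamic <name> [timeout <minutes>] <rest of ACE>
DYNAMIC_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\d+)\s+dynamic\s+(?P<name>\S+)"
    r"(?:\s+timeout\s+(?P<timeout>\d+))?\s+(?P<ace>.+?)\s*$"
)


@dataclass
class DynamicEntry:
    acl: str
    name: str
    timeout: Optional[int]   # minutes, None when the keyword is absent
    ace: str                 # e.g. "permit icmp any any"
    line_no: int             # 1-based line in the config text


@dataclass
class AclAudit:
    acl: str
    effective: Optional[DynamicEntry] = None        # the first dynamic entry
    ignored: List[DynamicEntry] = field(default_factory=list)


def parse_dynamic_entries(config: str) -> List[DynamicEntry]:
    """Return every dynamic ACE in the config, in configuration order."""
    entries = []
    for n, line in enumerate(config.splitlines(), 1):
        m = DYNAMIC_RE.match(line)
        if m:
            t = m.group("timeout")
            entries.append(DynamicEntry(m.group("acl"), m.group("name"),
                                        int(t) if t else None, m.group("ace"), n))
    return entries


def audit(config: str) -> Dict[str, AclAudit]:
    """Group dynamic entries per ACL; the first is effective, the rest are ignored."""
    result: Dict[str, AclAudit] = {}
    for e in parse_dynamic_entries(config):
        a = result.setdefault(e.acl, AclAudit(e.acl))
        if a.effective is None:
            a.effective = e
        else:
            a.ignored.append(e)
    return result


def findings(config: str) -> List[str]:
    """One human-readable finding per dynamic entry that IOS will never apply."""
    out = []
    for acl, a in sorted(audit(config).items()):
        for e in a.ignored:
            out.append(
                f"access-list {acl}: dynamic entry on line {e.line_no} "
                f"({e.ace}) is never used; only line {a.effective.line_no} "
                f"({a.effective.ace}) takes effect when access-enable runs"
            )
    return out


# Constructed sample: Khurram's ACL 101 and Joel's ACL 100 from the thread.
# "jimlist" stands in for the <name> placeholder in Joel's post.
SAMPLE_CONFIG = """\
access-list 101 dynamic testlist permit icmp any any
access-list 101 dynamic testlist permit tcp any any eq telnet
access-list 101 permit tcp any host 11.1.1.1 eq telnet
access-list 101 deny tcp any any
access-list 101 deny ip any any
access-list 100 permit tcp any host 10.1.1.2 eq telnet
access-list 100 dynamic jimlist timeout 60 permit tcp any host 1.1.1.1 eq www
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the checker reports only ACL 101: the telnet entry on line 2 is flagged as unused, which matches what Khurram observed (telnet to ANY worked only after he swapped the two entries so that it came first). ACL 100 has a single dynamic entry and produces no finding. The useful habit this encodes is to diff what `show access-list` actually installs after `access-enable` against what the configuration text promises, rather than trusting the text.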



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:03 GMT-3