Re: Re: Lock and Key, Dynamic Accesslist?

From: kshalavin@xxxxxx
Date: Fri Mar 03 2000 - 04:30:24 GMT-3


   
Ok, Manuel!
I saw this manual too.
BUT how to do the task:
There's a user for which you must create a dynamic ACL to permit www, telnet
and some other protocols.

I can set just one ACL on the interface, in and out. And I can assign
just one dynamic ACL to this extended ACL. If IOS works only with the first
entry, what is the solution to accept other entries???

Regards,
> Konstantin Shalavin,
        Engineer, Technical Department, IBS Production Center
> Konstantin Shalavin,Technical Center Engineer, IBS Production Unit
> tel : +7-(095)-967-8010;
> direct : +7-(095)-725-8118-tone-2487.
> fax : +7-(095)-967-8011
> pager : 974-0111 (#19053).
>
> -----Original Message-----
> From: Manuel Berrocal [SMTP:manueliux@yahoo.com]
> Sent: March 2, 2000 21:37
> To: Khurram Khani; kshalavin@ibs.ru; jekis@cisco.com
> Cc: ccielab@groupstudy.com
> Subject: Re: Re: Lock and Key , Dynamic Accesslist ?
>
>
> "Do NOT create more than one dynamic access list for any one access list.
> The
> software only refers to the first dynamic access list defined."
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr
> /secur_c/scprt3/sclock.htm#5329
>
> --- Khurram Khani <ajmal@emirates.net.ae> wrote:
> > Yep! The same is happening to me. IOS picks up the 1st
> > entry and ignores the rest of the dynamic entries! And the best part
> > is, I removed the access-list and simply swapped the two
> > entries and it works now.
> >
> > > access-list 101 dynamic testlist permit icmp any any
> > > access-list 101 dynamic testlist permit tcp any any eq telnet
> >
> > -----Original Message-----
> > From: kshalavin@ibs.ru <kshalavin@ibs.ru>
> > To: jekis@cisco.com <jekis@cisco.com>
> > Cc: ccielab@groupstudy.com <ccielab@groupstudy.com>
> > Date: Wednesday, March 01, 2000 12:34 PM
> > Subject: Re: Lock and Key , Dynamic Accesslist ?
> >
> >
> > Hello Joel,
> > in your sample there's just one dynamic entry, with WWW access possibility.
> > Try to enter an additional entry (e.g. for icmp ...).
> > When I tried to set multiple dynamic entries, the ACL works only with the
> > first entry.
> > When I run the command 'show access-list' on an ACL with an active dynamic
> > entry, I see that a similar dynamic entry was added (i.e. NOT two different
> > entries, just two of the same string permitting telnet).
> > I think IOS ignores all entries except the first. Maybe it is a bug.
> >
> > Regards,
> > > Konstantin Shalavin,
> > Engineer, Technical Department, IBS Production Center
> > > Konstantin Shalavin,Technical Center Engineer, IBS Production Unit
> > > tel : +7-(095)-967-8010;
> > > direct : +7-(095)-725-8118-tone-2487.
> > > fax : +7-(095)-967-8011
> > > pager : 974-0111 (#19053).
> > >
> > > -----Original Message-----
> > > From: Joel W. Ekis [SMTP:jekis@cisco.com]
> > > Sent: March 1, 2000 3:19
> > > To: Khurram Khani; ccielab@groupstudy.com
> > > Subject: Re: Lock and Key , Dynamic Accesslist ?
> > >
> > > Here's the config I used to practice with:
> > >
> > > Dynamic
> > > username jim password foo
> > > username jim autocommand access-enable
> > > username mary password foo2
> > > access-list 100 permit tcp any host 10.1.1.2 eq telnet
> > > access-list 100 dynamic <name> timeout 60 permit tcp any host 1.1.1.1 eq www
> > > line vty 0 4
> > > login local
> > >
> > > Jim can telnet to this router (10.1.1.2). He will authenticate with -foo-.
> > > Once authenticated, Jim will be disconnected and the dynamic list will
> > > open and allow web access to 1.1.1.1 for 5 minutes. Mary can establish a
> > > telnet session with the router (10.1.1.2) and gain enable access. Apply
> > > this list to the interface that Jim will use when establishing the telnet
> > > session.
> > >
> > > Joel, CCIE# 5649
> > >
> > > At 11:21 PM 2/29/2000 -0800, Khurram Khani wrote:
> > > >
> > > > I am just trying the Lock-and-Key: Dynamic Access Lists.
> > > >
> > > > access-list 101 dynamic testlist permit icmp any any
> > > > access-list 101 dynamic testlist permit tcp any any eq telnet
> > > > access-list 101 permit tcp any host 11.1.1.1 eq telnet
> > > > access-list 101 deny tcp any any
> > > > access-list 101 deny ip any any
> > > >
> > > > The problem is, only the 1st list is accepted when a user comes in
> > > > and gives the instruction. Meaning the user is able to TELNET to
> > > > ANY but not ICMP to ANY.
> > > >
> > > > user-isdn>access-enable host timeout 10
> > > > user-isdn>exit
> > > > Connection closed by foreign host.
> > > >
> > > >
> > > > I just have these 4 URLs on CCO to study; is there
> > > > any other descriptive article also available on Lock and Key
> > > > to study on CCO?
> > > >
> > > >
> > > > http://www.cisco.com/warp/public/69/13.html
> > > >
> > > > http://www.cisco.com/warp/public/cc/cisco/mkt/security/auth/tech/landk_wp.htm
> > > >
> > > > http://www.cisco.com/warp/public/116/15.html
> > > > http://www.cisco.com/warp/public/129/19.html
> > > >
> > > > Plz advise
> > > >
> > > > Thanks
> > > > KHURRAM KHANI
> > > > -----
> > > > EMIRATES TELECOMMUNICATIONS CORP - ETISALAT
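The whole thread turns on the documented IOS rule quoted above: only the first dynamic entry of an access list is used, so a second `dynamic` line for the same list silently does nothing. The script below is an added example, not code from any of the posters or from Cisco. It audits numbered access-list lines from a running-config dump, flags lists that carry more than one dynamic entry, and shows the temporary entry `access-enable host` would derive from the first dynamic entry (source replaced with the authenticated host, which is the behaviour Cisco documents for the `host` keyword). The sample config is constructed from the access-list 101 posted in the thread plus a second list modelled on Joel's, with the constructed name `webonly` standing in for his `<name>` placeholder.

```python
"""Audit Cisco IOS lock-and-key (dynamic) access lists for the
"only the first dynamic entry is honoured" limitation.

Added example; assumes the numbered-ACL syntax shown in the thread:
  access-list N [dynamic NAME [timeout T]] permit|deny PROTO SRC DST [...]
"""
import re

# Constructed sample: list 101 as posted in the thread, plus a list 100
# modelled on Joel's config with one dynamic entry (name is made up).
SAMPLE_CONFIG = """
access-list 101 dynamic testlist permit icmp any any
access-list 101 dynamic testlist permit tcp any any eq telnet
access-list 101 permit tcp any host 11.1.1.1 eq telnet
access-list 101 deny tcp any any
access-list 101 deny ip any any
access-list 100 permit tcp any host 10.1.1.2 eq telnet
access-list 100 dynamic webonly timeout 60 permit tcp any host 1.1.1.1 eq www
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+"
    r"(?:dynamic\s+(?P<name>\S+)\s+(?:timeout\s+(?P<timeout>\d+)\s+)?)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$"
)


def parse_acls(config_text):
    """Return {list_number: [entry, ...]} in configured order.

    Each entry is a dict with num, name, timeout, action, proto, rest,
    plus 'dynamic' (bool) and the original 'line'. Non-ACL lines are skipped.
    """
    acls = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["dynamic"] = entry["name"] is not None
        entry["line"] = line
        acls.setdefault(entry["num"], []).append(entry)
    return acls


def find_multiple_dynamic(acls):
    """Lists with more than one dynamic entry; IOS only uses the first one.

    Returns {list_number: [dynamic lines in order]} for offending lists only.
    """
    findings = {}
    for num, entries in acls.items():
        dyn = [e["line"] for e in entries if e["dynamic"]]
        if len(dyn) > 1:
            findings[num] = dyn
    return findings


def _split_source(rest):
    """Split the part after PROTO into (source tokens, remainder tokens).

    Source is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    """
    toks = rest.split()
    if toks[0] == "any":
        return toks[:1], toks[1:]
    return toks[:2], toks[2:]  # 'host X' or 'addr wildcard'


def effective_temporary_entry(acls, num, host):
    """Temporary entry IOS inserts after 'access-enable host' for `host`.

    Derived from the FIRST dynamic entry of list `num`: the configured source
    is replaced by 'host <ip>'; everything after the source is kept. Returns
    None when the list has no dynamic entry (lock-and-key would grant nothing).
    """
    for e in acls.get(num, []):
        if e["dynamic"]:
            _src, remainder = _split_source(e["rest"])
            return " ".join([e["action"], e["proto"], "host", host] + remainder)
    return None


def audit(config_text, sample_host="192.0.2.10"):
    """Human-readable report; sample_host is a constructed client address."""
    acls = parse_acls(config_text)
    lines = []
    for num in acls:
        tmp = effective_temporary_entry(acls, num, sample_host)
        lines.append(f"list {num}: access-enable host from {sample_host} -> {tmp}")
    for num, dyn in find_multiple_dynamic(acls).items():
        lines.append(f"WARNING list {num}: {len(dyn)} dynamic entries; "
                     f"only the first is used, these are ignored:")
        lines.extend("    " + d for d in dyn[1:])
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the thread's list 101 the report shows that the telnet dynamic line is dead configuration and that an authenticated host only gets the icmp entry; the fix the rule implies is a single dynamic entry per list whose protocol and destination fields already cover everything the user is meant to reach.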



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:03 GMT-3