From: Mike Williams (ccie2be@swbell.net)
Date: Fri Jun 06 2003 - 12:39:16 GMT-3
Thanks for the comments. One more time I will say tho:
I am *not* using the host keyword in the autocommand, but it *is* doing
what you all are telling me I need the host keyword to do. I'm not
griping about it, just pointing out that even without the host keyword
that it is indeed allowing whatever host authenticates to pass through.
So let's recap.
1) I do NOT have "any" for the source in the dyn ACL entry
2) I do NOT have the "host" keyword on the autocommand
and
3) It DOES use whatever host IP authenticates in the dynamic ACL.
Please review my output from my first post and you will see that this is
the case. Again, I'm not griping, as now I understand how the dyn ACL
entry works, however, it would appear (short of a bug in my particular
IOS) that you do NOT need the 'host' keyword in the autocommand to allow
ANY host that wants to use the dyn ACL entry.
Mike W.
-----Original Message-----
From: kasturi cisco [mailto:kasturi_cisco@hotmail.com]
Sent: Friday, June 06, 2003 10:21 AM
To: ccie2be@swbell.net; ccielab@groupstudy.com
Subject: RE: Strange quirk in Dynamic ACLs?!?! (Not really)
Mike,
When you create the dynamic ACL, instead of giving the source address of
150.50.7.7 change it to "any" and also use the autocommand with keyword
"host" and not IP address and then observe the results (with and without
"host" keyword in autocommand). Also, as we can have only one Dynamic ACL
entry, it makes sense to have "any" for the source address.
By giving the "any" instead of source address, any host which gets
authenticated will have its IP address substituted in the dynamic ACL.
"host" keyword in autocommand is needed to have this function.
access-list 101 dynamic R2-TELNET permit tcp any host 150.50.100.2 eq telnet
Let us know.
Good Luck,
Kasturi.
>From: "Mike Williams"
>Reply-To: "Mike Williams"
>To: "'CCIELab@Groupstudy.com'"
>Subject: RE: Strange quirk in Dynamic ACLs?!?! (Not really)
>Date: Fri, 6 Jun 2003 07:46:34 -0500
>
>Fabrice,
>
>Here's the thing tho. Even without the 'host' keyword, the dynamic ACL
>IS only opening a hole for the host that originated the telnet session.
>That's what I was trying to get at. See the output from 'sh
>access-list' below in my previous post.
>
>Mike W.
>
>-----Original Message-----
>From: Fabrice Bobes [mailto:study@6colabs.com]
>Sent: Friday, June 06, 2003 12:00 AM
>To: 'Mike Williams'
>Cc: 'CCIELab@Groupstudy.com'
>Subject: RE: Strange quirk in Dynamic ACLs?!?! (Not really)
>
>
>Mike,
>
>Well, you need to add the "host" keyword. It opens a hole only for the
>"host" which originated the telnet session.
>
>Thanks,
>
>Fabrice
>http://www.6colabs.com
>
>
>-----Original Message-----
>From: Mike Williams [mailto:ccie2be@swbell.net]
>Sent: Thursday, June 05, 2003 9:50 PM
>To: 'Fabrice Bobes'
>Cc: CCIELab@Groupstudy.com
>Subject: RE: Strange quirk in Dynamic ACLs?!?! (Not really)
>
>Fabrice,
>
>Just 'access-enable'.
>
>Mike W.
>
>-----Original Message-----
>From: Fabrice Bobes [mailto:study@6colabs.com]
>Sent: Thursday, June 05, 2003 11:02 PM
>To: 'Mike Williams'
>Subject: RE: Strange quirk in Dynamic ACLs?!?! (Not really)
>
>
>Mike,
>
>Just a thought: are you using "access-enable" or "access-enable host" in
>your config?
>
>Fabrice
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Mike Williams
>Sent: Thursday, June 05, 2003 6:38 PM
>To: CCIELab@Groupstudy.com
>Subject: Strange quirk in Dynamic ACLs?!?! (Not really)
>
>Get this........ working through a scenario using Dynamic ACLs. In this
>situation, I've set up a router (R5) so that it denies telnet access to
>R2 (150.50.100.2) from both R7 (150.50.7.7) and R8 (150.50.5.69).
>
>access-list 101 dynamic R2-TELNET permit tcp host 150.50.7.7 host 150.50.100.2 eq telnet
>access-list 101 deny tcp host 150.50.5.69 host 150.50.100.2 eq telnet
>access-list 101 deny tcp host 150.50.7.7 host 150.50.100.2 eq telnet
>access-list 101 permit ip any any
>
>Now.... when I telnet into R5 from R7, I can authenticate, it
>disconnects me, then telnet to R2 from R7. Here's the 'sh access-list'
>from R5 after R7 authenticates:
>
>R5#sh access-list
>Extended IP access list 101
> Dynamic R2-TELNET permit tcp host 150.50.7.7 host 150.50.100.2 eq telnet
> permit tcp host 150.50.7.7 host 150.50.100.2 eq telnet (20 matches) (time left 1746)
> deny tcp host 150.50.5.69 host 150.50.100.2 eq telnet (4 matches)
> deny tcp host 150.50.7.7 host 150.50.100.2 eq telnet (2 matches)
> permit ip any any (200 matches)
>
>(Ignore the number of matches shown here as I had to copy/paste this
>output together to show what I saw) No problems so far. It appears as
>if, by authenticating from R7, that the dynamic entry R2-TELNET was
>simply copied over as a "temporary" ACL entry. So then I cleared the
>dynamic entries ("clear access-template 101 R2-TELNET any any"), and
>wanted to see what would happen if I tried to do this from R8. I was
>under the assumption that if I authenticated from R8 that the dynamic
>ACL entry would again be duplicated verbatim and R7 would be able to
>telnet to R2.
>
>When I connected to R5 from R8, I did the usual authentication and
>disconnection. However, when I tried to telnet from R7 to R2, I was
>denied, so I checked the access-list on R5 and found this:
>
>R5#sh access-list
>Extended IP access list 101
> Dynamic R2-TELNET permit tcp host 150.50.7.7 host 150.50.100.2 eq telnet
> permit tcp host 150.50.5.69 host 150.50.100.2 eq telnet (20 matches) (time left 1672)
> deny tcp host 150.50.5.69 host 150.50.100.2 eq telnet (4 matches)
> deny tcp host 150.50.7.7 host 150.50.100.2 eq telnet (2 matches)
> permit ip any any (200 matches)
>
>Strangely enough, I could telnet then from R8 to R2. So I'm really
>confused at why, when my dynamic entry specifically permits host
>150.50.7.7 to telnet to 150.50.100.2, when I authenticated from R8 to R5
>to "start" the dynamic entry, it chose to substitute the IP of R8 for
>the 150.50.7.7 that I explicitly put in the dynamic ACL entry. This
>isn't documented in the IOS Configuration Guide at all. I'm not
>complaining as I enjoy really learning how this stuff works, but I'm
>confused at how the docs would fail to mention this stuff (although I'm
>willing to admit that perhaps it's documented somewhere that I haven't
>seen, so if you know, please share).
>
>Any thoughts on this behavior?
>
>Mike W.
>
>PS: Since writing this post (which I'm GOING to send, just because it
>may be helpful to someone else) I reread the chapter on dynamic ACLs
>from the DocCD. It generically talks about how a dyn ACL "temporarily
>reconfigures" the ACL, etc... but only ONE place in the entire
>"Configuring Lock-and-Key" IOS 12.2 document (page SC-196) that says
>"The only values replaced in the temporary entry are the source or
>destination address, depending on whether this access list was in the
>input access list or output access list. All other attributes, such as
>port, are inherited from the main dynamic access list"
>
>Wow....... Two sentences on this..... and even that is vague as to
>which value (source/dest) is replaced on an input or output list (they
>could have even used the word "respectively" at the end of the first
>sentence and it would have been clear). So it would seem that since I
>was using this ACL as an input ACL, it replaced the source address in my
>dyn ACL entry with the source IP of the packet that authenticated.....so
>I can only assume that if I was using this as an output ACL it would
>replace the dest addr.
>
>Mike W.
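The behaviour the thread is puzzling over can be reproduced with a small model of how a lock-and-key ACL derives its temporary entry. The following is an added example written for this archive page, not IOS code and not something any of the posters supplied. It assumes only the rule in the sentence Mike quotes from the "Configuring Lock-and-Key" document: the temporary entry is a copy of the dynamic template in which only the source address (for an input ACL) or the destination address (for an output ACL) is replaced by the authenticating host, with everything else, including the port, inherited. The model deliberately leaves out the `access-enable host` keyword, idle timeouts and match counters, handles only single-host or `any` addresses, and goes one step beyond the posts by also modelling the output-ACL case the quoted document describes. Addresses and the access-list are copied from the original post.

```python
# Added example: model of IOS lock-and-key temporary-entry substitution.
# Not IOS code; the substitution rule is taken from the doc sentence quoted
# in the thread. 'host' keyword, timeouts and counters are not modelled.
from dataclasses import dataclass, replace
from typing import List, Optional

PORT_NAMES = {23: "telnet"}  # render 'eq telnet' the way 'sh access-list' does


@dataclass(frozen=True)
class Entry:
    """One access-list line; src/dst are 'any' or a single host address."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None    # None = any destination port
    dynamic: Optional[str] = None  # template name, if this line is the dynamic entry

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))

    def render(self) -> str:
        def addr(a: str) -> str:
            return a if a == "any" else f"host {a}"
        text = f"{self.action} {self.proto} {addr(self.src)} {addr(self.dst)}"
        if self.dport is not None:
            text += f" eq {PORT_NAMES.get(self.dport, self.dport)}"
        return f"Dynamic {self.dynamic} {text}" if self.dynamic else text


class LockAndKeyACL:
    """Model of an IOS extended ACL containing one dynamic (lock-and-key) template."""

    def __init__(self, number: int, direction: str, entries: List[Entry]):
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        self.number, self.direction = number, direction
        self.entries = list(entries)
        self.temporary: List[Entry] = []  # entries created by access-enable

    def template(self) -> Entry:
        return next(e for e in self.entries if e.dynamic)

    def authenticate(self, peer_ip: str) -> Entry:
        """Model the autocommand firing for a host that just authenticated:
        copy the template and replace ONLY the source (input ACL) or the
        destination (output ACL) with that host's address; the rest, the
        port included, is inherited from the template."""
        field = "src" if self.direction == "in" else "dst"
        temp = replace(self.template(), dynamic=None, **{field: peer_ip})
        self.temporary.append(temp)
        return temp

    def clear_template(self) -> None:
        """Model 'clear access-template <acl> <name> any any'."""
        self.temporary.clear()

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> str:
        """First match wins, top to bottom. The template line itself never
        matches traffic; its temporary entries are tested in its place."""
        for e in self.entries:
            candidates = self.temporary if e.dynamic else [e]
            for c in candidates:
                if c.matches(proto, src, dst, dport):
                    return c.action
        return "deny"  # implicit deny at the end of every IOS ACL

    def show(self) -> List[str]:
        """Approximate 'sh access-list' output (counters and timers omitted)."""
        lines = [f"Extended IP access list {self.number}"]
        for e in self.entries:
            lines.append(f" {e.render()}")
            if e.dynamic:
                lines.extend(f"   {t.render()}" for t in self.temporary)
        return lines


R2, R7, R8 = "150.50.100.2", "150.50.7.7", "150.50.5.69"  # addresses from the post


def acl_101(direction: str = "in") -> LockAndKeyACL:
    """R5's access-list 101 as posted (applied inbound by default)."""
    return LockAndKeyACL(101, direction, [
        Entry("permit", "tcp", R7, R2, 23, dynamic="R2-TELNET"),
        Entry("deny", "tcp", R8, R2, 23),
        Entry("deny", "tcp", R7, R2, 23),
        Entry("permit", "ip", "any", "any"),
    ])


def telnet_to_r2(acl: LockAndKeyACL, src: str) -> str:
    return acl.evaluate("tcp", src, R2, 23)


if __name__ == "__main__":
    acl = acl_101()
    acl.authenticate(R8)                        # R8 telnets to R5 and authenticates
    print("\n".join(acl.show()))
    print("R7 -> R2:", telnet_to_r2(acl, R7))  # deny: the temp entry now names R8
    print("R8 -> R2:", telnet_to_r2(acl, R8))  # permit
```

Running the script walks through the second half of Mike's experiment: after R8 authenticates, the temporary entry carries R8's address rather than the 150.50.7.7 written in the template, so R7's telnet falls through to the static deny line while R8's is permitted. Constructing the list with `acl_101("out")` shows the other half of the quoted rule, where the authenticating host replaces the destination instead.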
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:53 GMT-3