RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !

From: kasturi cisco (kasturi_cisco@hotmail.com)
Date: Fri Jun 06 2003 - 22:19:52 GMT-3

• Next message: kasturi cisco: "Nat Problem over FRelay ?"
• Previous message: Daniel Cisco Group Study: "RE: Show ip ospf database router self-originate"
• Next in thread: Mike Williams: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Maybe reply: Mike Williams: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Maybe reply: kasturi cisco: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Mike/Group,

Ur mail made me go thru the Dynamic ACL and just see what was happening.
I find some interesting results. Looks to me at outset the code u have
may be buggy ( i could be wrong). I tried the same setup u have,maybe IP
addresses are different. Here is what i have found.I am using 12.1(5)T
code on all routers. they are 2500's.

My setup : |-------------------
R5--------serial----------R9-----153.1.12.9
| e0: 100.1.1.1
|Devices:
100.1.1.2, 100.1.1.3,100.1.1.4

Case 1. When i tried with the following ACL on R5:
access-list 110 permit tcp any host 100.1.1.1 eq telnet
access-list 110 dynamic test permit tcp any 153.1.0.0 0.0.255.255 eq
telnet

- I got all the devices to telnet one by one after authentication as
expected.

Case 2. When i tried with following ACL on R5 ( specific host 100.1.1.2)
access-list 110 permit tcp any host 100.1.1.1 eq telnet
access-list 110 dynamic test permit tcp host 100.1.1.2 153.1.0.0
0.0.255.255 eq telnet

- I got an error message as follows:
R4#telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
Source 100.1.1.3 is not in mask(100.1.1.2, 0.0.0.0) in the ACL
[Connection to 100.1.1.1 closed by foreign host] and it would not allow
me to telnet.

R4#telnet 153.1.200.9
Trying 153.1.200.9 ...
% Destination unreachable; gateway or host down

Case 3: When i tried following on R5 ( no access-enable host only
access-enable)
R5#show access-lists
Extended IP access list 110
permit tcp any host 100.1.1.1 eq telnet
Dynamic test permit tcp any 153.1.0.0 0.0.255.255 eq telnet
deny icmp any any

- I get an error message as in last line
R5#
R5#
termsver#telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
Line has invalid autocommand "access-enable"
[Connection to 100.1.1.1 closed by foreign host]
termsver#

Let me know. So it looks like the Dynamic ACL works as expected.

Good Luck,
Kasturi.

------------------------------------------------------------------------

They're big & powerful. The macho mean machines! SUVs are here to stay!

• Next message: kasturi cisco: "Nat Problem over FRelay ?"
• Previous message: Daniel Cisco Group Study: "RE: Show ip ospf database router self-originate"
• Next in thread: Mike Williams: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Maybe reply: Mike Williams: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Maybe reply: kasturi cisco: "RE: Strange quirk in Dynamic ACLs?!?! Interesting Resuls !"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:54 GMT-3