From: Mike Williams (ccie2be@swbell.net)
Date: Sat Jun 07 2003 - 13:26:28 GMT-3
Okay.......... After seeing YOUR post I decided to try some things out
myself as well =)
Here's what I found.....
A) If you specify 'any' as the source IP in the dyn ACL entry, then it
doesn't matter if you use the 'host' keyword on the autocommand, as the
dyn ACL entry created when someone authenticates will be "any" as well.
Any host can spawn the dyn ACL entry by authenticating, then that or ANY
host can use the "hole" created by the dyn ACL entry.
B) If you specify a specific IP (host IP) as the source in the dyn ACL
entry, and you DO use the 'host' keyword, then only that specific source
IP address will be able to spawn the dynamic ACL entry and actually use
it.
C) If you specify a specific IP (host IP) as the source in the dyn ACL
entry, and you DO NOT use the 'host' keyword, then any host can spawn
the dyn ACL entry, but they will also be the only IP address allowed to
use it.
So it would appear that using the 'host' keyword has the effect of
actually only allowing the host mentioned as the source in the dyn ACL
entry to create the dyn ACL entry by authenticating, whereas not using
'host' allows any single IP address to authenticate to create the
entry, but then only that specific IP can use the hole created. Lastly,
using 'any' for the source allows any host to create, and afterwards,
any host to use the hole regardless of whether the 'host' keyword is
specified.
Does this line up with what you found?
Mike W.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kasturi cisco
Sent: Friday, June 06, 2003 8:20 PM
To: ccie2be@swbell.net; ccielab@groupstudy.com
Cc: kasturi_cisco@hotmail.com
Subject: RE: Strange quirk in Dynamic ACLs?!?! Interesting Results!
Mike/Group,
Your mail made me go through the Dynamic ACL and just see what was happening.
I find some interesting results. Looks to me at the outset the code you have
may be buggy (I could be wrong). I tried the same setup you have, maybe IP
addresses are different. Here is what I have found. I am using 12.1(5)T
code on all routers. They are 2500's.
My setup:

R5--------serial----------R9-----153.1.12.9
|
e0: 100.1.1.1
|
Devices: 100.1.1.2, 100.1.1.3, 100.1.1.4
Case 1. When I tried with the following ACL on R5:
access-list 110 permit tcp any host 100.1.1.1 eq telnet
access-list 110 dynamic test permit tcp any 153.1.0.0 0.0.255.255 eq telnet
- I got all the devices to telnet one by one after authentication as
expected.
Case 2. When I tried with the following ACL on R5 (specific host
100.1.1.2):
access-list 110 permit tcp any host 100.1.1.1 eq telnet
access-list 110 dynamic test permit tcp host 100.1.1.2 153.1.0.0 0.0.255.255 eq telnet
- I got an error message as follows:
R4#telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
Source 100.1.1.3 is not in mask(100.1.1.2, 0.0.0.0) in the ACL
[Connection to 100.1.1.1 closed by foreign host]
and it would not allow me to telnet.
R4#telnet 153.1.200.9
Trying 153.1.200.9 ...
% Destination unreachable; gateway or host down
Case 3: When I tried the following on R5 (no "access-enable host", only
"access-enable"):
R5#show access-lists
Extended IP access list 110
permit tcp any host 100.1.1.1 eq telnet
Dynamic test permit tcp any 153.1.0.0 0.0.255.255 eq telnet
deny icmp any any
- I get an error message as in the last line:
R5#
R5#
termsver#telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
Line has invalid autocommand "access-enable"
[Connection to 100.1.1.1 closed by foreign host]
termsver#
Let me know. So it looks like the Dynamic ACL works as expected.
Good Luck,
Kasturi.
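Putting Mike's three cases (A/B/C) and Kasturi's lab into one lock-and-key configuration, as an added example written for this thread rather than either poster's own config. It assumes the thread's addressing (R5 e0 = 100.1.1.1, hosts 100.1.1.2-4, destinations in 153.1.0.0/16), the placeholder username/password "cisco" from Kasturi's session, and timeout values of my own choosing. Variant B is the least-privilege form: the dynamic line names one source host and the autocommand carries the 'host' keyword, so only that host can open the temporary entry and only that host can use it.

```cisco
! Lock-and-key on R5 (added example; addresses and 'cisco' credentials are lab placeholders)
!
username cisco password 0 cisco
! 'host' makes IOS substitute the authenticating host's address into the temporary entry
! and reject callers whose source does not fall inside the dynamic line's source mask.
username cisco autocommand access-enable host timeout 5
!
! Static entry: callers must be able to reach the router itself to authenticate.
access-list 110 permit tcp any host 100.1.1.1 eq telnet
!
! Variant B (tightest): only 100.1.1.2 can open the hole, and only 100.1.1.2 can use it.
access-list 110 dynamic test timeout 10 permit tcp host 100.1.1.2 153.1.0.0 0.0.255.255 eq telnet
!
! Variant A (loosest): replace the dynamic line above with
!   access-list 110 dynamic test timeout 10 permit tcp any 153.1.0.0 0.0.255.255 eq telnet
! Once any one host authenticates, the temporary entry is 'any' too, so every host on e0 can use it.
!
! Variant C: keep 'host 100.1.1.2' in the dynamic line but drop the 'host' keyword:
!   username cisco autocommand access-enable timeout 5
! Any host can authenticate and create the entry, but the entry still matches only source 100.1.1.2.
!
interface Ethernet0
 ip address 100.1.1.1 255.255.255.0
 ip access-group 110 in
!
line vty 0 4
 login local
!
! Verify: 'show access-lists 110' lists the temporary entries beneath the dynamic line.
! Tear one down by hand: clear access-template 110 test 100.1.1.2 0.0.0.0 153.1.0.0 0.0.255.255
```

When reviewing a lock-and-key deployment, check both halves together: the source in the dynamic line and the presence of 'host' on the autocommand. Kasturi's "Source 100.1.1.3 is not in mask(100.1.1.2, 0.0.0.0)" message is what Variant B looks like when a host other than the permitted one tries to authenticate, and the absolute timeout on the dynamic line bounds how long an opened entry survives if nobody clears it.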
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:54 GMT-3