Re: Lock and Key (Dynamic Access Lists)

From: Tim Fletcher (groupstudy@fletchmail.net)
Date: Wed Jan 07 2004 - 13:34:00 GMT-3


Yes, it should. Permitting IP includes ICMP. I've only ever done lock and
key with the autocommand on the username, not on the line. I would try
removing the autocommand altogether. You can just telnet in and run the
access-enable command manually. At that point, you should be able to see
the dynamic entry when you do a sh access-list.

-Tim Fletcher

At 10:16 AM 1/7/2004 -0500, ccie2be wrote:
>Hi Tim,
>
>Thanks for getting back to me.
>
>To answer your question, yes, the ping is going into S2.
>
>I would think that my dynamic acl entry would allow pings since it allows
>all ip packets to subnet 172.16.136.0. Would you agree?
>
>dt
>----- Original Message -----
>From: "Tim Fletcher" <groupstudy@fletchmail.net>
>To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
>Sent: Tuesday, January 06, 2004 7:52 PM
>Subject: Re: Lock and Key (Dynamic Access Lists)
>
>
> > At 06:14 PM 1/6/04, ccie2be wrote:
> > >Hi guys,
> > >
> > >I'm having problems getting this to work properly and I have 2 questions
> > >about this.
> > >
> > >1) When using local authentication, does the name in the username xxxx
> > >password yyyy need to match the name in the dynamic access list entry?
> > >If it does, doesn't that create problems in that everyone must use the
> > >same name password combo? (I understand that only 1 dynamic entry should
> > >be used when creating dynamic access lists.)
> >
> > No, it does not have to match.
> >
> >
> > >2) Does the dynamic access list have to explicitly permit icmp in order
> > >for ping to work?
> > >
> > >I have the following config:
> > >
> > >username test password ccie
> > >
> > >int s2
> > > ip addr x.x.x.x m.m.m.m
> > > ip access-group 100 in
> > >
> > >access-list 100 permit tcp any host 172.16.32.3 eq telnet
> > >access-list 100 dynamic test permit ip any 172.16.136.0 0.0.0.255
> > >
> > >line vty 0 4
> > > password cisco
> > > login local
> > > autocommand access-enable timeout 3
> > >
> > >What happens is this. When I telnet to the ip addr above, I get
> > >challenged to enter a name and password and then I get (as I should) a
> > >message like "session closed by foreign host". But, then when I try to
> > >ping a host on subnet 172.16.136.0, I get U.U.U
> > >
> > >Shouldn't I be able to ping with the above config?
> >
> > Is your connection coming into S2?
> >
> >
> > >Thanks in advanced, dt
> > >
> > >_______________________________________________________________________
> > >Please help support GroupStudy by purchasing your study materials from:
> > >http://shop.groupstudy.com
> > >
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
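Added example (not from the thread): the lock-and-key layout Tim describes, with the autocommand on the username rather than on the vty line, so that only the lock-and-key user triggers access-enable and a separate admin login still gets a shell. The S2 address 172.16.32.3 is inferred from the static telnet entry in dt's ACL (the original shows x.x.x.x), and the mask, the admin account name and password, and the two timeout values are assumed for illustration.

```cisco
! Added example, not the poster's configuration. Addresses, the admin
! account and the timeouts are assumed for illustration.
!
! Lock-and-key user. "host" replaces "any" in the source of the temporary
! entry with the address the user telnetted from; "timeout 5" is the idle
! timeout, in minutes, for that temporary entry.
username test password ccie
username test autocommand access-enable host timeout 5
!
! Admin account with no autocommand, so an administrator still gets a
! shell through the same vty lines instead of being disconnected.
username admin privilege 15 password admin-secret
!
interface Serial2
 ip address 172.16.32.3 255.255.255.0
 ip access-group 100 in
!
! Static entry: the telnet to the router itself must be permitted, or the
! user can never authenticate to open the dynamic entry.
access-list 100 permit tcp any host 172.16.32.3 eq telnet
! Dynamic entry: "timeout 10" is the absolute lifetime, in minutes, of the
! temporary entry. "permit ip" already covers ICMP, so ping needs no
! separate icmp line.
access-list 100 dynamic test timeout 10 permit ip any 172.16.136.0 0.0.0.255
!
line vty 0 4
 login local
```

To check it, telnet to 172.16.32.3 as "test" (the session is closed right after login, as expected), then on the router run "show access-lists 100": a temporary "permit ip host <source> 172.16.136.0 0.0.0.255" entry should appear beneath the dynamic line. If it does not, the telnet is arriving on an interface other than S2, which is what Tim asked first. The temporary entry can be removed early with "clear access-template".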



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3