Re: Lock and Key Problem

From: Gerry Hilton (gerry.hilton@rogers.com)
Date: Fri Jul 23 2004 - 11:36:50 GMT-3


Hi. The temporary entry which will be created from your access list is
permit ip any any as it is what is specified on the line with dynamic:

access-list 101 dynamic mytest timeout 120 permit ip any any

Thus, that is where you should put what you want for the temporary
access-list.

For example,

access-list 101 dynamic mytest timeout 120 permit ip host 10.10.10.2 any

where 10.10.10.2 is the address of your PC.

Gerry

Phil wrote:

>Hi group,
>
>Has anybody tried to play with lock and key?
>
>I have the configuration below but when I telnet to the router to
>authenticate, instead of having an opening in the access-list
>permitting from my PC's IP address to any I get an opening permitting
>any any which allows any other hosts in the subnet to have full access.
>I tried a couple of different IOS versions and get the same result;
>12.1.1 and 12.3.1 are 2 I remember.
>
>Thanks,
>
>Phil
>===========================
>rlab_2621c#wr t
>Building configuration...
>
>Current configuration : 2215 bytes
>!
>version 12.3
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname rlab_2621c
>!
>username phil password 0 test
>ip subnet-zero
>!
>ip dhcp excluded-address 172.16.34.33
>ip dhcp excluded-address 172.16.34.65
>ip dhcp excluded-address 172.16.34.34
>ip dhcp excluded-address 172.16.34.66
>!
>ip dhcp pool vlan432
> network 172.16.34.32 255.255.255.240
> default-router 172.16.34.33
> dns-server 10.128.1.25
>!
>ip dhcp pool vlan464
> network 172.16.34.64 255.255.255.240
> default-router 172.16.34.65
> dns-server 10.128.1.25
>!
>ip audit notify log
>ip audit po max-events 100
>!
>interface FastEthernet0/0
> no ip address
> speed 100
> full-duplex
>!
>interface FastEthernet0/0.1
> encapsulation isl 416
> ip address 172.16.34.17 255.255.255.240
> ip access-group 101 in
> no ip redirects
>!
>interface FastEthernet0/0.2
> encapsulation isl 464
> ip address 172.16.34.65 255.255.255.240
> ip access-group 101 in
> no ip redirects
>!
>interface FastEthernet0/0.3
> encapsulation isl 432
> ip address 172.16.34.33 255.255.255.240
> ip access-group 101 in
> no ip redirects
>!
>interface BRI0/0
> no ip address
> shutdown
>!
>interface FastEthernet0/1
> ip address 172.16.34.1 255.255.255.248
> speed 100
> full-duplex
>!
>router eigrp 65500
> network 172.16.0.0
> no auto-summary
>!
>no ip http server
>no ip http secure-server
>ip classless
>ip route 0.0.0.0 0.0.0.0 172.16.30.3
>!
>!
>access-list 101 dynamic mytest timeout 120 permit ip any any
>access-list 101 permit tcp any host 172.16.34.17 eq telnet
>access-list 101 permit tcp any host 172.16.34.65 eq telnet
>access-list 101 permit tcp any host 172.16.34.33 eq telnet
>access-list 101 permit udp any any eq bootpc
>access-list 101 permit udp any any eq bootps
>!
>line con 0
> password cisco
>line aux 0
>line vty 0 4
> password cisco
> login local
> autocommand access-enable timeout 5
>!
>end
>
>rlab_2621c#
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
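An added configuration example, not from either poster, showing the same lock-and-key setup with the temporary entry tied to whichever host authenticated. It keeps Phil's addresses and access-list number and assumes the IOS `host` keyword on `access-enable`, which substitutes the Telnet client's address for the source in the dynamic entry; Gerry's variant instead fixes the PC address in the dynamic line itself.

```cisco
! Added example (not from the original thread). Addresses and ACL number
! are taken from Phil's config; the "host" keyword on access-enable is
! assumed from IOS lock-and-key behaviour.
!
! The dynamic line is the template for the temporary entry. With
! "access-enable host", the "any" source below is replaced by the
! authenticated client's address; without "host" the entry is created
! exactly as written here, i.e. permit ip any any (Phil's symptom).
access-list 101 dynamic mytest timeout 120 permit ip any any
!
! Static entries: Telnet to the router for authentication, plus DHCP.
access-list 101 permit tcp any host 172.16.34.17 eq telnet
access-list 101 permit tcp any host 172.16.34.65 eq telnet
access-list 101 permit tcp any host 172.16.34.33 eq telnet
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
!
interface FastEthernet0/0.3
 ip address 172.16.34.33 255.255.255.240
 ip access-group 101 in
!
line vty 0 4
 login local
 ! "host" limits the temporary entry to the address the Telnet session
 ! came from; "timeout 5" is the idle timeout in minutes.
 autocommand access-enable host timeout 5
!
! Check after a user authenticates: the temporary entry listed under
! the dynamic line should read "permit ip host <client-ip> any",
! not "permit ip any any".
! show access-lists 101
```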



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:01 GMT-3