Re: dynamic acl question (IE vs. CISCO)

From: Godswill Oletu (oletu@inbox.lv)
Date: Sat Jun 25 2005 - 18:54:46 GMT-3


John,

Did option 1 work as desired for you? I have not had time to lab it, but
this is my take on it.....

> ip access-list extended auto
> dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> deny tcp any any eq telnet
> permit ip any any

The telnet traffic has to be allowed to R1 for authentication before
the dynamic acl will come into effect. Here, you did not permit the initial
telnet session in for authentication. It also appears that your dynamic acl
is only for telnet traffic between the host and the router.

> ip access-list extended auto
> permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> dynamic telnet timeout 120 permit ip any any

The first permit statement will permit telnet traffic to the router so that
authentication can take place; once that is achieved, the dynamic acl
'telnet' will permit 'any' traffic from 'any' to 'any'.

This is the way it had worked for me in the past:

#username r1 password cisco
#autocommand access-enable host timeout 5

#permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
#dynamic telnet timeout 120 permit ip any any

#line vty 0 4
#login local

The question now is: what is the difference if the 'autocommand' command is
placed under the vty line or in configuration mode?

Thanks
Godswill Oletu
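To make the ordering argument above concrete, here is an added example (not code from this thread, from Cisco, or from either lab vendor) that simulates first-match evaluation of the two access lists quoted in the thread. The model it assumes is stated in the docstring: entries match top-down with an implicit deny at the end, a `dynamic` line is inert until `access-enable` creates a temporary entry, that temporary entry is evaluated at the position of its `dynamic` line, and the `host` keyword on `access-enable` narrows the temporary entry's source to the authenticating host. Addresses other than 1.2.3.4 and 150.1.1.1 (10.0.0.5 as an inside host, 9.9.9.9 as an unauthenticated outsider) are constructed for the walk-through.

```python
"""Simulated first-match evaluation of a Cisco-style lock-and-key (dynamic) ACL.

Assumed model (an assumption of this example, not a statement of IOS internals):
  - entries are evaluated top-down, first match wins, implicit deny at the end
  - a 'dynamic NAME' line is inert until access_enable(NAME, ...) is called,
    which stands in for a user authenticating and 'autocommand access-enable'
  - with the 'host' keyword, the temporary entry's source becomes the
    authenticating host; without it, the dynamic line's own source is kept
  - the temporary entry is evaluated at the position of its dynamic line
Only 'host X' and 'any' addresses and 'eq PORT' are parsed; timeouts are ignored.
"""
from dataclasses import dataclass
from typing import Optional, Dict

TELNET = 23


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: str                     # IPv4 address or 'any'
    dst: str
    dport: Optional[int]         # None = any port
    dynamic: Optional[str]       # dynamic-list name if this is a 'dynamic' line
    line: str


def parse_entry(text: str) -> Entry:
    """Parse one extended-ACL line such as 'dynamic telnet timeout 120 permit ip any any'."""
    toks = text.split()
    dynamic = None
    if toks[0] == 'dynamic':
        dynamic = toks[1]
        toks = toks[2:]
        if toks[0] == 'timeout':      # absolute timeout (minutes): not modelled
            toks = toks[2:]
    action, proto, toks = toks[0], toks[1], toks[2:]

    def take_addr():
        nonlocal toks
        if toks[0] == 'host':
            addr, toks = toks[1], toks[2:]
        else:
            addr, toks = toks[0], toks[1:]   # 'any'
        return addr

    src, dst = take_addr(), take_addr()
    dport = None
    if toks[:1] == ['eq']:
        dport = TELNET if toks[1] == 'telnet' else int(toks[1])
    return Entry(action, proto, src, dst, dport, dynamic, text)


class DynamicAcl:
    def __init__(self, config_text: str):
        self.entries = [parse_entry(l.strip()) for l in config_text.splitlines() if l.strip()]
        self.active: Dict[str, Optional[str]] = {}   # name -> narrowed src (None = keep line's src)

    def access_enable(self, name: str, authenticated_from: str, host_keyword: bool = True):
        """Model 'access-enable [host] timeout N' run after a successful vty login."""
        self.active[name] = authenticated_from if host_keyword else None

    def evaluate(self, pkt: Packet):
        """Return (action, matching line) for the packet under first-match semantics."""
        for e in self.entries:
            src = e.src
            if e.dynamic is not None:
                if e.dynamic not in self.active:
                    continue                      # no temporary entry yet: inert
                if self.active[e.dynamic] is not None:
                    src = self.active[e.dynamic]  # 'host' keyword narrowed the source
            if e.proto not in ('ip', pkt.proto):
                continue
            if src != 'any' and src != pkt.src:
                continue
            if e.dst != 'any' and e.dst != pkt.dst:
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
            return e.action, e.line
        return 'deny', 'implicit deny'


# The two access lists quoted in the thread, typos corrected.
IE_WAY = """
dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
deny tcp any any eq telnet
permit ip any any
"""
CISCO_WAY = """
permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
dynamic telnet timeout 120 permit ip any any
"""


def walk_through(acl_text: str, host_keyword: bool = True) -> Dict[str, str]:
    """Authenticating host 1.2.3.4 telnets to R1 (150.1.1.1); inside host 10.0.0.5
    and outsider 9.9.9.9 are constructed for the example."""
    client, router, inside, outsider = '1.2.3.4', '150.1.1.1', '10.0.0.5', '9.9.9.9'
    acl = DynamicAcl(acl_text)
    result = {'initial_telnet': acl.evaluate(Packet('tcp', client, router, TELNET))[0],
              'through_before_auth': acl.evaluate(Packet('tcp', client, inside, 22))[0]}
    if result['initial_telnet'] == 'permit':     # login only possible if telnet got in
        acl.access_enable('telnet', client, host_keyword)
    result['through_after_auth'] = acl.evaluate(Packet('tcp', client, inside, 22))[0]
    result['outsider_after_auth'] = acl.evaluate(Packet('tcp', outsider, inside, 22))[0]
    return result


if __name__ == '__main__':
    for label, text, host in (('IE way', IE_WAY, True), ('Cisco way, host', CISCO_WAY, True),
                              ('Cisco way, no host', CISCO_WAY, False)):
        print(label, walk_through(text, host))
```

Under this model the "IE way" never lets the authenticating telnet in (the dynamic line is inert, so `deny tcp any any eq telnet` matches first) while its final `permit ip any any` already passes everything else from anyone, so nothing is actually gated. The "Cisco way" admits the telnet for login, blocks through-traffic until then, and after `access-enable host` opens the path only for 1.2.3.4; the third run shows why the `host` keyword matters, since without it the temporary entry keeps the line's `any` source and 9.9.9.9 gets through as well.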

----- Original Message -----
From: "John Matus" <john_matus@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, June 21, 2005 7:14 PM
Subject: dynamic acl question (IE vs. CISCO)

> I'm a bit confused about the "proper" way to configure a dynamic
> acl.........I've read the "cisco" way and seen the "IE" way but am confused
> about which way to go.........
>
> let's say that I want to allow one telnet host into R1......I've seen 2 ways
> to do it
>
> R1 (IE WAY)
> username r1 password cisco
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 5
>
> ip access-list extended auto
> dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> deny tcp any any eq telnet
> permit ip any any
>
> R1 (CISCO WAY)
> username r1 password cisco
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 5
>
> ip access-list extended auto
> permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> dynamic telnet timeout 120 permit ip any any
>
> what is the functional difference between the two?
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:44 GMT-3