From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue Aug 23 2005 - 18:10:52 GMT-3
Also here is the documentation for the two timeout values:
access-enable - timeout minutes
(Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently.
access-list access-list-number [dynamic dynamic-name [timeout minutes]]
(Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
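To show how the two timeouts documented above fit together in a lock-and-key configuration, here is an added example; it is not taken from any message in this thread. The addressing follows Dave's R1 config, while the username, the timeout values, the vty layout and R2's address (assumed 192.168.2.2) are assumptions.

```cisco
! Added example (not from the thread): both lock-and-key timeouts on one router.
!
! Local account the remote user authenticates as before a temporary entry is created.
username lockuser secret <set-a-strong-secret>
!
! Static entries: the routing protocol and the Telnet used for authentication.
access-list 100 permit ospf any any
access-list 100 permit tcp any any eq telnet
! Dynamic template. "timeout 10" is the ABSOLUTE lifetime in minutes: a temporary
! entry is removed 10 minutes after creation whether or not it is still in use.
! Without it (as in the original config) the entry stays until someone clears it.
access-list 100 dynamic mytest timeout 10 permit ip any any
!
interface Serial0
 ip access-group 100 in
!
! The autocommand runs after login: it creates the temporary entry and drops the
! Telnet session. "host" replaces the template's source "any" with the address of
! the authenticating host, so each host gets its own entry rather than one shared
! "permit ip any any". "timeout 5" is the IDLE timeout in minutes: the entry is
! removed after 5 minutes without matching traffic. With neither timeout the
! entry is permanent, and a second login from the same host is refused with
! "already contains this IP address pair" until the entry is cleared by hand.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! autocommand applies to every login on those lines, so keep one vty without it
! for administration; rotary 1 makes it reachable on TCP port 3001.
line vty 4
 login local
 rotary 1
!
! Housekeeping from exec mode (not configuration): list the temporary entries
! that currently exist, and remove one before it expires if the host must
! authenticate again (R2's address 192.168.2.2 is assumed).
! show access-list
! clear access-template 100 mytest host 192.168.2.2 any
```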
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
Sent: Tuesday, August 23, 2005 2:02 PM
To: Schulz, Dave; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
Dave,
First off we don't know what timeout value you added so we can't tell if you are trying to telnet before the timeout expired ;-) Secondly there are two timeout values that can be used, one in the access-list itself and the other on the end of the access-enable command.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: Schulz, Dave [mailto:DSchulz@dpsciences.com]
Sent: Tuesday, August 23, 2005 1:20 PM
To: Brian Dennis; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
Brian -
It appears that I have everything correct....I even added the timeout to the configuration (as per the documentation). However, I still get this message....
List#100-mytest already contains this IP address pair
Dave Schulz
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Tuesday, August 23, 2005 3:31 PM
To: Schulz, Dave; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
The "show sessions" command will not show the session. The "show sessions" command shows the sessions that you have open. Do a "show access-list" to see if the dynamic entry is active.
Here is an example:
Rack4R2#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Password:
[Connection to 1.1.1.1 closed by foreign host]
Rack4R2#
Rack4AS>1
[Resuming connection 1 to r1 ... ]
*
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
permit icmp host 1.1.1.2 any echo
30 deny ip any any (36 matches)
Rack4R1#
Rack4R1#clear access-template 100 LOCK_KEY host 1.1.1.2 any
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
30 deny ip any any (66 matches)
Rack4R1#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Tuesday, August 23, 2005 10:08 AM
To: Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
That is the strange part....show session doesn't show any open sessions. Yet, it appears that it is being held open (somewhere).
Dave Schulz, CCDP, CCNP, CCSP
Project Manager / TAC Supervisor
Data Processing Sciences Corporation
10810 Kenwood Road
Cincinnati, Ohio 45242
Phone - (513) 791-7100 ext.7411
Fax - (513) 791-4676
Email: dschulz@dpsciences.com
-----Original Message-----
From: Hictor Fernandez [mailto:gnakh@telefonica.net]
Sent: Tuesday, August 23, 2005 11:58 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: Re: Dynamic access-list and lock and key issue
Try show session and kill the one you had before...
I think that'll work
Hictor
----- Original Message -----
From: "Schulz, Dave" <DSchulz@dpsciences.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, August 23, 2005 5:42 PM
Subject: Dynamic access-list and lock and key issue
> Group -
>
> Working with dynamic access-lists and lock and key, I am having an issue
> with getting this to work properly.
>
> Here is my config on R1:
>
> Interface Loopback0
> Ip address 10.10.10.10 255.255.255.0
> !
> interface Serial0
> description Connection to S0 on R2
> ip address 192.168.2.1 255.255.255.0
> ip access-group 100 in
> no fair-queue
> clockrate 64000
> !
> router ospf 1
> log-adjacency-changes
> network 10.10.10.10 0.0.0.0 area 0
> network 192.168.2.0 0.0.0.255 area 0
> network 192.168.3.0 0.0.0.255 area 1
> !
> access-list 100 permit ospf any any
> access-list 100 permit tcp any any eq telnet
> access-list 100 dynamic mytest permit ip any any
> !
>
> R2 is connected to the serial port of R1. When I initiate a telnet to
> the loopback address of R1....I get the following.....
>
> R2#10.10.10.10
> Trying 10.10.10.10 ... Open
>
>
> User Access Verification
>
> Username: cisco
> Password:
> List#100-mytest already contains this IP address pair
> [Connection to 10.10.10.10 closed by foreign host]
>
> Furthermore, when I do a show access-list on R1, I get the following:
>
> R1#sh ip access
> Extended IP access list 100
> permit ospf any any (21 matches)
> permit tcp any any eq telnet (96 matches)
> Dynamic mytest permit ip any any
> permit ip any any
>
>
> So, where is the connection that it says is already established? I even
> tried to bounce the interfaces and can't seem to clear the mytest list.
> Thoughts?
>
> Dave
>
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3