From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Tue Aug 23 2005 - 18:12:56 GMT-3
Gotcha. I added both to try to get it to work.....
Autocommand access-enable timeout 5
On the vty line....
As well as a timeout of 120 on the dynamic access-list.
Very strange.
Dave Schulz
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Tuesday, August 23, 2005 5:02 PM
To: Schulz, Dave; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
Dave,
First off we don't know what timeout value you added so we can't tell if you are trying to telnet before the timeout expired ;-) Secondly there are two timeout values that can be used, one in the access-list itself and the other on the end of the access-enable command.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: Schulz, Dave [mailto:DSchulz@dpsciences.com]
Sent: Tuesday, August 23, 2005 1:20 PM
To: Brian Dennis; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
Brian -
It appears that I have everything correct....I even added the timeout to the configuration (as per the documentation). However, I still get this message....
List#100-mytest already contains this IP address pair
Dave Schulz
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Tuesday, August 23, 2005 3:31 PM
To: Schulz, Dave; Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
The "show sessions" command will not show the session. The "show sessions" commend shows the sessions that you have open. Do a "show access-list" to see if the dynamic entry is active.
Here is an example:
Rack4R2#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Password:
[Connection to 1.1.1.1 closed by foreign host]
Rack4R2#
Rack4AS>1
[Resuming connection 1 to r1 ... ]
*
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
permit icmp host 1.1.1.2 any echo
30 deny ip any any (36 matches)
Rack4R1#
Rack4R1#clear access-template 100 LOCK_KEY host 1.1.1.2 any
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
30 deny ip any any (66 matches)
Rack4R1#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
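Putting Brian's two points together (the two separate timeouts, and checking or clearing the temporary entry with "show access-list" / "clear access-template"), here is an added lock-and-key configuration for R1 written for this archive; it is not taken from any message in the thread. It assumes Dave's addressing (Serial0 at 192.168.2.1, loopback 10.10.10.10, list 100, dynamic name "mytest"), a local user named lockkey, and the password placeholder REPLACE_ME.

```cisco
! Added example (not from the thread): lock-and-key on R1.
! Assumes Dave's addressing; user name and password are placeholders.
!
! The idle timeout (minutes) goes on the end of access-enable. Putting the
! autocommand on the user rather than on "line vty" keeps the vty lines
! usable for normal administration. The "host" keyword substitutes the
! authenticating source address for "any" in the temporary entry; without
! it the entry installed is literally "permit ip any any", which is what
! Dave's "sh ip access" output shows.
username lockkey password 0 REPLACE_ME
username lockkey autocommand access-enable host timeout 5
!
! The absolute timeout (minutes) goes on the dynamic entry itself and must
! be longer than the idle timeout. Without it the temporary entry never
! ages out on its own, so the next login reports that the list "already
! contains this IP address pair". Only the telnet needed to open the lock
! is permitted statically; everything else waits for the dynamic entry.
access-list 100 permit ospf any any
access-list 100 permit tcp any host 10.10.10.10 eq telnet
access-list 100 dynamic mytest timeout 120 permit ip any any
access-list 100 deny ip any any log
!
interface Serial0
 ip access-group 100 in
!
line vty 0 4
 login local
!
! Verification and cleanup are exec-mode commands, not configuration:
! R1#show access-lists 100
! R1#clear access-template 100 mytest any any
```

With the "host" keyword in place the temporary entry carries the real source address, so the clear command names that host instead, in the same form as Brian's "clear access-template 100 LOCK_KEY host 1.1.1.2 any". Log the final deny so attempts that arrive before the lock is opened show up in the router's log rather than being dropped silently.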
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Tuesday, August 23, 2005 10:08 AM
To: Hictor Fernandez; ccielab@groupstudy.com
Subject: RE: Dynamic access-list and lock and key issue
That is the strange part....show session doesn't show any open sessions. Yet, it appears that it is being held open (somewhere).
Dave Schulz, CCDP, CCNP, CCSP
Project Manager / TAC Supervisor
Data Processing Sciences Corporation
10810 Kenwood Road
Cincinnati, Ohio 45242
Phone - (513) 791-7100 ext.7411
Fax - (513) 791-4676
Email: dschulz@dpsciences.com
-----Original Message-----
From: Hictor Fernandez [mailto:gnakh@telefonica.net]
Sent: Tuesday, August 23, 2005 11:58 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: Re: Dynamic access-list and lock and key issue
Try show session and kill the one you had before...
I think that'll work
Hictor
----- Original Message -----
From: "Schulz, Dave" <DSchulz@dpsciences.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, August 23, 2005 5:42 PM
Subject: Dynamic access-list and lock and key issue
> Group -
>
> Working with dynamic access-lists and lock and key, I am having an issue
> with getting this to work properly.
>
> Here is my config on R1:
>
> interface Loopback0
> ip address 10.10.10.10 255.255.255.0
> !
> interface Serial0
> description Connection to S0 on R2
> ip address 192.168.2.1 255.255.255.0
> ip access-group 100 in
> no fair-queue
> clockrate 64000
> !
> router ospf 1
> log-adjacency-changes
> network 10.10.10.10 0.0.0.0 area 0
> network 192.168.2.0 0.0.0.255 area 0
> network 192.168.3.0 0.0.0.255 area 1
> !
> access-list 100 permit ospf any any
> access-list 100 permit tcp any any eq telnet
> access-list 100 dynamic mytest permit ip any any
> !
>
> R2 is connected to the serial port of R1. When I initiate a telnet to
> the loopback address of R1....I get the following.....
>
> R2#10.10.10.10
> Trying 10.10.10.10 ... Open
>
>
> User Access Verification
>
> Username: cisco
> Password:
> List#100-mytest already contains this IP address pair
> [Connection to 10.10.10.10 closed by foreign host]
>
> Furthermore, when I do a show access-list on R1, I get the following:
>
> R1#sh ip access
> Extended IP access list 100
> permit ospf any any (21 matches)
> permit tcp any any eq telnet (96 matches)
> Dynamic mytest permit ip any any
> permit ip any any
>
>
> So, where is the connection that it says is already established? I even
> tried to bounce the interfaces and can't seem to clear the mytest list.
> Thoughts?
>
> Dave
>
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3