Problem with Dynamic ACL

From: Ma, Zifang (zifang.ma@eds.com)
Date: Fri Mar 23 2007 - 16:57:47 ART


Hi group

I was doing a little experiment with dynamic ACL listed in a book.

The strange thing is that after authentication, the dynamic part loaded
into the ACL was different from what I configured. I tried a couple of
times, all with the same result. You can see in the following screen
capture that the configured tempaccess is supposed to source from host
150.1.1.1, but after authentication it became host 195.1.1.10, which is
the source IP of the authentication. Is that a software bug, or is the
book wrong? Could anyone help?

Thanks

Router#sh ip access 100
Extended IP access list 100
    Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
    permit tcp any host 195.1.1.4 eq telnet log
Router#

============================================================
Authentication occurred and succeeded
============================================================

09:43:52: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 1 packet
Router#
09:43:57: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 18 packets
Router#sh ip access 100
Extended IP access list 100
    Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log <<===== should be from 150.1.1.1
      permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log <<===== Wrong!!! Now from 195.1.1.10
    permit tcp any host 195.1.1.4 eq telnet log (21 matches)
Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK2S-M), Version 12.1(14)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 27-Feb-03 00:57 by hqluong
Image text-base: 0x60008C08, data-base: 0x614A0000

ROM: System Bootstrap, Version 11.1(13)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 11.3(2)AA, EARLY DEPLOYMENT, RELEASE SOFTWARE (fc1)


