Re: Problem with Dynamic ACL

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Mar 23 2007 - 17:46:28 ART

• Next message: maureen schaar: "Re: Challenge"
• Previous message: Bit Gossip: "Re: fr-inarp for IPv6"
• Maybe in reply to: Ma, Zifang: "Problem with Dynamic ACL"
• Next in thread: Ma, Zifang: "RE: Problem with Dynamic ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Are you using the access-enable command with the host option?

-- 
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
On 3/23/07 12:57 PM, "Ma, Zifang" <zifang.ma@eds.com> wrote:
> Hi group
> 
> I was doing a little experiment with dynamic ACL listed in a book.
> 
> The strange thing is after authentication, the dynamic part loaded into
> the ACL was different from what I configured. I tried a couple of times
> all the same result. You can see the following screen capture, the
> configured tempaccess is supposed to source from host 150.1.1.1 but
> after authentication it became host 195.1.1.10 which is the source IP of
> the authentication. Is that a software bug or the book is wrong? Could
> anyone help?
> 
> Thanks
> 
> Router#sh ip access 100
> Extended IP access list 100
>     Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq
> telnet log
>     permit tcp any host 195.1.1.4 eq telnet log
> Router#
> 
> ============================================================
> Authentication occurred and succeeded
> ============================================================
> 
> 09:43:52: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027)
> -> 195.1
> .1.4(23), 1 packet
> Router#
> 09:43:57: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027)
> -> 195.1
> .1.4(23), 18 packets
> Router#sh ip access 100
> Extended IP access list 100
>     Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq
> telnet log  <<=====should be from 150.1.1.1
>       permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log
> <<===== Wrong!!! Now from 195.1.1.10
>     permit tcp any host 195.1.1.4 eq telnet log (21 matches)
> Router#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-IK2S-M), Version 12.1(14)E2, EARLY
> DEPLOYMENT RELE
> ASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Thu 27-Feb-03 00:57 by hqluong
> Image text-base: 0x60008C08, data-base: 0x614A0000
> 
> ROM: System Bootstrap, Version 11.1(13)CA, EARLY DEPLOYMENT RELEASE
> SOFTWARE (fc
> 1)
> BOOTLDR: 7200 Software (C7200-BOOT-M), Version 11.3(2)AA, EARLY
> DEPLOYMENT, RELE
> ASE SOFTWARE (fc1)
> 
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: maureen schaar: "Re: Challenge"
• Previous message: Bit Gossip: "Re: fr-inarp for IPv6"
• Maybe in reply to: Ma, Zifang: "Problem with Dynamic ACL"
• Next in thread: Ma, Zifang: "RE: Problem with Dynamic ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART