From: Ma, Zifang (zifang.ma@eds.com)
Date: Fri Mar 23 2007 - 20:30:15 ART
Yes, the commands are pretty "standard".
username cisco password 0 cisco
username cisco autocommand access-enable timeout 10
access-list 100 dynamic tempaccess permit tcp host 150.1.1.1 host
152.1.1.1 eq telnet log
access-list 100 permit tcp any host 195.1.1.4 eq telnet log
!
line vty 0 4
login local
!
int s0/1
ip access-group 100 in
!
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Saturday, 24 March 2007 8:46 a.m.
To: Ma, Zifang; ccielab@groupstudy.com
Subject: Re: Problem with Dynamic ACL
Are you using the access-enable command with the host option?
--
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
On 3/23/07 12:57 PM, "Ma, Zifang" <zifang.ma@eds.com> wrote:
> Hi group,
>
> I was doing a little experiment with dynamic ACL listed in a book.
>
> The strange thing is after authentication, the dynamic part loaded
> into the ACL was different from what I configured. I tried a couple of
> times, all with the same result. You can see the following screen capture:
> the configured tempaccess is supposed to source from host 150.1.1.1,
> but after authentication it became host 195.1.1.10, which is the source
> IP of the authentication. Is that a software bug, or is the book wrong?
> Could anyone help?
>
> Thanks
>
> Router#sh ip access 100
> Extended IP access list 100
> Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
> permit tcp any host 195.1.1.4 eq telnet log
> Router#
>
> ============================================================
> Authentication occurred and succeeded
> ============================================================
>
> 09:43:52: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 1 packet
> Router#
> 09:43:57: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 18 packets
> Router#sh ip access 100
> Extended IP access list 100
> Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log <<===== should be from 150.1.1.1
> permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log <<===== Wrong!!! Now from 195.1.1.10
> permit tcp any host 195.1.1.4 eq telnet log (21 matches)
> Router#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-IK2S-M), Version 12.1(14)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Thu 27-Feb-03 00:57 by hqluong
> Image text-base: 0x60008C08, data-base: 0x614A0000
>
> ROM: System Bootstrap, Version 11.1(13)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> BOOTLDR: 7200 Software (C7200-BOOT-M), Version 11.3(2)AA, EARLY DEPLOYMENT, RELEASE SOFTWARE (fc1)
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
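The discrepancy in the quoted `show ip access 100` output is easy to miss by eye on a busier list, because the temporary entries lock-and-key inserts are what actually permit traffic, not the template line. The following Python audit script is an added example, not code from the thread or from Cisco: it takes the `access-list` lines from the running config and the `show ip access-lists` output (the two sample texts are constructed from the output quoted above, not captured from a device), treats every live entry that is not one of the configured permanent ACEs as a temporary entry, and reports which fields of that entry differ from the dynamic template. On the thread's data it reports exactly one temporary entry, with the source `host 150.1.1.1` in the template and `host 195.1.1.10` live.

```python
"""Audit the live entries of a Cisco IOS lock-and-key (dynamic) ACL.

Added example (not from the thread): compare the access-list lines in the
running config with `show ip access-lists` output, report every entry that
is not a configured permanent ACE (a temporary entry inserted after
authentication), and show which fields differ from the dynamic template.
"""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the thread's output; not captured
# from a live device.
RUNNING_CONFIG = """\
access-list 100 dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
access-list 100 permit tcp any host 195.1.1.4 eq telnet log
"""

SHOW_OUTPUT = """\
Extended IP access list 100
    Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
    permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log
    permit tcp any host 195.1.1.4 eq telnet log (21 matches)
"""

FIELDS = ("action", "proto", "src", "dst", "rest")


@dataclass(frozen=True)
class Ace:
    """One access-control entry, split into the fields we compare."""
    action: str
    proto: str
    src: str    # "host A.B.C.D", "any" or "network wildcard"
    dst: str
    rest: str   # port operator and keywords, e.g. "eq telnet log"


ACE_RE = re.compile(
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any|\S+ \S+)\s*(?P<rest>.*)$"
)
MATCHES_RE = re.compile(r"\s*\(\d+ match(es)?\)\s*$")


def parse_ace(text):
    """Parse one ACE; hit counters are dropped so a live entry compares
    equal to its configured form. Returns None for non-ACE lines."""
    m = ACE_RE.search(text)
    if not m:
        return None
    rest = MATCHES_RE.sub("", m.group("rest")).strip()
    return Ace(m.group("action"), m.group("proto"),
               m.group("src"), m.group("dst"), rest)


def parse_config(cfg):
    """Return (dynamic_name, template_ace, set_of_permanent_aces)."""
    name, template, permanent = None, None, set()
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"access-list \d+ dynamic (\S+)(?: timeout \d+)? (.*)", line)
        if m:
            name, template = m.group(1), parse_ace(m.group(2))
            continue
        m = re.match(r"access-list \d+ (.*)", line)
        if m:
            ace = parse_ace(m.group(1))
            if ace:
                permanent.add(ace)
    return name, template, permanent


def parse_show(show):
    """Return the live ACEs; the 'Dynamic <name> ...' line is the template
    echoed back rather than a live entry, so it is skipped."""
    entries = []
    for line in show.splitlines():
        line = line.strip()
        if line.startswith("Dynamic "):
            continue
        ace = parse_ace(line)
        if ace:
            entries.append(ace)
    return entries


def audit(cfg, show):
    """List temporary entries and how each differs from the template."""
    name, template, permanent = parse_config(cfg)
    findings = []
    for ace in parse_show(show):
        if ace in permanent:
            continue   # a configured, permanent ACE
        diffs = {f: (getattr(template, f), getattr(ace, f))
                 for f in FIELDS if getattr(template, f) != getattr(ace, f)}
        findings.append({"template": name, "entry": ace, "diffs": diffs})
    return findings


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG, SHOW_OUTPUT):
        print(f"temporary entry from '{f['template']}': {f['entry']}")
        for field, (want, got) in f["diffs"].items():
            print(f"  {field}: template '{want}' -> live '{got}'")
```

The comparison is field-by-field rather than a plain string diff so that a changed source, destination or port operator is named explicitly; `rest` keeps `log` and the port operator together, which is enough for the single-port template used in the thread.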
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART