From: Edison Ortiz (edisonmortiz@gmail.com)
Date: Fri Mar 23 2007 - 22:25:57 ART
As Brian stated, you need the host option on the access-enable command.
On 3/23/07, Ma, Zifang <zifang.ma@eds.com> wrote:
> Yes, the commands are pretty "standard".
>
> username cisco password 0 cisco
> username cisco autocommand access-enable timeout 10
>
> access-list 100 dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
> access-list 100 permit tcp any host 195.1.1.4 eq telnet log
>
> !
> line vty 0 4
> login local
> !
> int s0/1
> ip access-group 100 in
> !
>
> -----Original Message-----
> From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
> Sent: Saturday, 24 March 2007 8:46 a.m.
> To: Ma, Zifang; ccielab@groupstudy.com
> Subject: Re: Problem with Dynamic ACL
>
> Are you using the access-enable command with the host option?
>
> --
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> On 3/23/07 12:57 PM, "Ma, Zifang" <zifang.ma@eds.com> wrote:
>
> > Hi group
> >
> > I was doing a little experiment with a dynamic ACL listed in a book.
> >
> > The strange thing is that after authentication, the dynamic part loaded
> > into the ACL was different from what I configured. I tried a couple of
> > times, all with the same result. You can see in the following screen capture
> > that the configured tempaccess is supposed to source from host 150.1.1.1,
> > but after authentication it became host 195.1.1.10, which is the source
> > IP of the authentication. Is that a software bug, or is the book wrong?
> >
> > Could anyone help?
> >
> > Thanks
> >
> > Router#sh ip access 100
> > Extended IP access list 100
> >     Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
> >     permit tcp any host 195.1.1.4 eq telnet log
> > Router#
> >
> > ============================================================
> > Authentication occurred and succeeded
> > ============================================================
> >
> > 09:43:52: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 1 packet
> > Router#
> > 09:43:57: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 195.1.1.10(11027) -> 195.1.1.4(23), 18 packets
> > Router#sh ip access 100
> > Extended IP access list 100
> >     Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log   <<===== should be from 150.1.1.1
> >     permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log   <<===== Wrong!!! Now from 195.1.1.10
> >     permit tcp any host 195.1.1.4 eq telnet log (21 matches)
> > Router#sh ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) 7200 Software (C7200-IK2S-M), Version 12.1(14)E2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > TAC Support: http://www.cisco.com/tac
> > Copyright (c) 1986-2003 by cisco Systems, Inc.
> > Compiled Thu 27-Feb-03 00:57 by hqluong
> > Image text-base: 0x60008C08, data-base: 0x614A0000
> >
> > ROM: System Bootstrap, Version 11.1(13)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > BOOTLDR: 7200 Software (C7200-BOOT-M), Version 11.3(2)AA, EARLY DEPLOYMENT, RELEASE SOFTWARE (fc1)
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
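For reference, here is the lock-and-key configuration with the `host` keyword that Brian and Edison point to, written out as an added example; it is not taken from the thread or from the book Zifang was following. Names and addresses reuse the ones in Zifang's post (user `cisco`, template `tempaccess`, inside host 152.1.1.1, router Telnet address 195.1.1.4, client 195.1.1.10). The absolute `timeout 60` on the template, the `any` source in the template, and the interface name are assumptions added for illustration.

```cisco
! Lock-and-key (dynamic ACL) example, added here; not from the original thread.
!
! Local user whose only purpose is to open the dynamic entry. The "host"
! keyword restricts the installed entry to the address the Telnet session
! came from; "timeout 10" is that entry's idle timeout, in minutes.
! The password is stored in cleartext with "password 0"; prefer
! "username ... secret" where the image supports it.
username cisco password 0 cisco
username cisco autocommand access-enable host timeout 10
!
! Dynamic template. "timeout 60" (assumed value) is the absolute lifetime,
! in minutes, of any entry created from it, independent of the idle timeout
! above. Zifang's output shows the installed entry carrying the
! authenticating host's address (195.1.1.10) rather than the template's
! source, so the template source is written as "any" here to make that
! explicit.
access-list 100 dynamic tempaccess timeout 60 permit tcp any host 152.1.1.1 eq telnet log
!
! Telnet to the router itself must be permitted by the same list, otherwise
! nobody can reach the login that triggers access-enable. This line exposes
! the router's Telnet login to every source; narrow "any" to the expected
! client subnet where the design allows it.
access-list 100 permit tcp any host 195.1.1.4 eq telnet log
!
line vty 0 4
 login local
!
interface Serial0/1
 ip access-group 100 in
!
! Verification after a client at 195.1.1.10 has authenticated:
!   show ip access-lists 100
!     expected installed entry:
!     permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log
!   clear access-template 100 tempaccess host 195.1.1.10 host 152.1.1.1
!     removes that entry before either timeout expires
```

Two points worth checking on a live box: the idle timeout on `access-enable` and the absolute timeout on the `dynamic` template are independent, and an entry is removed when either expires; and the `log` keyword on the dynamic template produces the `%SEC-6-IPACCESSLOGP` messages Zifang pasted, which is the quickest way to see which source address the router actually installed.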
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART