From: George Goglidze (goglidze@gmail.com)
Date: Sat Oct 06 2007 - 08:08:18 ART
Hi all,
I have one question regarding dynamic access-lists.
I have:
[Router R4]
s2/0 = FR 4
[router R2]
s2/0 = FR 2
[router R5]
s2/1 = FR 5
[router R6]
s2/0 = FR 6
[FRSW FR]
2:204 = 4:402
2:205 = 5:502
2:206 = 6:602
config:

R4:
interface Serial2/0
 ip address 150.50.24.4 255.255.255.0
 encapsulation frame-relay
 no arp frame-relay
 frame-relay map ip 150.50.24.2 402 broadcast
 frame-relay map ip 150.50.24.4 402
 no frame-relay inverse-arp
ip route 150.50.100.0 255.255.255.192 150.50.24.2

R5:
interface Serial2/1
 ip address 150.50.100.5 255.255.255.224
 encapsulation frame-relay
 no arp frame-relay
 frame-relay map ip 150.50.100.2 502 broadcast
 frame-relay map ip 150.50.100.5 502
 frame-relay map ip 150.50.100.6 502
 no frame-relay inverse-arp
ip route 150.50.24.0 255.255.255.0 150.50.100.2

R6:
interface Serial2/0
 ip address 150.50.100.6 255.255.255.224
 encapsulation frame-relay
 no arp frame-relay
 frame-relay map ip 150.50.100.2 602 broadcast
 frame-relay map ip 150.50.100.5 602
 frame-relay map ip 150.50.100.6 602
 no frame-relay inverse-arp
ip route 150.50.24.0 255.255.255.0 150.50.100.2

R2:
interface Serial2/0
 no ip address
 encapsulation frame-relay
 no arp frame-relay
 no frame-relay inverse-arp
interface Serial2/0.1 multipoint
 ip address 150.50.100.2 255.255.255.224
 ip access-group 101 in
 frame-relay map ip 150.50.100.2 206
 frame-relay map ip 150.50.100.5 205 broadcast
 frame-relay map ip 150.50.100.6 206 broadcast
interface Serial2/0.204 point-to-point
 ip address 150.50.24.2 255.255.255.0
 frame-relay interface-dlci 204
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic dyn_acl timeout 2 permit ip host 150.50.100.5 any
username cisco password cisco
line vty 0 4
 login local
 autocommand access-enable timeout 1
----------------------------------------------------------
From R5 everything works fine.
R5#telnet 150.50.100.2
Trying 150.50.100.2 ... Open
User Access Verification
Username: cisco
Password:
[Connection to 150.50.100.2 closed by foreign host]
R5#
R5#ping 150.50.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/32 ms
On R2 I have the following:
R2# sh access-list
Extended IP access list 101
10 permit tcp any any eq telnet (75 matches)
20 Dynamic dyn_acl permit ip host 150.50.100.5 any
permit ip host 150.50.100.5 any (5 matches) (time left 56)
But when I do the same from R6, I have problems:
R6#telnet 150.50.100.2
Trying 150.50.100.2 ... Open
User Access Verification
Username: cisco
Password:
[Connection to 150.50.100.2 closed by foreign host]
R6#ping 150.50.24.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.24.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
And on R2 I have the following:
R2# sh access-list
Extended IP access list 101
10 permit tcp any any eq telnet (144 matches)
20 Dynamic dyn_acl permit ip host 150.50.100.5 any
permit ip host 150.50.100.6 any
permit ip host 150.50.100.5 any (5 matches) (time left 44)
As we can see, the dynamic ACL entry is created, "permit ip host
150.50.100.6 any", but it does not match.
Does anybody know what the problem could be?

And I have another question: now I have all vty ports with autocommand. How
do I access the router over telnet now?
Is there a way to get in, apart from the console?
Thanks,
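An added example, not part of the original post: a small Python parser for the "show access-list" output quoted above, so an operator can audit which lock-and-key temporary entries are open, how much time they have left, and which of them never matched any traffic (the sample text is the second R2 output from the post, embedded as a constructed string).

```python
import re

# Constructed sample: the second "sh access-list" output from R2 in the post.
SHOW_ACL = """\
Extended IP access list 101
10 permit tcp any any eq telnet (144 matches)
20 Dynamic dyn_acl permit ip host 150.50.100.5 any
permit ip host 150.50.100.6 any
permit ip host 150.50.100.5 any (5 matches) (time left 44)
"""

# One ACL line: optional sequence number, optional "Dynamic <name>" template
# marker, the rule itself, then optional match counter and time-left fields.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?:(?P<dyn>Dynamic)\s+(?P<name>\S+)\s+)?"
    r"(?P<rule>(?:permit|deny)\s.+?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?"
    r"(?:\s+\(time left (?P<left>\d+)\))?\s*$"
)

def parse_show_access_list(text):
    """Return one dict per ACL entry. Temporary entries created by
    access-enable carry no sequence number; they are attached to the
    preceding Dynamic template under the key 'temporary'."""
    entries, current_dynamic = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line such as "Extended IP access list 101"
        entry = {
            "seq": int(m["seq"]) if m["seq"] else None,
            "rule": m["rule"],
            "matches": int(m["matches"]) if m["matches"] else 0,
            "time_left": int(m["left"]) if m["left"] else None,
        }
        if m["dyn"]:
            entry["dynamic_name"], entry["temporary"] = m["name"], []
            current_dynamic = entry
            entries.append(entry)
        elif entry["seq"] is None and current_dynamic is not None:
            current_dynamic["temporary"].append(entry)
        else:
            current_dynamic = None
            entries.append(entry)
    return entries

def open_temporary_entries(text):
    """(source_host, matches, time_left) for every temporary entry; an entry
    with 0 matches is a session that was opened but never passed traffic."""
    out = []
    for e in parse_show_access_list(text):
        for t in e.get("temporary", []):
            host = re.search(r"host (\S+)", t["rule"])
            out.append((host.group(1) if host else None, t["matches"], t["time_left"]))
    return out
```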
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART