From: Rich Collins (nilsi2002@gmail.com)
Date: Mon Oct 08 2007 - 22:13:04 ART
Concerning "backup" telnet access, try something similar to this:
You can still telnet to the higher port number 3001 (depends on the
hardware) through the rotary on vty 5.
-Rich
line vty 0 4
login local
logging synchronous
autocommand access-enable host timeout 5
transport input telnet
!
line vty 5
login local
logging synchronous
rotary 1
On 10/6/07, George Goglidze <goglidze@gmail.com> wrote:
>
> Hi all,
>
> I have one question regarding dynamic access-lists.
>
> I have:
>
> [Router R4]
> s2/0 = FR 4
>
> [router R2]
> s2/0 = FR 2
>
> [router R5]
> s2/1 = FR 5
>
> [router R6]
> s2/0 = FR 6
>
> [FRSW FR]
> 2:204 = 4:402
> 2:205 = 5:502
> 2:206 = 6:602
>
> config:
> R4:
>
> interface Serial2/0
> ip address 150.50.24.4 255.255.255.0
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.24.2 402 broadcast
> frame-relay map ip 150.50.24.4 402
> no frame-relay inverse-arp
>
> ip route 150.50.100.0 255.255.255.192 150.50.24.2
>
> R5:
>
> interface Serial2/1
> ip address 150.50.100.5 255.255.255.224
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.100.2 502 broadcast
> frame-relay map ip 150.50.100.5 502
> frame-relay map ip 150.50.100.6 502
> no frame-relay inverse-arp
>
> ip route 150.50.24.0 255.255.255.0 150.50.100.2
>
> R6:
>
> interface Serial2/0
> ip address 150.50.100.6 255.255.255.224
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.100.2 602 broadcast
> frame-relay map ip 150.50.100.5 602
> frame-relay map ip 150.50.100.6 602
> no frame-relay inverse-arp
>
> ip route 150.50.24.0 255.255.255.0 150.50.100.2
>
> R2:
>
> interface Serial2/0
> no ip address
> encapsulation frame-relay
> no arp frame-relay
> no frame-relay inverse-arp
>
> interface Serial2/0.1 multipoint
> ip address 150.50.100.2 255.255.255.224
> ip access-group 101 in
> frame-relay map ip 150.50.100.2 206
> frame-relay map ip 150.50.100.5 205 broadcast
> frame-relay map ip 150.50.100.6 206 broadcast
>
> interface Serial2/0.204 point-to-point
> ip address 150.50.24.2 255.255.255.0
> frame-relay interface-dlci 204
>
> access-list 101 permit tcp any any eq telnet
> access-list 101 dynamic dyn_acl timeout 2 permit ip host 150.50.100.5 any
>
> username cisco password cisco
>
> line vty 0 4
> login local
> autocommand access-enable timeout 1
>
> ----------------------------------------------------------
>
> from R5 everything works fine.
>
> R5#telnet 150.50.100.2
> Trying 150.50.100.2 ... Open
>
> User Access Verification
>
> Username: cisco
> Password:
> [Connection to 150.50.100.2 closed by foreign host]
> R5#
> R5#ping 150.50.24.4
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/32 ms
>
>
> on R2 I have following:
>
> R2# sh access-list
> Extended IP access list 101
> 10 permit tcp any any eq telnet (75 matches)
> 20 Dynamic dyn_acl permit ip host 150.50.100.5 any
> permit ip host 150.50.100.5 any (5 matches) (time left 56)
>
>
> but when I do the same from R6 I have problems:
>
> R6#telnet 150.50.100.2
> Trying 150.50.100.2 ... Open
>
>
> User Access Verification
>
> Username: cisco
> Password:
> [Connection to 150.50.100.2 closed by foreign host]
> R6#ping 150.50.24.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.50.24.2, timeout is 2 seconds:
> U.U.U
> Success rate is 0 percent (0/5)
>
>
>
> and on R2 I have following:
>
> R2# sh access-list
> Extended IP access list 101
> 10 permit tcp any any eq telnet (144 matches)
> 20 Dynamic dyn_acl permit ip host 150.50.100.5 any
> permit ip host 150.50.100.6 any
> permit ip host 150.50.100.5 any (5 matches) (time left 44)
>
> As we can appreciate, the dynamic ACL entry is created, "permit ip host
> 150.50.100.6 any", but it does not match.
> Does anybody know what the problem could be?
>
>
> And I have another question. Now I have all vty ports with autocommand.
> How do I access the router now over telnet?
> Is there a way to get inside, apart from the console?
>
> Thanks,
>
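For anyone following the thread who wants to see the lock-and-key mechanics outside a lab rack, here is a small Python model of George's access-list 101 and of what a vty login with `autocommand access-enable` does to it. This is an added example written for this archive page; it is not IOS code and not George's or Rich's config. The class and function names (`LockAndKeyACL`, `Entry`, `build_acl_101`, `access_enable`) are my own, timers are plain minutes as floats, and the model implements my reading of Cisco's documented semantics: the `dynamic` line is only a template and never matches traffic itself; a login running `access-enable host timeout N` (the form in Rich's vty config) inserts a temporary entry whose source is the Telnet client; without `host` (George's form) the model copies the template's source as written, which is an assumption here; the temporary entry disappears after N idle minutes or at the absolute timeout on the `dynamic` line, whichever comes first. The model says nothing about why George's R6 entry shows up in `show access-list` yet fails to match; it only makes the two timers and the `host` keyword visible.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol; else e.g. "tcp", "icmp"
    src: str                           # "any" or a single host address
    dst: str                           # "any" or a single host address
    dport: Optional[int] = None        # destination port, only checked when set
    template: bool = False             # True for the `dynamic` line itself
    created: Optional[float] = None    # minute the entry was created; None = static
    idle_min: Optional[float] = None   # idle timeout from `access-enable timeout`
    abs_min: Optional[float] = None    # absolute timeout from the `dynamic` line
    last_hit: float = 0.0
    matches: int = 0

    def active(self, now: float) -> bool:
        """Static entries never expire; temporary ones expire on either timer."""
        if self.created is None:
            return True
        if self.abs_min is not None and now - self.created >= self.abs_min:
            return False
        if self.idle_min is not None and now - self.last_hit >= self.idle_min:
            return False
        return True

    def covers(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


class LockAndKeyACL:
    """Ordered ACL with one dynamic template, like ACL 101 on R2's Serial2/0.1."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.template: Optional[Entry] = None

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)

    def add_dynamic(self, abs_timeout_min: float, entry: Entry) -> None:
        """`access-list N dynamic <name> timeout <min> permit ...`"""
        entry.template = True
        entry.abs_min = abs_timeout_min
        self.template = entry
        self.entries.append(entry)

    def access_enable(self, client: str, now: float, timeout_min: float,
                      host: bool = True) -> Entry:
        """A successful vty login running `autocommand access-enable [host] timeout <min>`.
        With `host` the new entry's source is the Telnet client; without it the
        template's source is copied unchanged (assumption in this model)."""
        t = self.template
        if t is None:
            raise ValueError("ACL has no dynamic template")
        tmp = Entry("permit", t.proto, client if host else t.src, t.dst, t.dport,
                    created=now, idle_min=timeout_min, abs_min=t.abs_min,
                    last_hit=now)
        # IOS lists temporary entries directly under the template line
        self.entries.insert(self.entries.index(t) + 1, tmp)
        return tmp

    def check(self, proto: str, src: str, dst: str, dport: Optional[int],
              now: float) -> bool:
        """First active matching entry wins; implicit deny at the end."""
        for e in self.entries:
            if e.template or not e.active(now):
                continue
            if e.covers(proto, src, dst, dport):
                e.matches += 1
                e.last_hit = now
                return e.action == "permit"
        return False


def build_acl_101() -> LockAndKeyACL:
    """George's access-list 101 from the quoted post, in this model."""
    acl = LockAndKeyACL()
    acl.add(Entry("permit", "tcp", "any", "any", dport=23))
    acl.add_dynamic(2, Entry("permit", "ip", "150.50.100.5", "any"))
    return acl


if __name__ == "__main__":
    acl = build_acl_101()
    print("R5 telnet before login:", acl.check("tcp", "150.50.100.5", "150.50.100.2", 23, 0.0))
    print("R5 ping before login:  ", acl.check("icmp", "150.50.100.5", "150.50.24.4", None, 0.0))
    acl.access_enable("150.50.100.5", now=0.0, timeout_min=1.0, host=True)
    print("R5 ping after login:   ", acl.check("icmp", "150.50.100.5", "150.50.24.4", None, 0.5))
    print("R5 ping after 1 idle min:", acl.check("icmp", "150.50.100.5", "150.50.24.4", None, 1.6))
```

The two timers are the part worth watching: `timeout 1` on the autocommand is an idle timer that every matching packet refreshes, while `timeout 2` on the `dynamic` line is absolute and closes the hole no matter how busy it is, which is why the "time left" counter in `show access-list` keeps counting down under steady traffic.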
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART