From: Simon Grace (SimonG@pcsystems.gr)
Date: Sun Oct 28 2007 - 05:32:20 ART
Hi All,
I'm having a slight problem trying to use dynamic ACLs in a lock and
key situation.
As far as I can see everything is configured correctly and the dynamic
ACL is being inserted okay, but when I try to telnet on port 3389 the
dynamic ACL entry is skipped and the deny statement is matched.
Any ideas?
*************************************
CONFIG:
username RDP password 0 CISCO
interface Vlan41
ip access-group REMOTE-DESKTOP in
ip access-list extended REMOTE-DESKTOP
dynamic RDP permit tcp any host 164.1.7.100 eq 3389
deny tcp any host 164.1.7.100 eq 3389 log
permit ip any any
line vty 0 4
password cisco
login local
autocommand ACCESS-ENABLE HOST TIMEOUT 10
****************************************
AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
AND AUTHENTICATING CORRECTLY
SHOW IP ACCESS:
Extended IP access list REMOTE-DESKTOP
10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
---------THE DYNAMIC ACL IS BUILT
10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
---------
20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
30 permit ip any any (314 matches)
AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
Thanks
Simon.
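Added example, not part of the original post: a minimal first-match evaluator for the extended ACL shown in the "show ip access" output above. It parses those entry lines and the %SEC-6-IPACCESSLOGP log line, then reports which sequence number the logged packet should hit, so you can tell whether the ACL text itself explains the denial. The ACL and log text are copied from the post; the functions and the simplified matching (host/any only, no wildcard masks, no established/port ranges) are assumptions of this example.

```python
import re

# Constructed from the poster's "show ip access" output (dynamic entry already inserted).
SHOW_ACL = """\
10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
30 permit ip any any (314 matches)
"""

# The denial logged by the poster.
LOG_LINE = ("20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp "
            "150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet")

# Simplified entry grammar: seq, optional "Dynamic <name>", action, proto, src, dst, optional "eq <port>".
ENTRY_RE = re.compile(
    r"^(?P<seq>\d+) (?P<dyn>Dynamic \S+ )?(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<dport>\d+))?")

def parse_acl(text):
    """Return entries in order. The dynamic template line is skipped: only the
    instantiated temporary entry (created by access-enable) is matched against traffic."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("dyn"):
            continue
        entries.append({k: m.group(k) for k in ("seq", "action", "proto", "src", "dst", "dport")})
    return entries

def parse_log(line):
    """Extract the 5-tuple fields we need from a %SEC-6-IPACCESSLOGP line."""
    m = re.search(r"denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)", line)
    proto, src, _sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def host_matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def first_match(entries, pkt):
    """Walk the ACL top-down and return (seq, action) of the first matching entry."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not host_matches(e["src"], pkt["src"]) or not host_matches(e["dst"], pkt["dst"]):
            continue
        if e["dport"] and e["dport"] != pkt["dport"]:
            continue
        return e["seq"], e["action"]
    return None, "deny"  # implicit deny at the end of every IOS ACL

def check_log_against_acl(acl_text=SHOW_ACL, log_line=LOG_LINE):
    return first_match(parse_acl(acl_text), parse_log(log_line))

if __name__ == "__main__":
    print(check_log_against_acl())
```

With the temporary entry present the evaluator returns sequence 10 (permit) for the logged packet, while the router logged sequence 20; that disagreement is the thing to chase, since the ACL text alone does not account for the deny.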
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART