From: Gary Duncanson (gary.duncanson@googlemail.com)
Date: Sun Oct 28 2007 - 10:38:11 ART
Simon,
Not played with these much. I notice you have no log on the end of the first
line of your access list.
I found this example on CCO that you might want to update with your
specifics and try out.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001177
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout
Rgds
Gary
----- Original Message -----
From: "Simon Grace" <SimonG@pcsystems.gr>
To: <ccielab@groupstudy.com>
Sent: Sunday, October 28, 2007 8:32 AM
Subject: Lock and Key ACL
> Hi All,
>
> I'm having a slight problem trying to use dynamic ACLs in a lock and
> key situation.
>
> As far as I can see everything is configured correctly and the dynamic
> ACL is being inserted okay, but when I try to telnet on port 3389 the
> dynamic ACL entry is skipped and the deny statement is matched.
>
> Any ideas?
>
> *************************************
>
> CONFIG:
>
> username RDP password 0 CISCO
>
> interface Vlan41
>  ip access-group REMOTE-DESKTOP in
>
> ip access-list extended REMOTE-DESKTOP
>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>  deny tcp any host 164.1.7.100 eq 3389 log
>  permit ip any any
>
> line vty 0 4
>  password cisco
>  login local
>  autocommand access-enable host timeout 10
>
> ****************************************
>
> AFTER TELNETTING TO THE DEVICE WITH THE DYNAMIC ACL
> AND AUTHENTICATING CORRECTLY
>
> SHOW IP ACCESS:
>
> Extended IP access list REMOTE-DESKTOP
>     10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> ---------THE DYNAMIC ACL IS BUILT
>        10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
> ---------
>     20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
>     30 permit ip any any (314 matches)
>
> AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
> I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
> AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>
> 20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
> 150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>
> Thanks
>
> Simon.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
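For reference, here is a complete lock-and-key configuration in the shape the Cisco document Gary links to describes, written as an added example for this archive page; it is not Simon's or Gary's config and not copied from the Cisco page. The ACL name, the interface, the addresses (192.0.2.x documentation range) and the user name are assumed. It differs from Simon's posting in three places a practitioner usually wants to check: the telnet session that creates the temporary entry is explicitly permitted inbound ahead of everything else, the dynamic line carries an absolute timeout in addition to the idle timeout given to access-enable (with neither, a temporary entry stays until cleared by hand), and the autocommand is attached to the user rather than to the vty line, so an administrator logging in on the same vty lines still gets an exec shell instead of being turned into an access-enable session and disconnected. Lock-and-key is a router IOS feature; some hardware-forwarding Catalyst platforms list dynamic ACLs among the router ACL features they do not support, so when the inbound ACL sits on an SVI it is worth confirming the platform's documented ACL restrictions before troubleshooting the ACL itself.

```cisco
! Added example, not from the original thread. Names, addresses and the
! user are assumed; replace <password> with a real secret.
username rdpuser secret <password>
! Autocommand on the user, not on "line vty", so only this user's login
! is converted into an access-enable session (idle timeout 10 minutes).
username rdpuser autocommand access-enable host timeout 10
!
ip access-list extended REMOTE-DESKTOP
 ! The telnet session used to authenticate must itself pass the inbound
 ! ACL; put it first.
 permit tcp any host 192.0.2.1 eq telnet
 ! "timeout 60" is the absolute lifetime of a temporary entry in minutes;
 ! "access-enable host timeout 10" above is the idle timeout. "host" limits
 ! the temporary entry to the source address of the telnet session.
 dynamic RDP timeout 60 permit tcp any host 192.0.2.100 eq 3389
 deny tcp any host 192.0.2.100 eq 3389 log
 permit ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group REMOTE-DESKTOP in
!
line vty 0 4
 login local
 transport input telnet
!
! Checks after a user has telnetted in and authenticated:
!   show ip access-lists REMOTE-DESKTOP
!     the temporary "permit tcp host <src> host 192.0.2.100 eq 3389" entry
!     appears indented under the dynamic line
!   clear access-template REMOTE-DESKTOP RDP
!     removes the temporary entries by hand
```

When testing, open the RDP connection from the same source address that performed the telnet login; with the host keyword the temporary entry is bound to that address only.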
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART