Re: Lock and Key ACL

From: Gary Duncanson (gary.duncanson@googlemail.com)
Date: Sun Oct 28 2007 - 10:54:40 ART


Simon,

You might need a regular line permitting access to 3389 before you have the
dynamic ACL line.

HTH
Gary
----- Original Message -----
From: "Simon Grace" <SimonG@pcsystems.gr>
To: <ccielab@groupstudy.com>
Sent: Sunday, October 28, 2007 8:32 AM
Subject: Lock and Key ACL

> Hi All,
>
> I'm having a slight problem trying to use dynamic ACLs in a lock and
> key situation.
>
> As far as I can see everything is configured correctly and the dynamic
> ACL is being inserted okay, but when I try to telnet on port 3389 the
> dynamic ACL entry is skipped and the deny statement is matched.
>
> Any ideas?
>
> *************************************
>
> CONFIG:
>
> username RDP password 0 CISCO
>
> interface Vlan41
>  ip access-group REMOTE-DESKTOP in
>
> ip access-list extended REMOTE-DESKTOP
>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>  deny tcp any host 164.1.7.100 eq 3389 log
>  permit ip any any
>
> line vty 0 4
>  password cisco
>  login local
>  autocommand ACCESS-ENABLE HOST TIMEOUT 10
>
> ****************************************
>
> AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
> AND AUTHENTICATING CORRECTLY
>
> SHOW IP ACCESS:
>
> Extended IP access list REMOTE-DESKTOP
> 10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> ---------THE DYNAMIC ACL IS BUILT
> 10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
> ---------
> 20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
> 30 permit ip any any (314 matches)
>
> AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
> I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
> AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>
> 20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
> 150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>
> Thanks
>
> Simon.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
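An added troubleshooting check, not part of the thread and not from either poster: it parses `show ip access-list` output like the one Simon quoted together with the `%SEC-6-IPACCESSLOGP` line, evaluates the logged flow against the entries first-match (treating the Dynamic line as a template that never matches packets itself, only its temporary entries do), and reports when the displayed ACL would have permitted a flow the log says was denied. The indentation of the temporary entry under its Dynamic template is an assumed layout; the sample text is constructed from the thread.

```python
import re

# Constructed sample modelled on the thread's "show ip access-list" output. The
# "Dynamic" line is the lock-and-key template; the line under it (assumed layout)
# is the temporary entry created once the user authenticated via telnet.
SHOW_OUTPUT = """\
Extended IP access list REMOTE-DESKTOP
    10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
       10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
    20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
    30 permit ip any any (314 matches)
"""
LOG_LINE = ("20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp "
            "150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet")  # from the thread

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?:(?P<dyn>Dynamic)\s+\S+\s+)?(?P<action>permit|deny)"
    r"\s+(?P<proto>\w+)\s+(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)"
    r"(?:\s+eq\s+(?P<dport>\d+))?")
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def parse_acl(text):
    """ACEs in listed order; an entry reusing a Dynamic template's sequence number
    is treated as one of that template's temporary entries."""
    aces, tmpl = [], None
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        e = m.groupdict()
        if e["dyn"]:
            e["kind"], tmpl = "template", e["seq"]
        else:
            e["kind"] = "temporary" if e["seq"] == tmpl else "static"
        aces.append(e)
    return aces

def first_match(aces, proto, src, dst, dport):
    """First-match evaluation; templates are skipped, temporary entries match."""
    ok = lambda spec, a: spec == "any" or spec == f"host {a}"
    for e in aces:
        if e["kind"] != "template" and e["proto"] in ("ip", proto) \
                and ok(e["src"], src) and ok(e["dst"], dst) \
                and e["dport"] in (None, dport):
            return e
    return None

def check_log(show_output, log_line):
    """Return (seq, kind, expected action, logged action) for the logged flow;
    a mismatch means the ACL as displayed does not explain the log."""
    f = LOG_RE.search(log_line).groupdict()
    e = first_match(parse_acl(show_output), f["proto"], f["src"], f["dst"], f["dport"])
    logged = {"permitted": "permit", "denied": "deny"}[f["verdict"]]
    return e["seq"], e["kind"], e["action"], logged
```

For the thread's flow the check returns a temporary permit at sequence 10 against a logged deny, which is exactly the inconsistency Simon describes.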



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART