Re: Lock and Key ACL

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Oct 28 2007 - 12:41:14 ART


That's true Mohammad, but in Simon's case, telnet traffic would be
subject to the third line in the access-list, i.e.

30 permit ip any any (314 matches)

So I don't think this is the problem; secondly, one can see that the
user did actually telnet or SSH and authenticate, because the dynamic
ACL was inserted. Something else is wrong here...

Regards

Farrukh

On 10/28/07, Mohamed M Moustafa <mmma@gawab.com> wrote:
> Hi Simon,
>
> This is simply because the logic of Lock and Key is that you have to
> explicitly permit telnet to the router first, then use the dynamic entry to
> dynamically enable further access:
>
> I don't know what specifically you are trying to do with the below
> configuration, but here is a simple example that is used to authenticate a
> user before he is allowed access through the router interface:
>
> username CCIE password CCIE
> username CCIE autocommand access-enable host
>
> interface f0/0
> ip access-group ACCESS in
>
> ip access-list extended ACCESS
> permit tcp any any eq telnet
> dynamic access permit ip any any
>
> line vty 0 4
> login local
>
>
> And thus no traffic is accepted from the user until he telnets to the
> router and triggers the dynamic entry.
>
> I hope that I've been informative for you.
>
> HTH,
> Mohammed Mahmoud.
>
>
>
>
> Simon Grace <SimonG@pcsystems.gr> wrote on 28 Oct 2007, 10:32 AM:
> Subject: Lock and Key ACL
> >Hi All,
> >
> >
> >
> >I'm having a slight problem trying to use dynamic ACLs in a lock and
> >key situation.
> >
> >As far as I can see everything is configured correctly and the dynamic
> >ACL is being inserted okay, but when I try to telnet on port 3389 the
> >dynamic ACL entry is skipped and the deny statement is matched.
> >
> >
> >
> >Any ideas?
> >
> >
> >
> >*************************************
> >
> >
> >
> >CONFIG:
> >
> >username RDP password 0 CISCO
> >
> >interface Vlan41
> > ip access-group REMOTE-DESKTOP in
> >
> >ip access-list extended REMOTE-DESKTOP
> > dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> > deny tcp any host 164.1.7.100 eq 3389 log
> > permit ip any any
> >
> >line vty 0 4
> > password cisco
> > login local
> > autocommand ACCESS-ENABLE HOST TIMEOUT 10
> >
> >
> >
> >****************************************
> >
> >
> >
> >AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
> >AND AUTHENTICATING CORRECTLY
> >
> >SHOW IP ACCESS:
> >
> >Extended IP access list REMOTE-DESKTOP
> > 10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> >---------THE DYNAMIC ACL IS BUILT
> > 10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
> >---------
> > 20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
> > 30 permit ip any any (314 matches)
> >
> >
> >
> >AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
> >I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
> >AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
> >
> >20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
> >150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
> >
> >
> >
> >Thanks
> >
> >Simon.
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
>

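The thread above explains the lock-and-key mechanism (Mohamed's message) and shows a case where the inserted entry apparently did not take effect (Simon's output). What follows is an added example, not code from any of the posts or from Cisco IOS: a small Python model of how IOS evaluates such a list, so the posted ACL and the logged packet can be replayed against textbook semantics (template line never matches by itself, a vty login running access-enable inserts a temporary copy, first match wins, copy disappears at its absolute timeout). The client, server and log line come from Simon's post; the router's Vlan41 address (ROUTER_VLAN41) is an assumption, the post does not give it; the "no host" case is included to show what access-enable without the host keyword does to the template.

```python
"""Model of Cisco IOS lock-and-key (dynamic ACL) evaluation, added for this thread.

Textbook semantics only: the 'dynamic' line is a template that never matches
traffic itself; a vty login whose autocommand is 'access-enable [host]
[timeout N]' inserts a temporary copy of the template (with 'host', the
source 'any' becomes the Telnet client's address); the list is evaluated
top-down, first match wins; the copy vanishes when its absolute timeout ends.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}

def ip2int(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

@dataclass
class Ace:
    seq: int
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" | "tcp" | "udp"
    src: Tuple[int, int]           # (address, wildcard), Cisco style
    dst: Tuple[int, int]
    dport: Optional[int]           # None = any destination port
    dynamic: Optional[str] = None  # template name if this is a 'dynamic' line
    expires: Optional[int] = None  # absolute timeout (minutes) of an inserted copy

def _addr(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the front of tok."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (ip2int(tok.pop(0)), 0)
    return (ip2int(t), ip2int(tok.pop(0)))

def parse_ace(seq: int, line: str) -> Ace:
    """Parse one body line of 'ip access-list extended'; trailing 'log' is ignored."""
    tok = line.split()
    dyn = None
    if tok[0] == "dynamic":
        dyn, tok = tok[1], tok[2:]
        if tok[:1] == ["timeout"]:   # optional absolute timeout on the template
            tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, dst = _addr(tok), _addr(tok)
    dport = None
    if tok[:1] == ["eq"]:
        dport = int(tok[1]) if tok[1].isdigit() else PORT_NAMES[tok[1]]
    return Ace(seq, action, proto, src, dst, dport, dynamic=dyn)

def in_wild(ip: int, spec: Tuple[int, int]) -> bool:
    addr, wild = spec
    keep = ~wild & 0xFFFFFFFF        # wildcard bits set to 1 are "don't care"
    return (ip & keep) == (addr & keep)

def access_enable(acl: List[Ace], template: str, telnet_src: str, now: int,
                  host: bool = True, timeout: int = 10) -> Ace:
    """Model the vty autocommand 'access-enable [host] [timeout N]'.
    Without 'host' the template's source ('any' here) is kept, so every
    host gains the access, not only the one that authenticated."""
    tmpl = next(a for a in acl if a.dynamic == template)
    entry = replace(tmpl, dynamic=None, expires=now + timeout)
    if host:
        entry = replace(entry, src=(ip2int(telnet_src), 0))
    acl.insert(acl.index(tmpl) + 1, entry)
    return entry

def evaluate(acl: List[Ace], proto: str, sip: str, dip: str, dport: int,
             now: int) -> Tuple[str, Optional[int]]:
    """First match wins; templates and expired copies are skipped.
    The implicit deny at the end is reported as ('deny', None)."""
    for a in acl:
        if a.dynamic is not None or (a.expires is not None and now >= a.expires):
            continue
        if a.proto != "ip" and a.proto != proto:
            continue
        if not (in_wild(ip2int(sip), a.src) and in_wild(ip2int(dip), a.dst)):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return (a.action, a.seq)
    return ("deny", None)

LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\w+) "
                    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")

def check_log_line(acl: List[Ace], line: str, now: int) -> Dict[str, object]:
    """Replay a %SEC-6-IPACCESSLOGP line and compare the model's verdict
    with what the router actually logged."""
    _, logged, proto, sip, _, dip, dport = LOG_RE.search(line).groups()
    verdict, seq = evaluate(acl, proto, sip, dip, int(dport), now)
    modelled = {"permit": "permitted", "deny": "denied"}[verdict]
    return {"logged": logged, "modelled": modelled, "seq": seq, "agree": logged == modelled}

def simons_acl() -> List[Ace]:
    """The REMOTE-DESKTOP list exactly as posted."""
    return [parse_ace(10, "dynamic RDP permit tcp any host 164.1.7.100 eq 3389"),
            parse_ace(20, "deny tcp any host 164.1.7.100 eq 3389 log"),
            parse_ace(30, "permit ip any any")]

ROUTER_VLAN41 = "150.1.4.1"       # assumed SVI address; the post does not give it
CLIENT, RDP_SERVER = "150.1.4.4", "164.1.7.100"
DENY_LOG = ("20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp "
            "150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet")   # from Simon's post

def walk_through() -> Dict[str, object]:
    acl = simons_acl()
    r = {"before": evaluate(acl, "tcp", CLIENT, RDP_SERVER, 3389, now=0),   # deny, 20
         "telnet": evaluate(acl, "tcp", CLIENT, ROUTER_VLAN41, 23, now=0)}  # permit, 30
    access_enable(acl, "RDP", CLIENT, now=0, host=True, timeout=10)
    r["after"] = evaluate(acl, "tcp", CLIENT, RDP_SERVER, 3389, now=1)           # permit, 10
    r["other_host"] = evaluate(acl, "tcp", "150.1.4.9", RDP_SERVER, 3389, now=1)  # deny, 20
    r["expired"] = evaluate(acl, "tcp", CLIENT, RDP_SERVER, 3389, now=10)        # deny, 20
    r["replay"] = check_log_line(acl, DENY_LOG, now=1)                            # agree: False
    loose = simons_acl()                      # same list, but access-enable without 'host'
    access_enable(loose, "RDP", CLIENT, now=0, host=False)
    r["no_host_other"] = evaluate(loose, "tcp", "150.1.4.9", RDP_SERVER, 3389, now=1)  # permit, 10
    return r
```

Calling walk_through() gives the modelled verdicts: before the login the 3389 packet hits the deny at sequence 20, the Telnet to the router falls through to the permit at sequence 30 (Farrukh's point), after access-enable host the copy at sequence 10 permits the authenticated client only, and it stops matching once the 10-minute absolute timeout is reached. The replay of Simon's log line returns agree=False, because by first-match semantics the host-specific entry should have permitted that packet, so the ACL logic as posted is not what produced the deny. The no_host_other case shows the security caveat of leaving out the host keyword: the temporary entry is then an exact copy of the "any" template and admits every source, not just the user who authenticated. One check worth making on a switch when an SVI such as Vlan41 carries the list is whether the platform's software configuration guide lists dynamic (lock-and-key) ACLs among its unsupported router ACL features.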


This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:19 ART