From: Simon Grace (SimonG@pcsystems.gr)
Date: Sun Oct 28 2007 - 14:27:30 ART
All,
Well I'm none the wiser...
I've been doing another lab today and after I finished I tried it again.
ANNNNNDDDDD
Everything worked fine.
The only difference was the first time the dynamic acl was configured on
a switch ????
It was very strange, I could see the dynamic acl entry created but when
I tried to telnet on tcp 3389 instead of getting matched by the dynamic
acl the traffic skipped that line and got denied by the deny statement
afterwards.
I have no idea, at least I've got it working...maybe a bug, who knows.
Thanks for all the input, appreciate it.
Cheers,
Simon
-----Original Message-----
From: Gary Duncanson [mailto:gary.duncanson@googlemail.com]
Sent: Sunday, October 28, 2007 3:38 PM
To: Simon Grace
Cc: ccielab@groupstudy.com
Subject: Re: Lock and Key ACL
Simon,
Not played with these much. I notice you have no log on the end of the
first line of your access list.
I found this example on CCO that you might want to update with your
specifics and try out.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001177
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout
Rgds Gary
----- Original Message -----
From: "Simon Grace" <SimonG@pcsystems.gr>
To: <ccielab@groupstudy.com>
Sent: Sunday, October 28, 2007 8:32 AM
Subject: Lock and Key ACL
> Hi All,
>
> I'm having a slight problem trying to use dynamic ACLs in a lock and
> key situation.
>
> As far as I can see everything is configured correctly and the dynamic
> acl is being inserted okay, but when I try to telnet on port 3389 the
> dynamic ACL entry is skipped and the deny statement is matched.
>
> Any ideas?
>
> *************************************
>
> CONFIG:
>
> username RDP password 0 CISCO
>
> interface Vlan41
>  ip access-group REMOTE-DESKTOP in
>
> ip access-list extended REMOTE-DESKTOP
>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>  deny tcp any host 164.1.7.100 eq 3389 log
>  permit ip any any
>
> line vty 0 4
>  password cisco
>  login local
>  autocommand ACCESS-ENABLE HOST TIMEOUT 10
>
> ****************************************
>
> AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
> AND AUTHENTICATING CORRECTLY
>
> SHOW IP ACCESS:
>
> Extended IP access list REMOTE-DESKTOP
> 10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> ---------THE DYNAMIC ACL IS BUILT
> 10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
> ---------
> 20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
> 30 permit ip any any (314 matches)
>
> AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
> I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
> AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>
> 20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
> 150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>
> Thanks
>
> Simon.
>
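As an added illustration (not part of the thread or of any Cisco code), here is a small Python model of how IOS walks an ACL like the one above in first-match order: it parses the quoted show output and the %SEC-6-IPACCESSLOGP line, and reports where the logged verdict disagrees with what the displayed entries predict. The regex field layout and the function names are assumptions; the sample input is constructed from the post.

```python
import re
# Sample input constructed from the thread's show output and syslog line; hypothetical model, not IOS code.
SHOW_ACL = """\
Extended IP access list REMOTE-DESKTOP
    10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
       10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
    20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
    30 permit ip any any (314 matches)
"""
SYSLOG = ("20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp "
          "150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet")
ACE_RE = re.compile(r"^\s*(\d+)\s+(Dynamic\s+\S+\s+)?(permit|deny)\s+(\S+)\s+"
                    r"(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\d+))?")
LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\S+) ([\d.]+)\((\d+)\) -> "
                    r"([\d.]+)\((\d+)\)")

def parse_acl(text):
    """ACEs in display order; 'template' marks the 'Dynamic' definition line."""
    entries = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        seq, dyn, action, proto, src, dst, port = m.groups()
        entries.append({"seq": int(seq), "template": dyn is not None, "action": action,
                        "proto": proto, "src": src, "dst": dst, "port": port})
    return entries

def parse_syslog(line):
    # 5-tuple and verdict from a %SEC-6-IPACCESSLOGP message, verdict normalised to permit/deny
    acl, verdict, proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return {"acl": acl, "logged": "permit" if verdict == "permitted" else "deny",
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def _addr_match(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def evaluate(entries, pkt):
    """First match wins; the 'Dynamic' template line never matches traffic itself."""
    for e in entries:
        if e["template"] or e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(e["src"], pkt["src"]) and _addr_match(e["dst"], pkt["dst"])):
            continue
        if e["port"] is None or e["port"] == pkt["dport"]:
            return e["action"], e["seq"]
    return "deny", None  # implicit deny at the end of every IOS ACL

def check_log_against_acl(show_text, log_line):
    # Compare what the displayed ACL should do with what the router actually logged
    pkt = parse_syslog(log_line)
    expected, seq = evaluate(parse_acl(show_text), pkt)
    return {"expected": expected, "seq": seq, "logged": pkt["logged"],
            "mismatch": expected != pkt["logged"]}
```

Run against the quoted output it flags a mismatch: the temporary entry under sequence 10 should have permitted 150.1.4.4 to 164.1.7.100:3389, yet the log shows the deny at sequence 20, which is the same discrepancy the thread describes.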
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:19 ART