RE: Lock and Key ACL

From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Mon Oct 29 2007 - 10:27:10 ART


It was a shot in the dark and I was too lazy to verify the compatibility
myself. Certainly if it's in the IE lab then it's compatible. Darn
switches... ;-)

According to IE's website, the switch code they use on their 3560s is
c3560-advipservicesk9-mz.122-25.SEE2.

Rik

-----Original Message-----
From: Simon Grace [mailto:SimonG@pcsystems.gr]
Sent: Monday, October 29, 2007 9:07 AM
To: Guyler, Rik; Gary Duncanson; ccielab@groupstudy.com
Subject: RE: Lock and Key ACL

Hi Rik,

Going by the solution of the IE labs (10) then the config was on the switch.
I was using a 3560.

Maybe the version of IOS was incompatible??

That's the weird thing, it looked like it was working as the dynamic acl
worked.

I'm thinking that it's got something to do with the way the packets are
switched through the device but that's a real guess?

Same config when using two routers was fine.

Cheers,

Simon.

-----Original Message-----
From: Guyler, Rik [mailto:rguyler@shp-dayton.org]
Sent: Monday, October 29, 2007 2:54 PM
To: Simon Grace; Gary Duncanson; ccielab@groupstudy.com
Subject: RE: Lock and Key ACL

Simon, are you sure the switch (assuming a 3550/3560) supports lock and key?
I haven't looked it up but I know RACLs aren't generally supported on the
lower switch models even though you can config it and it *appears* to work
to some degree.

If you know for sure it's supported then ignore my reply but your experience
with this sounds very much like mine although it's not an apples-apples
comparison.

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Simon Grace
Sent: Sunday, October 28, 2007 1:28 PM
To: Gary Duncanson; ccielab@groupstudy.com
Subject: RE: Lock and Key ACL

All,

Well I'm none the wiser...

I've been doing another lab today and after I finished I tried it again.

ANNNNNDDDDD

Everything worked fine.

The only difference was the first time the dynamic acl was configured on a
switch ????

It was very strange, I could see the dynamic acl entry created but when I
tried to telnet on tcp 3389 instead of getting matched by the dynamic acl
the traffic skipped that line and got denied by the deny statement
afterwards.

I have no idea, at least I've got it working...maybe a bug, who knows.

Thanks for all the input, appreciate it.

Cheers,

Simon

-----Original Message-----
From: Gary Duncanson [mailto:gary.duncanson@googlemail.com]
Sent: Sunday, October 28, 2007 3:38 PM
To: Simon Grace
Cc: ccielab@groupstudy.com
Subject: Re: Lock and Key ACL

Simon,

Not played with these much. I notice you have no log on the end of the first
line of your access list.

I found this example on CCO that you might want to update with your
specifics and try out.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001177

interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout

Rgds
Gary
----- Original Message -----
From: "Simon Grace" <SimonG@pcsystems.gr>
To: <ccielab@groupstudy.com>
Sent: Sunday, October 28, 2007 8:32 AM
Subject: Lock and Key ACL

> Hi All,
>
> I'm having a slight problem trying to use dynamic ACL's in a lock and
> key situation.
>
> As far as I can see everything is configured correctly and the dynamic
> acl is being inserted okay but when I try to telnet on port 3389 the
> dynamic ACL entry is skipped and the deny statement is matched
>
> Any ideas?
>
> *************************************
>
> CONFIG:
>
> username RDP password 0 CISCO
>
> interface Vlan41
>  ip access-group REMOTE-DESKTOP in
>
> ip access-list extended REMOTE-DESKTOP
>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>  deny tcp any host 164.1.7.100 eq 3389 log
>  permit ip any any
>
> line vty 0 4
>  password cisco
>  login local
>  autocommand ACCESS-ENABLE HOST TIMEOUT 10
>
> ****************************************
>
> AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
> AND AUTHENTICATING CORRECTLY
>
> SHOW IP ACCESS:
>
> Extended IP access list REMOTE-DESKTOP
>     10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> ---------THE DYNAMIC ACL IS BUILT
>        10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
> ---------
>     20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
>     30 permit ip any any (314 matches)
>
> AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
> I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
> AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>
> 20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
> 150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>
> Thanks
>
> Simon.
>
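The thread above revolves around what a lock-and-key list is supposed to do: the `dynamic` line is only a template, a successful vty login with `autocommand access-enable host` inserts a temporary entry for the authenticated source host under it, and first-match evaluation then lets that host through while every other host still hits the logged deny. The following model is an added example written for this archive page; it is not code from any of the posters, from Cisco or from the IE workbook, and its class and function names (LockAndKeyACL, access_enable_host, walk_through) are its own. It mirrors Simon's REMOTE-DESKTOP list and shows the expected behaviour on a router (the switch anomaly in the thread is exactly the case where the "after_auth" step would still return seq 20). The entry timeout is modelled as a simple absolute expiry rather than IOS's separate idle and absolute timers.

```python
# Added example: a small model of how a Cisco lock-and-key (dynamic) ACL is
# meant to evaluate traffic. Not code from the thread, from Cisco or from IE;
# names are this example's own, and the ACL contents are constructed to
# mirror the REMOTE-DESKTOP list in the original post.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port, None for non-TCP/UDP


@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or one host address
    dst: str                     # "any" or one host address
    dport: Optional[int] = None  # None means any port
    log: bool = False            # the 'log' keyword on a deny line
    dynamic: Optional[str] = None  # dynamic-list name if this is the template line
    # temporary host entries spawned by access-enable: (source host, expiry seconds)
    temp: List[Tuple[str, float]] = field(default_factory=list)

    def _fields_match(self, pkt: Packet, src: str) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (src == "any" or src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.dynamic is None:
            return self._fields_match(pkt, self.src)
        # A dynamic template never matches on its own; only the temporary
        # host-specific entries created after authentication do, and only
        # until they expire (simplified here to one absolute timeout).
        self.temp = [(h, exp) for h, exp in self.temp if exp > now]
        return any(self._fields_match(pkt, h) for h, _ in self.temp)


class LockAndKeyACL:
    def __init__(self, name: str, entries: List[Entry]):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.syslog: List[str] = []  # constructed stand-in for the router log

    def access_enable_host(self, auth_src: str, now: float, timeout_min: int) -> None:
        # Models 'autocommand access-enable host timeout N' after a successful
        # vty login: the authenticated host is added under every dynamic template.
        for e in self.entries:
            if e.dynamic is not None:
                e.temp.append((auth_src, now + timeout_min * 60))

    def evaluate(self, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        # First matching entry wins; the implicit deny at the end returns seq None.
        for e in self.entries:
            if e.matches(pkt, now):
                if e.action == "deny" and e.log:
                    self.syslog.append(
                        f"%SEC-6-IPACCESSLOGP: list {self.name} denied {pkt.proto} "
                        f"{pkt.src} -> {pkt.dst}({pkt.dport}), 1 packet")
                return e.action, e.seq
        return "deny", None


def build_remote_desktop_acl() -> LockAndKeyACL:
    # Same three lines as the REMOTE-DESKTOP list in the thread.
    return LockAndKeyACL("REMOTE-DESKTOP", [
        Entry(10, "permit", "tcp", "any", "164.1.7.100", 3389, dynamic="RDP"),
        Entry(20, "deny", "tcp", "any", "164.1.7.100", 3389, log=True),
        Entry(30, "permit", "ip", "any", "any"),
    ])


def walk_through() -> dict:
    # Walks the sequence from the thread: RDP attempt before authentication,
    # vty login from 150.1.4.4, RDP attempt again, then after the timeout.
    acl = build_remote_desktop_acl()
    rdp = Packet("tcp", "150.1.4.4", "164.1.7.100", 3389)
    other_host = Packet("tcp", "150.1.4.5", "164.1.7.100", 3389)
    web = Packet("tcp", "150.1.4.4", "164.1.7.100", 80)
    r = {}
    r["before_auth"] = acl.evaluate(rdp, now=0)            # ("deny", 20)
    acl.access_enable_host("150.1.4.4", now=0, timeout_min=10)
    r["after_auth"] = acl.evaluate(rdp, now=60)            # ("permit", 10)
    r["other_host"] = acl.evaluate(other_host, now=60)     # ("deny", 20)
    r["other_port"] = acl.evaluate(web, now=60)            # ("permit", 30)
    r["after_timeout"] = acl.evaluate(rdp, now=11 * 60)    # ("deny", 20)
    r["log_count"] = len(acl.syslog)                       # 3
    return r


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: {outcome}")
```

The "other_host" step is the security point of the design: the temporary entry is keyed to the address that authenticated on the vty, so a second host behind the same interface is still stopped by the logged deny, and the "after_timeout" step shows why the `log` keyword Gary mentions matters for seeing when an entry has aged out.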



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:19 ART