RE: Lock and Key ACL

From: Mohamed M Moustafa (mmma@gawab.com)
Date: Mon Oct 29 2007 - 10:27:20 ART


Hi,

I second Rik on this, according to Cisco Feature Navigator, Lock and Key is
not supported on either the 3550 or the 3560:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

BR,
Mohammed Mahmoud.

Guyler, Rik <rguyler@shp-dayton.org> wrote on 29 Oct 2007, 02:53 PM:
Subject: RE: Lock and Key ACL
>Simon, are you sure the switch (assuming a 3550/3560) supports lock and
>key?
>I haven't looked it up but I know RACLs aren't generally supported on the
>lower switch models even though you can config it and it *appears* to work
>to some degree.
>
>If you know for sure it's supported then ignore my reply but your
>experience with this sounds very much like mine although it's not an
>apples-apples comparison.
>
>Rik
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Simon Grace
>Sent: Sunday, October 28, 2007 1:28 PM
>To: Gary Duncanson; ccielab@groupstudy.com
>Subject: RE: Lock and Key ACL
>
>All,
>
>Well I'm none the wiser...
>
>I've been doing another lab today and after I finished I tried it again.
>
>
>ANNNNNDDDDD
>
>
>Everything worked fine.
>
>The only difference was the first time the dynamic acl was configured on a
>switch ????
>
>It was very strange, I could see the dynamic acl entry created but when I
>tried to telnet on tcp 3389 instead of getting matched by the dynamic acl
>the traffic skipped that line and got denied by the deny statement
>afterwards.
>
>I have no idea, at least I've got it working...maybe a bug, who knows.
>
>Thanks for all the input, appreciate it.
>
>Cheers,
>
>Simon
>
>-----Original Message-----
>From: Gary Duncanson [mailto:gary.duncanson@googlemail.com]
>Sent: Sunday, October 28, 2007 3:38 PM
>To: Simon Grace
>Cc: ccielab@groupstudy.com
>Subject: Re: Lock and Key ACL
>
>Simon,
>
>Not played with these much. I notice you have no log on the end of the
>first line of your access list.
>
>I found this example on CCO that you might want to update with your
>specifics and try out.
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001177
>
>interface ethernet0
> ip address 172.18.23.9 255.255.255.0
> ip access-group 101 in
>access-list 101 permit tcp any host 172.18.21.2 eq telnet
>access-list 101 dynamic mytestlist timeout 120 permit ip any any
>line vty 0
> login local
> autocommand access-enable timeout
>
>Rgds
>Gary
>----- Original Message -----
>From: "Simon Grace" <SimonG@pcsystems.gr>
>To: <ccielab@groupstudy.com>
>Sent: Sunday, October 28, 2007 8:32 AM
>Subject: Lock and Key ACL
>
>
>> Hi All,
>>
>> I'm having a slight problem trying to use dynamic ACLs in a lock and
>> key situation.
>>
>> As far as I can see everything is configured correctly and the dynamic
>> acl is being inserted okay but when I try to telnet on port 3389 the
>> dynamic ACL entry is skipped and the deny statement is matched.
>>
>> Any ideas?
>>
>> *************************************
>>
>> CONFIG:
>>
>> username RDP password 0 CISCO
>>
>> interface Vlan41
>>  ip access-group REMOTE-DESKTOP in
>>
>> ip access-list extended REMOTE-DESKTOP
>>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>>  deny tcp any host 164.1.7.100 eq 3389 log
>>  permit ip any any
>>
>> line vty 0 4
>>  password cisco
>>  login local
>>  autocommand ACCESS-ENABLE HOST TIMEOUT 10
>>
>> ****************************************
>>
>>
>> AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
>> AND AUTHENTICATING CORRECTLY
>>
>> SHOW IP ACCESS:
>>
>> Extended IP access list REMOTE-DESKTOP
>> 10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>> ---------THE DYNAMIC ACL IS BUILT
>> 10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
>> ---------
>> 20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
>> 30 permit ip any any (314 matches)
>>
>> AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
>> I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
>> AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>>
>> 20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
>> 150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>>
>> Thanks
>>
>> Simon.
>>
>_______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

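Simon's REMOTE-DESKTOP list and the logged packet, run through a small first-match model of how lock-and-key is supposed to evaluate on the IOS software path: the dynamic template entry never matches traffic itself, a temporary entry for the authenticated host is inserted directly beneath it after the telnet login, and the first matching entry wins. This is an added example, not code from the thread or from Cisco; the names Packet, Ace, host_match, access_enable and evaluate are mine, and the timeout and log keywords are not modelled. The addresses, ports and sequence numbers are the ones in Simon's output, so the model shows that a 150.1.4.4 -> 164.1.7.100:3389 packet should have hit sequence 10 after authentication, which is why a deny at sequence 20 points at the platform (as the Feature Navigator result suggests) rather than at the configuration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address

Packet = namedtuple("Packet", "proto src dst dport")

def host_match(spec, addr):
    # ACL source/destination: "any" or an exact host address
    return spec == "any" or ip_address(spec) == ip_address(addr)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip"
    src: str               # "any" or a host address
    dst: str
    dport: int = 0         # 0 = any destination port
    dynamic: bool = False  # template entry: never matches a packet itself

    def matches(self, p):
        if self.dynamic or self.proto not in ("ip", p.proto):
            return False
        return (host_match(self.src, p.src) and host_match(self.dst, p.dst)
                and self.dport in (0, p.dport))

# REMOTE-DESKTOP as Simon configured it (constructed from the thread; 'log' omitted)
REMOTE_DESKTOP = [
    Ace(10, "permit", "tcp", "any", "164.1.7.100", 3389, dynamic=True),
    Ace(20, "deny", "tcp", "any", "164.1.7.100", 3389),
    Ace(30, "permit", "ip", "any", "any"),
]

def access_enable(acl, host):
    """'autocommand access-enable host': after a successful login, a temporary
    entry for the authenticated source is inserted under the dynamic template."""
    out = []
    for ace in acl:
        out.append(ace)
        if ace.dynamic:
            out.append(Ace(ace.seq, ace.action, ace.proto, host, ace.dst, ace.dport))
    return out

def evaluate(acl, p):
    """First match wins, with the implicit deny at the end, as on IOS."""
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.seq
    return "deny", None
```

Before access_enable the logged packet lands on sequence 20; after it, the same packet is permitted by the temporary entry at sequence 10, while any other source is still denied and logged.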



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:19 ART