From: Dan C (cdan2154@gmail.com)
Date: Sat Aug 30 2008 - 10:53:39 ART
Hi Gaurav,
Try to have your setup from simple to complex first..... just plain telnet
to all your vty lines... First you need to telnet from R4 to R1 ....
authenticate and then telnet to R5... I keep this template handy:
Create username and autocommand access-enable, setup acl, login local under
vty, apply acl to incoming interface
1.
username CC password 0 cisco
username CC autocommand access-enable
2.
ip access-list extended LOCK
permit tcp host 2.2.66.8 host 2.2.66.6 eq telnet
dynamic TEST1 timeout 1 permit tcp any any eq telnet
deny tcp any any eq telnet
permit ip any any
Apply ACL to interface inbound
3.
line vty 0 4
privilege level 15
logging synchronous
login local
4.
ip access-group LOCK in
CHECK CONFIG:
Extended IP access list LOCK
10 permit tcp host 2.2.66.8 host 2.2.66.6 eq telnet
20 Dynamic TEST1 permit tcp any any eq telnet
30 deny tcp any any eq telnet (219 matches)
40 permit ip any any (376 matches)
VERIFY:
SW2#telnet 2.2.66.6
Trying 2.2.66.6 ... Open
User Access Verification
Username: CC
Password:
[Connection to 2.2.66.6 closed by foreign host] >>>>>>>>> Setup works
SW2#telnet 2.2.4.4
Trying 2.2.4.4 ... Open
R4#exit
HTH,
Dan
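As an added illustration (not code from Dan's or Gaurav's posts), here is a small Python model of how IOS walks a lock-and-key list such as the LOCK template above: the static line admits only the login telnet, the dynamic line matches only after access-enable installs a temporary entry, that entry lapses after the dynamic line's timeout, and a second login from the same address pair produces the 'already contains this IP address pair' message seen in Gaurav's output. The idle timeout of access-enable is left out, and the effect of the host keyword is modelled as an assumption.

```python
from dataclasses import dataclass, field
ANY = "any"  # a spec of ANY matches every address, otherwise exact host match

@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    src: str           # host address or ANY
    dst: str
    port: int = 0      # destination TCP port, 0 = any
    dynamic: str = ""  # non-empty: this line is the dynamic template
    timeout: int = 0   # absolute lifetime (minutes) of the temporary entry

@dataclass
class LockAndKeyAcl:
    name: str
    aces: list
    active: dict = field(default_factory=dict)  # (src, dst) -> expiry minute

    def _expire(self, now):
        self.active = {p: t for p, t in self.active.items() if t > now}

    def access_enable(self, now, user_src, host=False):
        # models 'autocommand access-enable [host]' after a successful vty login:
        # 'host' narrows the source to the caller (assumed), otherwise the template is used as is
        dyn = next(a for a in self.aces if a.dynamic)
        pair = (user_src if host else dyn.src, dyn.dst)
        self._expire(now)
        if pair in self.active:
            return f"% List#{self.name}-{dyn.seq} already contains this IP address pair"
        self.active[pair] = now + dyn.timeout
        return "ok"

    def permits(self, now, src, dst, port):  # first matching line wins
        self._expire(now)
        for ace in self.aces:
            if ace.dynamic:  # the template matches only through its active entries
                hit = any(s in (ANY, src) and d in (ANY, dst) for s, d in self.active)
            else:
                hit = ace.src in (ANY, src) and ace.dst in (ANY, dst)
            if hit and ace.port in (0, port):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

def lock_template():  # Dan's LOCK list from the post
    return LockAndKeyAcl("LOCK", [
        Ace(10, "permit", "2.2.66.8", "2.2.66.6", 23),  # lets SW2 log in to authenticate
        Ace(20, "permit", ANY, ANY, 23, dynamic="TEST1", timeout=1),
        Ace(30, "deny", ANY, ANY, 23),
        Ace(40, "permit", ANY, ANY)])
```

Calling lock_template().permits(...) before and after access_enable(...) shows the hole opening, and calling it again after the timeout shows it closing.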
On Sat, Aug 30, 2008 at 11:16 PM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
> Hi Friends
>
> Dynamic ACL is something that troubles me all the time whenever I get
> the question on the same.
> Please help me understand the concept.
>
> I labbed the following scenario
>
> R4
> \
> \
> \
> R1
> /
> /
> /
> R5
>
> I want that if, from R4, I telnet to 150.1.1.1 (R1 loopback) on line 3023,
> it should land me in R1.
> However, if I do a simple telnet 150.1.1.1, it should land me on R5.
> I am using login local (username CISCO password CISCO).
>
> R1
> *****
> Rack1R1(config)#do sh ip access-li
> Extended IP access list 101
> 10 permit tcp any any eq telnet
> 20 permit tcp any any eq 3023 (8 matches)
>
> Extended IP access list TELNET
> 10 Dynamic 10 permit tcp any any eq telnet
> permit tcp any any eq telnet (26 matches) (time left 287)
> 20 deny tcp any host 150.1.5.5 eq telnet
> 30 permit ip any any (68 matches)
>
> line vty 0 1
> password cisco
> login local
> autocommand access-enable timeout 5
> line vty 2 4
> access-class 101 in
> password cisco
> login local
> rotary 23
> !
> int s0/1/0.1
> ip access-group TELNET in
> !
> ================ 1st requirement works fine =================
> Rack1R4#telnet 150.1.1.1 3023
> Trying 150.1.1.1, 3023 ... Open
>
>
> User Access Verification
>
> Username: CISCO
> Password:
> Rack1R1>
> ================= 2nd requirement doesn't work ==================
>
> Rack1R4#telnet 150.1.1.1
> Trying 150.1.1.1 ... Open
>
>
> User Access Verification
>
> Username: CISCO
> Password:
> [Connection to 150.1.1.1 closed by foreign host]
> Rack1R4#telnet 150.1.1.1
> Trying 150.1.1.1 ... Open
>
>
> User Access Verification
>
> Username: CISCO
> Password:
> % List#TELNET-10 already contains this IP address pair
> [Connection to 150.1.1.1 closed by foreign host]
> Rack1R4#
>
> ================================================
>
> Please guide me in this context
>
> Thnx
> Gaurav Madan.
>
>
> Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART