From: CCIE3000 (ccie3000@googlemail.com)
Date: Wed Sep 10 2008 - 03:45:11 ART
I've only skim-read this, so I may be talking utter bull, but I seem to
remember that you get a similar message if you telnet to a device, activate
the Dynamic ACL (successfully) and then try to do the same thing again
(especially when you are using the host keyword).
First, check that the dynamic ACL isn't actually active.
Second, try doing the same thing from another router.
On Wed, Sep 10, 2008 at 2:39 AM, Mohamed Tandou <dtandou@gmail.com> wrote:
> Hi Hobbs,
> I reconfigured my ACL using the config below. I am still getting the same
> result.
>
> Mohamed
>
> ip access-list extended INBOUND
> permit ospf any any
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit tcp any any eq telnet
> dynamic ACCESS timeout 10 permit ip any any
> deny ip any any
>
> On Tue, Sep 9, 2008 at 6:31 PM, Hobbs <deadheadblues@gmail.com> wrote:
>
> > Plus, you are already allowing telnet to ANY device with "access-list 101
> > permit tcp any any eq telnet". The point of lock and key is to DENY it
> > before you allow it once authenticated.
> >
> > Your first statement should only allow telnet to the local router:
> >
> > access-list 101 permit tcp any 192.168.25.6 eq telnet
> > access-list 101 dynamic ACCESS timeout 10 permit ip any any
> > access-list 101 deny ip any any
> >
> > Also, make sure you allow your routing protocols somewhere in there.
> >
> > hth
> >
> >
> > On Tue, Sep 9, 2008 at 1:45 PM, Luca Hall <lhall@setnine.com> wrote:
> >
> >> You should either remove ACL 101's third line or change it
> >> to deny. That error means that the dynamic ACL has already
> >> added the 'permit ip any any', so it won't add it again.
> >> Just fix your ACL 101 and clear the dynamic entry and it
> >> will go away.
> >>
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: Mohamed Tandou <dtandou@gmail.com>
> >> To: ccielab@groupstudy.com
> >> Sent: Tue, 9 Sep 2008 15:38:36 -0400 (EDT)
> >> Subject: Lock and Key
> >>
> >> Hello GS,
> >> I am trying to test Lock and Key and it is not working.
> >> I have 3 routers on the same LAN: R4, R5 and R1.
> >> R4 and R6 are using frame-relay.
> >> I configured Lock and Key on R4. When I telnet from R6 I am getting the
> >> following error message below. Any comment?
> >>
> >> Mohamed
> >>
> >> R4
> >> username DYNACL password 0 CISCO
> >> username DYNACL autocommand access-enable host timeout 5
> >> interface FastEthernet0
> >> ip address 192.168.25.6 255.255.255.0
> >> ip access-group 101 in
> >> speed auto
> >>
> >> access-list 101 permit tcp any any eq telnet
> >> access-list 101 dynamic ACCESS timeout 10 permit ip any any
> >> access-list 101 permit ip any any
> >>
> >> line vty 0 4
> >> exec-timeout 30 0
> >> login local
> >>
> >>
> >> R5#telnet 192.168.25.6
> >> Trying 192.168.25.6 ... Open
> >>
> >> User Access Verification
> >> Username: DYNACL
> >> Password:
> >> % List#101-MYCISCO already contains this IP address pair
> >> [Connection to 11.11.25.6 closed by foreign host]
> >> R5#
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
>
>
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART
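Added example (not from any poster in this thread, and not Cisco code): a small Python model of how a lock-and-key ACL is evaluated, plus a linter for the advice given above. It parses the exact ACL lines posted in the thread, treats the dynamic entry as matching only after a simulated "access-enable host" for that source, and rejects a second activation for the same host, which is how the replies explain the "already contains this IP address pair" message. The matching rules, the `access_enable` behaviour and the lint heuristics are assumptions that approximate IOS; timeouts are not modelled.

```python
"""Lock-and-key (dynamic ACL) evaluator and config linter (assumption-based
model of IOS behaviour, written for this thread; not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"telnet": 23, "bgp": 179}


@dataclass
class Ace:
    action: str                       # "permit" / "deny"
    proto: str                        # "ip", "tcp", "ospf", ...
    src: object                       # "any" or IPv4Network
    dst: object
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dynamic: Optional[str] = None     # dynamic-entry name, if a dynamic ACE


@dataclass
class LockAndKeyAcl:
    entries: list = field(default_factory=list)
    active: set = field(default_factory=set)   # (dynamic name, src host) pairs


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(toks):
    """Consume 'any', 'host A', 'A WILDCARD', or a bare 'A' (treated as a host)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1]), toks[2:]
    if len(toks) > 1 and _is_ipv4(toks[1]):   # address followed by wildcard mask
        return ipaddress.IPv4Network(f"{toks[0]}/{toks[1]}"), toks[2:]
    return ipaddress.IPv4Network(toks[0]), toks[1:]


def _take_port(toks):
    if toks and toks[0] == "eq":
        return PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return None, toks


def parse_ace(line):
    """Parse one numbered ('access-list 101 ...') or named-ACL entry line."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    dynamic = None
    if toks[0] == "dynamic":
        dynamic, toks = toks[1], toks[2:]
        if toks[0] == "timeout":          # absolute timeout (minutes) is ignored here
            toks = toks[2:]
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, toks = _take_addr(toks)
    sport, toks = _take_port(toks)
    dst, toks = _take_addr(toks)
    dport, toks = _take_port(toks)
    return Ace(action, proto, src, dst, sport, dport, dynamic)


def parse_acl(text):
    acl = LockAndKeyAcl()
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("ip access-list"):
            acl.entries.append(parse_ace(line))
    return acl


def _match(spec, ip):
    return spec == "any" or ipaddress.IPv4Address(ip) in spec


def evaluate(acl, pkt):
    """First-match evaluation with an implicit deny at the end."""
    for ace in acl.entries:
        # a dynamic ACE exists only for hosts that authenticated (access-enable host)
        if ace.dynamic and (ace.dynamic, pkt["src"]) not in acl.active:
            continue
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_match(ace.src, pkt["src"]) and _match(ace.dst, pkt["dst"])):
            continue
        if ace.src_port is not None and ace.src_port != pkt.get("sport"):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
            continue
        return ace.action
    return "deny"


def access_enable(acl, name, src_host):
    """Model of 'access-enable host' (assumption): a second activation for the
    same host is rejected, the case the replies tie to the error message."""
    if (name, src_host) in acl.active:
        return False
    acl.active.add((name, src_host))
    return True


def lint(acl, router_ip):
    """Heuristic checks matching the advice given in the thread."""
    findings = []
    dyn = [i for i, a in enumerate(acl.entries) if a.dynamic]
    if not dyn:
        return ["no dynamic entry: lock-and-key is not configured here"]
    before, after = acl.entries[:dyn[0]], acl.entries[dyn[0] + 1:]
    if any(a.action == "permit" and a.proto == "tcp" and a.dst_port == 23
           and a.dst == "any" for a in before):
        findings.append(f"telnet is permitted to any host; restrict it to host {router_ip}")
    if any(a.action == "permit" and a.proto == "ip" and a.src == "any"
           and a.dst == "any" for a in after):
        findings.append("'permit ip any any' after the dynamic entry permits everything unauthenticated")
    if not any(a.action == "permit" and (a.proto == "ospf" or 179 in (a.src_port, a.dst_port))
               for a in before):
        findings.append("no routing-protocol permit (ospf/bgp) ahead of the dynamic entry")
    return findings


# ACL text as posted in the thread (the reposted one is the named INBOUND list)
ORIGINAL_ACL = """
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 permit ip any any
"""
REPOSTED_ACL = """
ip access-list extended INBOUND
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit tcp any any eq telnet
dynamic ACCESS timeout 10 permit ip any any
deny ip any any
"""
# constructed sample packet: non-telnet traffic through the router from a LAN host
OTHER_TRAFFIC = {"proto": "udp", "src": "192.168.25.5", "dst": "10.0.0.1", "dport": 53}

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("reposted", REPOSTED_ACL)):
        acl = parse_acl(text)
        print(name, "before auth:", evaluate(acl, OTHER_TRAFFIC), lint(acl, "192.168.25.6"))
        print(name, "access-enable:", access_enable(acl, "ACCESS", OTHER_TRAFFIC["src"]),
              "after auth:", evaluate(acl, OTHER_TRAFFIC))
```

Run stand-alone it shows the original ACL permitting the sample traffic before any authentication (the trailing `permit ip any any` makes the dynamic entry irrelevant), the reposted list denying it until `access_enable` runs and rejecting a repeat activation for the same host, and the linter still flagging the `permit tcp any any eq telnet` line in the reposted list.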