RE: IWEB-RS/Internetwork Expert LAB 6 9.2 posted 10/16/2006


You need to clear the "access template" when you want to retest your
configuration.  The error message is referring to the fact that the
dynamic ACL entry already exists.

To remove a dynamic ACL entry you will need to use the "clear
access-template" command.  The options in the "clear access-template"
command need to match what is in the dynamic ACL.  The "?" doesn't give
you the help you would expect with the "clear access-template" command.
Remember to just type a command out if you think the option should take
even if it doesn't show up with the "?".  This is just one of the many
commands that do not show up properly or some at all with the "?".

Here is an example of how to clear a dynamic ACL: 
  
Rack4R1#sho access-list 
Extended IP access list 100 
    10 permit tcp any any eq telnet (26 matches) 
    20 Dynamic LOCK_KEY permit icmp any any echo 
       permit icmp host 1.1.1.2 any echo 
    30 deny ip any any (36 matches) 
Rack4R1# 
Rack4R1#clear access-template 100 LOCK_KEY host 1.1.1.2 any    
Rack4R1#sho access-list                                             
Extended IP access list 100 
    10 permit tcp any any eq telnet (26 matches) 
    20 Dynamic LOCK_KEY permit icmp any any echo 
    30 deny ip any any (66 matches) 
Rack4R1#

HTH,
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
bdennis@xxxxxxxxxxxxxxxxxxxxxx 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada) 

 
-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
trevelle@xxxxxxxxxx
Sent: Sunday, October 15, 2006 6:24 PM
To: ccielab@xxxxxxxxxxxxxx
Subject: IWEB-RS/Internetwork Expert LAB 6 9.2 

Lab 6 exercise 9.2 traffic filtering states that users must authenticate
through router 2 before they can access sw1. I am able to access sw1
after entering the following commands. Can someone please tell me what
I am missing? Any suggestions will be greatly appreciated. 

This is the error that I receive when I try to log in as TELNET:

Username: TELNET
Password:
List#DYNAMIC-PERMIT_TELNET already contains this IP address pair
[Connection to 150.1.2.2 closed by foreign host]

R2
username CLI password 0 CISCO
username TELNET password 0 CISCO
username TELNET autocommand access-enable timeout 5




ip access-list extended DYNAMIC
 dynamic PERMIT_TELNET permit tcp any any eq telnet
 deny   tcp any host 191.1.27.7 eq telnet
 deny   tcp any host 191.1.7.7 eq telnet
 deny   tcp any host 191.1.77.7 eq telnet
 deny   tcp any host 191.1.177.7 eq telnet
 deny   tcp any host 150.1.7.7 eq telnet
 permit ip any any
username TELNET autocommand access-enable timeout 5


interface Serial0/1
 ip address 191.1.23.2 255.255.255.0
 ip access-group DYNAMIC in

interface Serial0/0
 ip address 191.1.125.2 255.255.255.0
 ip access-group DYNAMIC in
 password cisco
 


line vty 0 4
login local

_______________________________________________________________________
Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html
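
Added example, not part of the original thread: the reply above says the "clear access-template" options have to match the temporary entry under the dynamic ACL line, so this Python sketch reads "show access-list" output and builds the matching clear command for each active temporary entry. It assumes output laid out as in the reply; the function names are hypothetical and the sample text is constructed from the output shown there.

```python
import re

# Constructed sample: the "show access-list" output from the reply above.
SAMPLE = """\
Extended IP access list 100
    10 permit tcp any any eq telnet (26 matches)
    20 Dynamic LOCK_KEY permit icmp any any echo
       permit icmp host 1.1.1.2 any echo
    30 deny ip any any (36 matches)
"""

ACL_HDR = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
DYNAMIC = re.compile(r"^\s+(?:\d+\s+)?Dynamic (\S+) ")
NUMBERED = re.compile(r"^\s+\d+\s")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def take_addr(tokens):
    """Pop one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return tokens.pop(0)
    first, second = tokens.pop(0), tokens.pop(0)
    return f"{first} {second}"


def clear_commands(show_output):
    """Return one 'clear access-template' line per active temporary entry."""
    cmds, acl, dyn = [], None, None
    for line in show_output.splitlines():
        if m := ACL_HDR.match(line):
            acl, dyn = m.group(1), None
        elif m := DYNAMIC.match(line):
            dyn = m.group(1)  # template line; temporary entries follow it
        elif NUMBERED.match(line):
            dyn = None  # the next numbered entry ends the dynamic block
        elif dyn and line.split()[:1] in (["permit"], ["deny"]):
            tokens = line.split()[2:]  # drop the action and the protocol
            src = take_addr(tokens)
            if tokens and tokens[0] in PORT_OPS:  # skip a source port match
                del tokens[: 3 if tokens[0] == "range" else 2]
            dst = take_addr(tokens)
            cmds.append(f"clear access-template {acl} {dyn} {src} {dst}")
    return cmds


if __name__ == "__main__":
    print("\n".join(clear_commands(SAMPLE)))
```

An empty result means no temporary entry is active, which is the state the second "sho access-list" in the reply shows after the clear.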