Re: dynamic access-lists problem posted 10/08/2007


Concerning "backup" telnet access, try something similar to this:

You can still telnet to the higher port number 3001 (depends on the
hardware) through the rotary on vty 5.

-Rich


line vty 0 4
  login local
  logging synchronous
  autocommand access-enable host timeout 5
  transport input telnet
!
line vty 5
  login local
  logging synchronous
  rotary 1


On 10/6/07, George Goglidze <goglidze@xxxxxxxxx> wrote:
>
> Hi all,
>
> I have one question regarding dynamic access-lists.
>
> I have:
>
> [Router R4]
> s2/0 = FR 4
>
> [router R2]
> s2/0 = FR 2
>
> [router R5]
> s2/1 = FR 5
>
> [router R6]
> s2/0 = FR 6
>
> [FRSW FR]
> 2:204 = 4:402
> 2:205 = 5:502
> 2:206 = 6:602
>
> config:
> R4:
>
> interface Serial2/0
> ip address 150.50.24.4 255.255.255.0
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.24.2 402 broadcast
> frame-relay map ip 150.50.24.4 402
> no frame-relay inverse-arp
>
> ip route 150.50.100.0 255.255.255.192 150.50.24.2
>
> R5:
>
> interface Serial2/1
> ip address 150.50.100.5 255.255.255.224
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.100.2 502 broadcast
> frame-relay map ip 150.50.100.5 502
> frame-relay map ip 150.50.100.6 502
> no frame-relay inverse-arp
>
> ip route 150.50.24.0 255.255.255.0 150.50.100.2
>
> R6:
>
> interface Serial2/0
> ip address 150.50.100.6 255.255.255.224
> encapsulation frame-relay
> no arp frame-relay
> frame-relay map ip 150.50.100.2 602 broadcast
> frame-relay map ip 150.50.100.5 602
> frame-relay map ip 150.50.100.6 602
> no frame-relay inverse-arp
>
> ip route 150.50.24.0 255.255.255.0 150.50.100.2
>
> R2:
>
> interface Serial2/0
> no ip address
> encapsulation frame-relay
> no arp frame-relay
> no frame-relay inverse-arp
>
> interface Serial2/0.1 multipoint
> ip address 150.50.100.2 255.255.255.224
> ip access-group 101 in
> frame-relay map ip 150.50.100.2 206
> frame-relay map ip 150.50.100.5 205 broadcast
> frame-relay map ip 150.50.100.6 206 broadcast
>
> interface Serial2/0.204 point-to-point
> ip address 150.50.24.2 255.255.255.0
> frame-relay interface-dlci 204
>
> access-list 101 permit tcp any any eq telnet
> access-list 101 dynamic dyn_acl timeout 2 permit ip host 150.50.100.5 any
>
> username cisco password cisco
>
> line vty 0 4
> login local
> autocommand access-enable timeout 1
>
> ----------------------------------------------------------
>
> from R5 everything works fine.
>
> R5#telnet 150.50.100.2
> Trying 150.50.100.2 ... Open
>
> User Access Verification
>
> Username: cisco
> Password:
> [Connection to 150.50.100.2 closed by foreign host]
> R5#
> R5#ping 150.50.24.4
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.50.24.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 12/27/32 ms
>
>
> on R2 I have following:
>
> R2#  sh access-list
> Extended IP access list 101
>    10 permit tcp any any eq telnet (75 matches)
>    20 Dynamic dyn_acl permit ip host 150.50.100.5 any
>       permit ip host 150.50.100.5 any (5 matches) (time left 56)
>
>
> but when I do the same from R6 I have problems:
>
> R6#telnet 150.50.100.2
> Trying 150.50.100.2 ... Open
>
>
> User Access Verification
>
> Username: cisco
> Password:
> [Connection to 150.50.100.2 closed by foreign host]
> R6#ping 150.50.24.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.50.24.2, timeout is 2 seconds:
> U.U.U
> Success rate is 0 percent (0/5)
>
>
>
> and on R2 I have following:
>
> R2#  sh access-list
> Extended IP access list 101
>    10 permit tcp any any eq telnet (144 matches)
>    20 Dynamic dyn_acl permit ip host 150.50.100.5 any
>       permit ip host 150.50.100.6 any
>       permit ip host 150.50.100.5 any (5 matches) (time left 44)
>
> As we can see, the dynamic ACL entry is created, "permit ip host
> 150.50.100.6 any", but it does not match.
> Does anybody know what the problem could be?
>
>
> And I have another question. Now I have all vty ports with autocommand.
> How do I access the router now over telnet?
> Is there a way to get inside, apart from the console?
>
> Thanks,
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
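The reply above answers the lock-out question with a config pattern: keep `autocommand access-enable` on vty 0 4, and leave one extra vty line (vty 5) without it, reachable through a rotary group on TCP port 3000+n (3001 for `rotary 1`). The following is an added example, not code from either poster: a small Python linter that reads a vty stanza as it would appear in `show running-config`, reports which vty lines are locked behind the autocommand, which (if any) are still interactive and on which rotary telnet port, and warns when `access-enable` lacks the `host` keyword (without it the temporary entry is not restricted to the source address of the authenticated Telnet session). The two sample configs are constructed here, modelled on the reply's stanza and on the original question's `line vty 0 4` block; the names `analyze`, `parse_vty_blocks` and the warning strings are this example's own.

```python
"""Lint a Cisco IOS lock-and-key vty configuration (added example, not from the
thread). Parses `line vty` stanzas and reports whether any interactive vty is
left once `autocommand access-enable` has been applied."""
import re

# Constructed sample, modelled on the vty stanza in the reply above.
SAMPLE_CONFIG = """\
line vty 0 4
 login local
 logging synchronous
 autocommand access-enable host timeout 5
 transport input telnet
!
line vty 5
 login local
 logging synchronous
 rotary 1
"""

# Constructed sample, modelled on the original question: autocommand on every vty.
LOCKED_OUT_CONFIG = """\
line vty 0 4
 login local
 autocommand access-enable timeout 1
"""

NO_INTERACTIVE_VTY = "no vty line without autocommand: only console access remains"
ACCESS_ENABLE_WITHOUT_HOST = ("access-enable lacks the host keyword: the dynamic entry "
                              "is not restricted to the source of the authenticated session")

LINE_VTY = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ROTARY = re.compile(r"^rotary (\d+)$")
ROTARY_TELNET_BASE = 3000  # rotary group n is reached with telnet on TCP 3000+n


def parse_vty_blocks(config):
    """Return [(first, last, [commands...]), ...], one tuple per `line vty` stanza."""
    blocks, cmds = [], None
    for raw in config.splitlines():
        m = LINE_VTY.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            cmds = []
            blocks.append((first, last, cmds))
        elif cmds is not None and raw.startswith(" "):
            cmds.append(raw.strip())          # indented line belongs to the stanza
        else:
            cmds = None                       # '!' or another top-level command ends it
    return blocks


def analyze(config):
    """Classify vty lines as locked (autocommand access-enable) or interactive."""
    locked, interactive, telnet_ports, warnings = [], [], {}, []
    for first, last, cmds in parse_vty_blocks(config):
        autocmd = [c for c in cmds if c.startswith("autocommand access-enable")]
        if autocmd:
            locked.append((first, last))
            if not re.search(r"\bhost\b", autocmd[0]):
                warnings.append(ACCESS_ENABLE_WITHOUT_HOST)
            continue
        interactive.append((first, last))
        for c in cmds:
            r = ROTARY.match(c)
            if r:                             # map the rotary group to its telnet port
                n = int(r.group(1))
                telnet_ports[n] = ROTARY_TELNET_BASE + n
    if not interactive:
        warnings.append(NO_INTERACTIVE_VTY)
    return {"locked": locked, "interactive": interactive,
            "telnet_ports": telnet_ports, "warnings": warnings}


if __name__ == "__main__":
    for name, cfg in (("reply", SAMPLE_CONFIG), ("question", LOCKED_OUT_CONFIG)):
        print(name, analyze(cfg))
```

Run against the reply's stanza it reports vty 0-4 locked, vty 5 interactive on telnet port 3001 and no warnings; against the question's stanza it reports every vty locked, no interactive line, and the missing `host` keyword. Note that both configs carry the opening credential over Telnet in clear text, so the "backup" path and the lock-and-key login itself should only be exposed on a network you already trust.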