From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Jan 07 2004 - 12:16:24 GMT-3
Hi Tim,
Thanks for getting back to me.
To answer your question, yes, the ping is going into S2.
I would think that my dynamic acl entry would allow pings since it allows
all ip packets to subnet 172.16.136.0. Would you agree?
dt
----- Original Message -----
From: "Tim Fletcher" <groupstudy@fletchmail.net>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, January 06, 2004 7:52 PM
Subject: Re: Lock and Key (Dynamic Access LIsts)
> At 06:14 PM 1/6/04, ccie2be wrote:
> >Hi guys,
> >
> >I'm having problems getting this to work properly and I have 2 questions about
> >this.
> >
> >1) When using local authentication, does the name in the username xxxx
> >password yyyy need to match the name in the dynamic access list entry? If it
> >does, doesn't that create problems in that everyone must use the same name
> >password combo? (I understand that only 1 dynamic entry should be used when
> >creating dynamic access lists.)
>
> No, it does not have to match.
>
>
> >2) Does the dynamic access list have to explicitly permit icmp in order for
> >ping to work?
> >
> >I have the following config:
> >
> >username test password ccie
> >
> >int s2
> >ip addr x.x.x.x m.m.m.m
> >ip access-group 100 in
> >
> >access-list 100 permit tcp any host 172.16.32.3 eq telnet
> >access-list 100 dynamic test permit ip any 172.16.136.0 0.0.0.255
> >
> >line vty 0 4
> >password cisco
> >login local
> >autocommand access-enable timeout 3
> >
> >What happens is this. When I telnet to the ip addr above, I get challenged to
> >enter a name and password and then I get (as I should) a message like "session
> >closed by foreign host". But, then when I try to ping a host on subnet
> >172.16.136.0, I get U.U.U
> >
> >Shouldn't I be able to ping with the above config?
>
> Is your connection coming into S2?
>
>
> >Thanks in advance, dt
> >
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3