Cisco Support Community
dynamic access-list not work?

Hi all,

I configured a dynamic access-list to control telnet access dynamically. But when I connect to the host (my host is 192.168.0.1), I get the following prompt:

List#130-testing already contains this IP address pair

[Connection to 192.168.2.1 closed by foreign host]

And the following is the running config of my remote host:

sh run
Building configuration...

Current configuration : 1826 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login testin local
enable password cisco
!
username teru privilege 15 password 0 xxxx
username teru autocommand access-enable timeout 5
ip subnet-zero
!
!
ip telnet source-interface FastEthernet0/0
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.4.1 255.255.255.240
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.6.1 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback3
 ip address 12.12.12.12 255.255.255.224
!
interface Loopback10
 ip address 13.14.13.1 255.255.224.0
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.252
 no keepalive
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 130 in
!
interface Serial0/1
 no ip address
 shutdown
!
router eigrp 1
 redistribute ospf 1 metric 1 1 1 1 1
 network 192.168.0.0
 auto-summary
 no eigrp log-neighbor-changes
!
router ospf 1
 router-id 10.10.10.10
 log-adjacency-changes
 network 12.12.12.0 0.0.0.31 area 0
 network 13.14.0.0 0.0.31.255 area 0
 network 192.168.2.0 0.0.0.3 area 1
 network 192.168.4.0 0.0.0.15 area 1
 network 192.168.6.0 0.0.0.7 area 1
!
ip classless
ip http server
ip pim bidir-enable
!
access-list 130 dynamic testing permit ip any any
access-list 130 deny tcp any host 192.168.2.1 eq telnet
access-list 130 permit ip any any
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 101 40
 login authentication testin
 autocommand access-enable timeout 5
 transport input lat pad v120 mop telnet rlogin udptn nasi ssh
!
end
Router#

Can anyone tell me what's wrong? Thank you!

Best Regards

Teru Lei

1 REPLY

Re: dynamic access-list not work?

The way I have seen lock and key (dynamic ACLs) set up is to permit telnet traffic to an interface address, then permit the traffic you want to allow through your router. Take a look at the example in the following link:

http://www.cisco.com/warp/public/707/confaccesslists.html#lock
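As an added illustration of the layout the reply describes (this is example configuration, not the poster's config and not the reply author's), the telnet session used to authenticate is permitted to the interface address first, and the dynamic entry follows it; names reuse the post (list 130, dynamic entry "testing", method list "testin", user "teru", Serial0/0 at 192.168.0.1), while the timeout values and the password placeholder are assumptions.

```ios
! Added example of a lock-and-key access list, not the original poster's config.
aaa new-model
aaa authentication login testin local
username teru password 0 <set-a-real-password>
!
! 1. Before any dynamic entry exists, the only traffic allowed in is the
!    telnet session to the router's own interface address, which is the
!    session that performs the authentication.
access-list 130 permit tcp any host 192.168.0.1 eq telnet
!
! 2. The dynamic template. "timeout 15" is the absolute lifetime of each
!    created entry (assumed value). With "host" on access-enable below,
!    IOS replaces the source "any" with the authenticated client's
!    address, so every client gets its own entry instead of one shared
!    "any any" entry.
access-list 130 dynamic testing timeout 15 permit ip any any
!
! 3. Nothing else is listed, so the implicit deny at the end drops all
!    other traffic until a user has authenticated. The original post
!    ended the list with "permit ip any any", which admits all traffic
!    whether or not a dynamic entry has been created.
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 130 in
!
line vty 0 4
 login authentication testin
 ! "host" limits the new entry to the connecting source address;
 ! "timeout 5" is the idle timeout in minutes (assumed value).
 autocommand access-enable host timeout 5
```

`show access-lists 130` shows the temporary entries that access-enable has created, which is the quickest way to check whether an entry already exists for a given source before a second login is attempted.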
