ios bug? startup-config + access-list commands + invalid input detected

jagoe
Level 1

I posted this yesterday in the comp.dcom.sys.cisco usenet newsgroup and didn't get any nibbles. If I've done something incredibly stupid, please don't hesitate to advise.

Cisco 827

IOS (tm) C820 Software (C820-K9OSY6-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)

I'm attempting to use a named host in an extended access list. The script that I copy to startup-config contains the following entries:

<snip>
!the following 2 lines appear near the top of the script
ip name-server 123.123.123.123 123.123.123.124
ip domain-lookup
!the following line appears near the bottom of the script
access-list 120 permit ip host mailin-01.mx.aol.com any
</snip>

When I reload the router, I see the following message:

<snip>
Translating "mailin-01.mx.aol.com"...domain server (255.255.255.255)
access-list 120 permit ip host mailin-01.mx.aol.com any
                               ^
% Invalid input detected at '^' marker.
</snip>

It seems as if the router's name server entry isn't being processed before the access-list entry. I can even verify with

router02#sh access-lists 120

that the access-list entry does *not* exist.

But when I manually type the entry into the router I see the following:

<snip>
router02(config)#access-list 120 permit ip host mailin-01.mx.aol.com any
Translating "mailin-01.mx.aol.com"...domain server (123.123.123.123)
[OK]
</snip>

and I can confirm its creation:

<snip>
router02#sh access-lists 120
Extended IP access list 120
permit ip host 64.12.137.89 any
</snip>

I must be doing something incredibly stupid. If necessary I can post the entire startup-config, although it's rather long. (I'm not sure if the same etiquette/common-sense applies here as applies to usenet newsgroups. i.e. do we post real ip addresses in our configs or should they be edited out?)

Any help is much appreciated.


jmia
Level 7

Hi Andy,

Just wondered, after you've created the ACL, do you do a 'write memory'? If you don't do this, then your new ACL will not be saved!!! Also, where do you apply your ACL, i.e. do you have an ACL access-group?

If you want to post your full config then please make sure you edit out your real IP / Passwords etc..

Hope this helps.

Jay.

Hi Jay,

Thanks for your feedback. Apologies in advance for the length of the startup-config. Unfortunately I believe viewing the entire beast will be the only way to get a real idea of whether it's a problem with IOS's config parser or simply cockpit error.

The problem lines reference mailin-01.mx.aol.com to mailin-04.mx.aol.com and appear near the beginning of extended access lists 120 and 130. Thanks mate!

!
!<'good guy' ip addresses replaced with xxx.xxx.xxx.xxx or A.B.C.D>
!
!<>>
!<>>
ver 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service timestamps debug datetime
service timestamps log datetime
service password-encryption
sntp server A.B.C.D
clock timezone WET
!
hostname snc-router02
!
enable secret <>>
username <> privilege 15 password <>>
username vpn-user password 0 <>>
!
!
!
ip nat inside source list 110 interface dialer0 overload
!
! only enable if expecting incoming session-initiating packets
ip nat inside source static tcp xxx.xxx.xxx.5 80 interface dialer0 80
! ip nat inside source static tcp xxx.xxx.xxx.5 53 interface dialer0 53
! ip nat inside source static tcp xxx.xxx.xxx.5 25 interface dialer0 25
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer0
ip subnet-zero
ip local pool myvpnippool 10.10.10.1 10.10.10.255
ip name-server yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz
ip domain-lookup
! ip local pool myvpnippool 10.10.10.1 10.10.10.1
! ip local pool myvpnippool 10.10.10.10 10.10.10.10
! ip local pool myvpnippool 10.10.10.20 10.10.10.20
! ip local pool myvpnippool 10.10.10.1 10.10.10.3
no ip finger
no ip http server
no ip name-server
!
aaa new-model
aaa authentication login aaa-authenticated local
aaa authorization network aaa-authorized local
!
!
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
!
!
crypto isakmp client configuration group vpn-client-group
 key something-reallyy-difficult
 ! dns xxx.xxx.xxx.5
 domain mydomain.com
 pool myvpnippool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto dynamic-map mydynamicmap 10
 set transform-set myset
!
!
crypto map myclientmap client authentication list aaa-authenticated
crypto map myclientmap isakmp authorization list aaa-authorized
crypto map myclientmap client configuration address respond
crypto map myclientmap 10 ipsec-isakmp dynamic mydynamicmap
!
!
! <1 - dialer protocols - interface d0 (dialer)>
dialer-list 1 protocol ip permit
!
! <10 - inbound standard acl - interface line vty (telnet)>
access-list 10 permit xxx.xxx.xxx.0 0.0.0.63
access-list 10 deny any log
!
! <100 - vpn ip address list - referenced by the isakmp client config>
access-list 100 permit ip xxx.xxx.xxx.0 0.0.0.63 10.10.10.0 0.0.0.255
!
! <110 - nat addresses - interface d0 (nat dialer)>
access-list 110 deny ip xxx.xxx.xxx.0 0.0.0.63 10.10.10.0 0.0.0.255
access-list 110 permit ip xxx.xxx.xxx.0 0.0.0.63 any
!
! <120 - inbound extended acl - interface d0 (ingress filter)>
!
!
!
access-list 120 permit ip host mailin-01.mx.aol.com any
access-list 120 permit ip host mailin-02.mx.aol.com any
access-list 120 permit ip host mailin-03.mx.aol.com any
access-list 120 permit ip host mailin-04.mx.aol.com any
access-list 120 deny ip 64.12.174.57 0.0.3.255 any log
!
access-list 120 deny ip 64.70.10.64 0.0.3.255 any log
!
access-list 120 deny ip 64.132.42.0 0.0.1.255 any log
!
access-list 120 deny ip 64.157.10.0 0.0.0.255 any log
!
access-list 120 deny ip 64.159.88.0 0.0.0.255 any log
!
access-list 120 deny ip host 65.89.41.161 any log
!
access-list 120 deny ip host 65.89.42.150 any log
access-list 120 deny ip host 65.89.43.186 any log
!
access-list 120 deny ip 66.28.0.0 0.0.255.255 any log
!
access-list 120 deny ip host 66.40.3.10 any log
!
access-list 120 deny ip host 66.154.65.33 any log
!

Erick Bergquist
Level 6
(Accepted Solution)

Hi,

Currently IOS doesn't use DNS-names in ACLs for the saved/running configuration.

When you type in an access-list with a domain name it looks it up and replaces it with the IP address. I remember seeing a bug id recently requesting this feature but can't recall the bug id # right now.

router(config)#access-list 187 permit ip any host www.cisco.com

router(config)#^Z

router#show run | inc 187

access-list 187 permit ip any host 198.133.219.25

router#show ver | inc 12

IOS (tm) C800 Software (C800-K9NOSY6-MW), Version 12.2(13)T, RELEASE
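Erick's point, that IOS resolves the name when the line is typed and stores only the address, means a saved config that still contains `host <fqdn>` will fail on every reload. The startup-config posted above also sets name servers with `ip name-server` and then clears them with `no ip name-server` before the ACL lines are reached, so a lookup could not have succeeded there anyway. The linter below is an added example, not code from the thread or from Cisco: it walks a config top to bottom the way IOS parses it on reload, flags every `host` token in an access-list line that is not an IPv4 literal, and records whether a usable name server was configured at that point. The sample config is constructed from the posted one, with RFC 5737 documentation addresses standing in for the redacted ones.

```python
import re
from dataclasses import dataclass, field

# An IPv4 literal; anything else after "host" in an ACL line is a name that
# IOS would have to resolve while parsing the saved config.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(?:permit|deny)\s+(.+)$")


@dataclass
class Finding:
    line_no: int
    acl: str
    name: str
    dns_usable: bool   # name servers configured and lookups enabled here?
    text: str


@dataclass
class DnsState:
    servers: list = field(default_factory=list)
    lookup_enabled: bool = True   # IOS default: ip domain-lookup is on


def names_after_host(rest: str) -> list[str]:
    """Return every non-IPv4 token that follows the keyword 'host'."""
    toks = rest.split()
    return [toks[i + 1] for i, t in enumerate(toks[:-1])
            if t == "host" and not IPV4.match(toks[i + 1])]


def update_dns_state(state: DnsState, line: str) -> None:
    """Track the commands that decide whether a lookup could succeed."""
    toks = line.split()
    if toks[:2] == ["ip", "name-server"]:
        state.servers = list(dict.fromkeys(state.servers + toks[2:]))
    elif toks[:3] == ["no", "ip", "name-server"]:
        # bare form clears every server; with arguments removes only those
        state.servers = [s for s in state.servers
                         if toks[3:] and s not in toks[3:]]
    elif line in ("ip domain-lookup", "ip domain lookup"):
        state.lookup_enabled = True
    elif line in ("no ip domain-lookup", "no ip domain lookup"):
        state.lookup_enabled = False


def lint_config(config: str) -> list[Finding]:
    """Walk the config top to bottom, as IOS does on reload."""
    state, findings = DnsState(), []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        update_dns_state(state, line)
        m = ACL_LINE.match(line)
        if m:
            for name in names_after_host(m.group(2)):
                usable = bool(state.servers) and state.lookup_enabled
                findings.append(Finding(n, m.group(1), name, usable, line))
    return findings


def report(config: str) -> list[str]:
    """Human-readable summary, one line per offending ACL entry."""
    out = []
    for f in lint_config(config):
        why = ("name server configured, but IOS stores only the resolved IP, "
               "so this line cannot round-trip through startup-config"
               if f.dns_usable else
               "no usable name server at this point in the config")
        out.append(f"line {f.line_no}: access-list {f.acl} references "
                   f"'{f.name}': {why}")
    return out


# Constructed sample, cut down from the startup-config posted in the thread;
# the redacted addresses are replaced with RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
ver 12.2
hostname snc-router02
ip name-server 192.0.2.53 192.0.2.54
ip domain-lookup
no ip finger
no ip http server
no ip name-server
!
access-list 10 permit 198.51.100.0 0.0.0.63
access-list 120 permit ip host mailin-01.mx.aol.com any
access-list 120 permit ip host mailin-02.mx.aol.com any
access-list 120 deny ip host 65.89.41.161 any log
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against a `show startup-config` dump before a maintenance reload; any finding at all means the line will be dropped with the `% Invalid input` error the thread shows, whatever the name-server state, and the `dns_usable` flag only tells you whether the router could even have attempted the lookup.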

Got it. Thanks very much, that answers the question.

Comment:

In an ideal Cisco world, access lists would be dynamic, updating their ip addresses at *network admin-prescribed intervals* via host name resolution. Due to performance considerations, it's not reasonable to do dns lookups each time a packet goes in or out!

In my particular case, deny acl rules blocking annoying aol.com pop-up advertisements were preventing successful delivery of email to aol.com recipients. It seems that aol round-robins its 4 MX host names across several ip addresses (i.e. too time-consuming a list for a network admin to maintain).

The intention was to use host name permits in the startup-config. This way mail delivery problems due to rotating MX ip addresses could be solved by simply reloading the router config.

You can try this:

Have 2 access-lists which are the same, except for the second one you paste in from Notepad and the names get resolved to IPs. Then go under the interface and replace the ip access-group # with the other access-list #.

If you're into Unix, etc., you could script this (expect, perl, etc.) and have a cron job kick off the script now and then.
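The two-ACL swap described above, scripted. This is an added example, not code from the thread: `build_update` expands each `host <name>` entry of a template into one ACL line per resolved address, emits the commands that rebuild the idle ACL number and repoint `ip access-group` on the interface, and refuses to emit anything if a name does not resolve, so a cron run cannot install a permit list with entries missing. The resolver is a parameter: `dns_resolver` uses the standard library for real use, while the constructed `fake_resolver` table (64.12.137.89 is the address shown in the thread; the 203.0.113.x addresses are documentation-range placeholders) lets the example run offline. The ACL numbers 120/121, the interface name Dialer0 and the template entries are assumptions for illustration.

```python
import socket
from typing import Callable, Iterable

# Resolver signature: name -> list of IPv4 addresses. Injectable so the
# generator can be exercised offline; dns_resolver is the production one.
Resolver = Callable[[str], list[str]]


def dns_resolver(name: str) -> list[str]:
    """Return every A record, so a round-robin MX name yields all addresses."""
    return sorted(set(socket.gethostbyname_ex(name)[2]))


def is_ipv4(token: str) -> bool:
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def expand_entry(entry: str, resolve: Resolver) -> list[str]:
    """Replace each 'host <name>' with one copy of the entry per address.

    Raises LookupError if any name fails to resolve: an ingress filter must
    not be installed with some of its permits silently missing.
    """
    toks = entry.split()
    variants = [toks]
    for i, tok in enumerate(toks[:-1]):
        if tok != "host" or is_ipv4(toks[i + 1]):
            continue
        name = toks[i + 1]
        try:
            addrs = resolve(name)
        except OSError as exc:          # socket.gaierror is an OSError
            raise LookupError(f"{name} did not resolve: {exc}") from None
        if not addrs:
            raise LookupError(f"{name} did not resolve; refusing partial ACL")
        # cartesian product handles entries with more than one host name
        variants = [v[:i + 1] + [a] + v[i + 2:] for v in variants for a in addrs]
    return [" ".join(v) for v in variants]


def build_update(template: Iterable[str], standby: int, interface: str,
                 resolve: Resolver = dns_resolver) -> list[str]:
    """Commands to rebuild the idle ACL number and repoint the interface.

    `template` holds ACL bodies without the 'access-list N' prefix. Applying
    'ip access-group <standby> in' replaces whichever list is currently bound
    inbound, so the switch-over is a single command on the interface. Alternate
    `standby` between the two numbers on each run.
    """
    cmds = [f"no access-list {standby}"]
    for entry in template:
        cmds += [f"access-list {standby} {line}"
                 for line in expand_entry(entry, resolve)]
    cmds += [f"interface {interface}", f" ip access-group {standby} in"]
    return cmds


# Constructed template mirroring the shape of ACL 120 in the thread: permits
# for the AOL MX names first, then a literal deny. Constructed resolver table:
# 64.12.137.89 is shown in the thread, the 203.0.113.x addresses are RFC 5737.
TEMPLATE = [
    "permit ip host mailin-01.mx.aol.com any",
    "permit ip host mailin-02.mx.aol.com any",
    "deny ip 66.28.0.0 0.0.255.255 any log",
]
FAKE_DNS = {
    "mailin-01.mx.aol.com": ["64.12.137.89", "203.0.113.10"],
    "mailin-02.mx.aol.com": ["203.0.113.20"],
}


def fake_resolver(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])   # unknown name -> empty -> LookupError


if __name__ == "__main__":
    # Paste the output into config mode (or feed it to expect); ACL 120 stays
    # bound until the final access-group line takes effect.
    print("\n".join(build_update(TEMPLATE, 121, "Dialer0", fake_resolver)))
```

The swap is what makes this safe to run unattended: the live list is never edited in place, so a half-pasted ACL 121 cannot leave the interface unfiltered, and a resolution failure aborts before any command is emitted.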