01-31-2003 02:12 AM - edited 02-20-2020 09:20 PM
I posted this yesterday in the comp.dcom.sys.cisco usenet newsgroup and didn't get any nibbles. If I've done something incredibly stupid, please don't hesitate to advise.
Cisco 827
IOS (tm) C820 Software (C820-K9OSY6-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)
I'm attempting to use a named host in an extended access list. The script that I copy to startup-config contains the following entries:
<snip>
!the following 2 lines appear near the top of the script
ip name-server 123.123.123.123 123.123.123.124
ip domain-lookup
!the following line appears near the bottom of the script
access-list 120 permit ip host mailin-01.mx.aol.com any
</snip>
When I reload the router, I see the following message:
<snip>
Translating "mailin-01.mx.aol.com"...domain server (255.255.255.255)
access-list 120 permit ip host mailin-01.mx.aol.com any
^
% Invalid input detected at '^' marker.
</snip>
It seems as if the router's name server entry isn't being processed before the access-list entry. I can even verify with
router02#sh access-lists 120
that the access-list entry does *not* exist.
But when I manually type the entry into the router I see the following:
<snip>
router02(config)#access-list 120 permit ip host mailin-01.mx.aol.com any
Translating "mailin-01.mx.aol.com"...domain server (123.123.123.123)
[OK]
</snip>
and I can confirm its creation:
<snip>
router02#sh access-lists 120
Extended IP access list 120
permit ip host 64.12.137.89 any
</snip>
I must be doing something incredibly stupid. If necessary I can post the entire startup-config, although it's rather long. (I'm not sure if the same etiquette/common-sense applies here as applies to usenet newsgroups. i.e. do we post real ip addresses in our configs or should they be edited out?)
Any help is much appreciated.
02-01-2003 10:02 PM
Hi,
Currently IOS doesn't use DNS-names in ACLs for the saved/running configuration.
When you type in an access-list with a domain name it looks it up and replaces it with the IP address. I remember seeing a bug id recently requesting this feature but can't recall the bug id # right now.
router(config)#access-list 187 permit ip any host www.cisco.com
router(config)#^Z
router#show run | inc 187
access-list 187 permit ip any host 198.133.219.25
router#show ver | inc 12
IOS (tm) C800 Software (C800-K9NOSY6-MW), Version 12.2(13)T, RELEASE
01-31-2003 03:03 AM
Hi Andy,
Just wondered, after you've created the ACL do you do a 'write memory'? If you don't do this then your new ACL will not be saved!!! Also, where do you apply your ACL, i.e. do you have an ACL access-group?
If you want to post your full config then please make sure you edit out your real IP / Passwords etc..
Hope this helps.
Jay.
02-01-2003 04:07 AM
Hi Jay,
Thanks for your feedback. Apologies in advance for the length of the startup-config. Unfortunately I believe viewing the entire beast will be the only way to get a real idea of whether it's a problem with IOS's config parser or simply cockpit error.
The problem lines reference mailin-01.mx.aol.com to mailin-04.mx.aol.com and appear near the beginning of extended access lists 120 and 130. Thanks mate!
!
!<'good guy' ip addresses replaced with xxx.xxx.xxx.xxx or A.B.C.D>
!
!
!
ver 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service timestamps debug datetime
service timestamps log datetime
service password-encryption
sntp server A.B.C.D
clock timezone WET
!
hostname snc-router02
!
enable secret <
username <
username vpn-user password 0 <
!
!
!
ip nat inside source list 110 interface dialer0 overload
!
!
ip nat inside source static tcp xxx.xxx.xxx.5 80 interface dialer0 80
! ip nat inside source static tcp xxx.xxx.xxx.5 53 interface dialer0 53
! ip nat inside source static tcp xxx.xxx.xxx.5 25 interface dialer0 25
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 dialer0
ip subnet-zero
ip local pool myvpnippool 10.10.10.1 10.10.10.255
ip name-server yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz
ip domain-lookup
! ip local pool myvpnippool 10.10.10.1 10.10.10.1
! ip local pool myvpnippool 10.10.10.10 10.10.10.10
! ip local pool myvpnippool 10.10.10.20 10.10.10.20
! ip local pool myvpnippool 10.10.10.1 10.10.10.3
no ip finger
no ip http server
no ip name-server
!
aaa new-model
aaa authentication login aaa-authenticated local
aaa authorization network aaa-authorized local
!
!
!
crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 2
lifetime 14400
!
!
crypto isakmp client configuration group vpn-client-group
key something-reallyy-difficult
! dns xxx.xxx.xxx.5
domain mydomain.com
pool myvpnippool
acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto dynamic-map mydynamicmap 10
set transform-set myset
!
!
crypto map myclientmap client authentication list aaa-authenticated
crypto map myclientmap isakmp authorization list aaa-authorized
crypto map myclientmap client configuration address respond
crypto map myclientmap 10 ipsec-isakmp dynamic mydynamicmap
!
!
! <1 - dialer protocols - interface d0 (dialer)>
dialer-list 1 protocol ip permit
!
! <10 - inbound standard acl - interface line vty (telnet)>
access-list 10 permit xxx.xxx.xxx.0 0.0.0.63
access-list 10 deny any log
!
! <100 - vpn ip address list - referenced by the isakmp client config>
access-list 100 permit ip xxx.xxx.xxx.0 0.0.0.63 10.10.10.0 0.0.0.255
!
! <110 - nat addresses - interface d0 (nat dialer)>
access-list 110 deny ip xxx.xxx.xxx.0 0.0.0.63 10.10.10.0 0.0.0.255
access-list 110 permit ip xxx.xxx.xxx.0 0.0.0.63 any
!
! <120 - inbound extended acl - interface d0 (ingress filter)>
!
!
!
access-list 120 permit ip host mailin-01.mx.aol.com any
access-list 120 permit ip host mailin-02.mx.aol.com any
access-list 120 permit ip host mailin-03.mx.aol.com any
access-list 120 permit ip host mailin-04.mx.aol.com any
access-list 120 deny ip 64.12.174.57 0.0.3.255 any log
!
access-list 120 deny ip 64.70.10.64 0.0.3.255 any log
!
access-list 120 deny ip 64.132.42.0 0.0.1.255 any log
!
access-list 120 deny ip 64.157.10.0 0.0.0.255 any log
!
access-list 120 deny ip 64.159.88.0 0.0.0.255 any log
!
access-list 120 deny ip host 65.89.41.161 any log
!
access-list 120 deny ip host 65.89.42.150 any log
access-list 120 deny ip host 65.89.43.186 any log
!
access-list 120 deny ip 66.28.0.0 0.0.255.255 any log
!
access-list 120 deny ip host 66.40.3.10 any log
!
access-list 120 deny ip host 66.154.65.33 any log
!
02-02-2003 03:40 AM
Got it. Thanks very much, that answers the question.
Comment:
In an ideal Cisco world, access lists would be dynamic, updating their ip addresses at *network admin-prescribed intervals* via host name resolution. Due to performance considerations, it's not reasonable to do dns lookups each time a packet goes in or out!
In my particular case, deny ACL rules blocking annoying aol.com pop-up advertisements were preventing successful delivery of email to aol.com recipients. It seems that AOL round-robins its 4 MX host names across several IP addresses (i.e. too time-consuming a list for a network admin to maintain).
The intention was to use host name permits in the startup-config. This way mail delivery problems due to rotating MX IP addresses could be solved by simply reloading the router config.
02-02-2003 12:10 PM
You can try this:
Have 2 access-lists which are the same, except for the second one you paste in from notepad and the names get resolved to IPs. Then go under the interface and replace the ip access-group # with the other access-list #.
If you're into unix, etc you could script this (expect, perl, etc) and have a cron job kick off the script now and then.
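The two-list rotation suggested in the reply above, and the lookup-at-entry behaviour the accepted answer describes, written out as an added example that is not part of this thread. It uses Python rather than expect/perl, and it only generates the IOS commands to paste or feed to a session tool; the telnet/SSH push itself is left out. The ACL numbers 120/121, the interface name Dialer0, the shortened deny tail and the fake DNS answers (only 64.12.137.89 appears in the thread; the 192.0.2.x addresses are RFC 5737 documentation space) are assumptions. Whatever the resolver state at boot (the posted startup-config sets `ip name-server` and then a few lines later removes it again with `no ip name-server`, which is consistent with the `domain server (255.255.255.255)` seen during reload), the accepted answer's point stands: a name never survives in the stored config, so something outside the router has to re-resolve it. Two things the replies leave implicit are built in: every A record a round-robin name currently returns gets its own permit, and if any name fails to resolve the script raises instead of emitting a list without that permit, since a `no access-list` followed by an incomplete rebuild would deny exactly the mail the permits exist for. Building the whole list under the spare number before touching `ip access-group` also avoids the moment where an interface references a list that has just been deleted, which IOS treats as permit-all.

```python
"""Rotate a Cisco IOS extended ACL between two numbers with freshly resolved hosts.

Added example, not code from the original thread. It writes out the
two-list swap suggested in the last reply: resolve the names now, build the
complete list under the number that is NOT currently applied, then move
`ip access-group` on the interface to it.

Assumptions (not from the thread): ACL numbers 120/121, interface Dialer0,
a shortened deny tail, and the fake DNS answers used for offline runs.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Sequence, Tuple

# Names whose current addresses must be permitted ahead of the deny lines.
MX_HOSTS = [
    "mailin-01.mx.aol.com",
    "mailin-02.mx.aol.com",
    "mailin-03.mx.aol.com",
    "mailin-04.mx.aol.com",
]

# Static remainder of the list, shortened from the posted ACL 120.
STATIC_TAIL = [
    "deny ip 64.12.174.57 0.0.3.255 any log",
    "deny ip 66.28.0.0 0.0.255.255 any log",
]

Resolver = Callable[[str], List[str]]


def live_resolver(host: str) -> List[str]:
    """Return every IPv4 A record for host, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


# Constructed answers for offline runs: only 64.12.137.89 appears in the
# thread, the 192.0.2.x addresses are RFC 5737 documentation space, and
# mailin-04 deliberately fails to resolve.
FAKE_DNS: Dict[str, List[str]] = {
    "mailin-01.mx.aol.com": ["64.12.137.91", "64.12.137.89"],
    "mailin-02.mx.aol.com": ["192.0.2.10"],
    "mailin-03.mx.aol.com": ["192.0.2.11"],
    "mailin-04.mx.aol.com": [],
}


def fake_resolver(host: str) -> List[str]:
    return list(FAKE_DNS.get(host, []))


def render_acl(acl_no: int, hosts: Sequence[str], tail: Sequence[str],
               resolve: Resolver) -> List[str]:
    """IOS commands that rebuild numbered ACL acl_no from scratch.

    Raises RuntimeError if any name has no address: pushing a list that is
    missing a permit would deny the mail the permits exist for, so the
    caller keeps the list that is already applied.
    """
    lines = [f"no access-list {acl_no}"]
    for host in hosts:
        addrs = {ipaddress.IPv4Address(a) for a in resolve(host)}  # ValueError on junk
        if not addrs:
            raise RuntimeError(f"{host} did not resolve; keeping the current ACL")
        lines.append(f"access-list {acl_no} remark {host}")  # keeps the name for humans
        for addr in sorted(addrs):                              # one permit per A record
            lines.append(f"access-list {acl_no} permit ip host {addr} any")
    lines.extend(f"access-list {acl_no} {rule}" for rule in tail)
    return lines


def spare_acl(current: int, pair: Tuple[int, int] = (120, 121)) -> int:
    """The member of pair that is not currently bound to the interface."""
    if current not in pair:
        raise ValueError(f"ACL {current} is not one of {pair}")
    return pair[1] if current == pair[0] else pair[0]


def build_update(current: int, resolve: Resolver, hosts: Sequence[str] = MX_HOSTS,
                 tail: Sequence[str] = STATIC_TAIL, interface: str = "Dialer0",
                 pair: Tuple[int, int] = (120, 121)) -> Tuple[int, List[str]]:
    """Return (new_acl_number, config_lines) for one rotation.

    The spare list is built completely before `ip access-group` changes, so
    the interface never references a list that has just been deleted.
    """
    new = spare_acl(current, pair)
    cfg = ["configure terminal", *render_acl(new, hosts, tail, resolve),
           f"interface {interface}", f" ip access-group {new} in", "end", "write memory"]
    return new, cfg


if __name__ == "__main__":
    # Offline demonstration with the constructed answers (mailin-04 left out).
    _, commands = build_update(120, fake_resolver, hosts=MX_HOSTS[:3])
    print("\n".join(commands))
```

Run it from cron with `live_resolver` in place of `fake_resolver`, read the currently applied number from `show run | inc access-group`, and feed the returned lines to whatever drives the router session; the `remark` lines keep the host name visible in `show run` even though IOS stores only the address.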