Problem Title : dynamic ACL with multi-ports TCP (Telnet +FTP+ FTP-Data+1521+1525) does grant access only to the first port described in
Here is a problem description for which I had no response from Cisco:
The problem appears with a Cisco 2610, IOS Version 11.3(2)XA3.
I configured the following dynamic ACL:
access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log
access-list 150 deny ip any any log
First, remote host 180.150.10.1 telnets to the router 160.8.100.6 and authenticates (name and password); authentication is right.
Then the command sh access-lists on the router gives:
ROUTER#sh access-lists
Extended IP access list 150
permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log (163 matches)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
deny ip any any log
We immediately see from this command that access for 180.150.10.1 to host 160.8.0.19 is granted for a while (161 s), but only for telnet (the five lines "permit tcp host 180.150.10.1 ...." all give TELNET, though the first should give TELNET, the second FTP-DATA, the third FTP, ...).
Then, when 180.150.10.1 tries to connect to 160.8.0.19, it can only establish a telnet session: no FTP session, no access on port 1521 or 1525.
Many tries show that it is always the port on the first dynamic access-list 150 line which is granted access.
Is this a bug, or is my config wrong?
Thanks