
Dynamic ACL fails on a router


CHM1 (Technical User), Oct 27, 2000
Problem title: dynamic ACL with multi-port TCP (Telnet + FTP + FTP-Data + 1521 + 1525) grants access only to the first port described in

Here is a problem description for which I had no response from Cisco:

The problem appears with a Cisco 2610, IOS Version 11.3(2)XA3.
I configured the following dynamic ACL:

access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log
access-list 150 deny ip any any log

Access is granted (when authentication occurs) only for the FIRST line, i.e. Telnet, and not for the other ports described on the following lines. The result of the command "sh access-lists" when somebody is authenticated on the router shows five lines with access granted for the same port, the first of the access-list, telnet:
permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log.
Obviously there's no access granted for ftp, ...

What happens? What's wrong?

Thanks
 
ACLs are tested in explicit sequential order. When a statement matches the condition in the ACL, its action is taken and none of the other ACL entries is tested. So... if someone tries telnet, he will match the first condition (permit) and the test will stop there. That's it.
 
Yes, but consider this:

First, the remote host 180.150.10.1 telnets to and authenticates on the router 160.8.100.6 (name and password); the authentication succeeds.
Then the command sh access-lists on the router gives:

ROUTER#sh access-lists
Extended IP access list 150
permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log (163 matches)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
deny ip any any log

We immediately see from this command that access from 180.150.10.1 to host 160.8.0.19 is granted for a while (161 s), but only for telnet (the five lines "permit tcp host 180.150.10.1 ...." all give TELNET, though the first should give TELNET, the second FTP-DATA, the third FTP, ...).

Many tries show that it is always the port on the first dynamic access-list 150 line that is granted access.

Is this a bug, or is my config wrong?

Thanks
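Added example, not from the thread and not Cisco's code: a small first-match evaluator for the posted access-list 150, written in Python. It evaluates the list exactly as the reply describes (top-down, first matching entry wins) against the temporary entries the poster's "sh access-lists" output shows (five telnet entries) and, for comparison, against an assumed "intended" list in which each dynamic line produced a temporary entry for its own port. The service-name table and the intended list are assumptions; the addresses, wildcards and ports are the poster's.

```python
import ipaddress

# Service names used in the posted ACL; numeric ports (1521, 1525) parse as-is.
PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_entry(line):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]'; addresses are 'host A', 'any' or 'A WC'."""
    tok = line.split()
    pos = 2
    def read_addr():
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        pos += 2
        return tok[pos - 2], tok[pos - 1]
    src, src_wc = read_addr()
    dst, dst_wc = read_addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = PORTS.get(tok[pos + 1]) or int(tok[pos + 1])
    return dict(action=tok[0], proto=tok[1], src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, port=port)

def evaluate(entries, src, dst, dport, proto="tcp"):
    """Top-down, first match wins (the reply's point); implicit deny at the end."""
    for e in entries:
        if (e["proto"] in ("ip", proto)
                and wildcard_match(src, e["src"], e["src_wc"])
                and wildcard_match(dst, e["dst"], e["dst_wc"])
                and e["port"] in (None, dport)):
            return e["action"]
    return "deny"

# Active entries as the poster's "sh access-lists" shows them: the static telnet line,
# five identical telnet temporary entries, then the explicit deny.
STATIC = parse_entry("permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet")
DENY = parse_entry("deny ip any any")
OBSERVED = [STATIC] + [parse_entry("permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet")] * 5 + [DENY]
# Assumed: what the five dynamic lines were written to produce, one temporary entry per port.
INTENDED = [STATIC] + [parse_entry(f"permit tcp host 180.150.10.1 host 160.8.0.19 eq {p}")
                       for p in ("telnet", "ftp-data", "ftp", "1521", "1525")] + [DENY]
```

With the observed entries, evaluate(OBSERVED, "180.150.10.1", "160.8.0.19", 21) reaches the final deny, while the same call against INTENDED returns "permit" from the ftp entry.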
 