Problem Title: dynamic ACL with multi-port TCP (Telnet + FTP + FTP-Data + 1521 + 1525) does grant access only to the first port described in
Here is a problem description for which I had no response from Cisco:
The problem appears with a Cisco 2610, IOS Version 11.3(2)XA3.
I configured the following dynamic ACL:
access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log
access-list 150 deny ip any any log
Access is granted (when authentication occurs) only for the FIRST line, i.e. Telnet, and not for the other ports described on the following lines. The result of the command "sh access-lists" when somebody is authenticated on the router shows five lines with access granted for the same port, the first of the access-list, telnet:
permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log
Obviously there's no access granted for ftp, ...
What happens? What's wrong?
Thanks
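An added example, not part of the original post: the same ACL rewritten along the lines of Cisco's lock-and-key configuration guideline, which states that the software only refers to the first dynamic entry defined in an access list, so the five per-port dynamic entries are collapsed into a single template entry. Addresses, list number, dynamic-list name and timeout are the ones from the post; the choice to permit any TCP port to 160.8.0.19 is an assumption about the required access.

```cisco
! Static entry unchanged: Telnet to the router address used for authentication
access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log
!
! One dynamic template only. IOS uses just the first dynamic entry in a list as the
! template for the temporary entries it creates at login, which is why all five
! temporary entries in the post were copies of the "eq telnet" line. The per-port
! entries (telnet, ftp-data, ftp, 1521, 1525) are therefore replaced by a single
! entry permitting any TCP port to the host (assumption: that is the access wanted).
! If a contiguous block of ports is enough, narrow it with e.g. "range 20 23".
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 log
!
! Everything else stays denied and logged, as in the original list
access-list 150 deny ip any any log
```

After the change, "sh access-lists" for an authenticated user should show a single temporary entry cloned from the dynamic line rather than five copies of the Telnet entry.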