
dynamic ACL does not work


CHM1

Technical User
Oct 27, 2000
Problem Title : dynamic ACL with multi-ports TCP (Telnet +FTP+ FTP-Data+1521+1525) does grant access only to the first port described in

Here is a problem Description for which I had no response from CISCO:

The problem appears with a Cisco 2610 running IOS Version 11.3(2)XA3.
I configured the following dynamic ACL:

access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log
access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log
access-list 150 deny ip any any log

First, remote host 180.150.10.1 telnets to the router 160.8.100.6 and authenticates (name and password); authentication succeeds.
Then the command sh access-lists on the router gives:

ROUTER#sh access-lists
Extended IP access list 150
permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log (163 matches)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp-data log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1521 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
Dynamic ACL-DYN150 permit ip 180.150.0.0 0.0.255.255 host 160.8.0.19 eq 1525 log timeout 60
permit tcp host 180.150.10.1 host 160.8.0.19 eq telnet log timeout 5 (152 matches) (time left 161)
deny ip any any log

We immediately see from this output that access from 180.150.10.1 to host 160.8.0.19 is granted for a while (161 s), but only for telnet (the five lines "permit tcp host 180.150.10.1 ...." all say TELNET, though the first should say TELNET, the second FTP-DATA, the third FTP, ...).

Then, when 180.150.10.1 tries to connect to 160.8.0.19, it can only establish a telnet session, but no FTP session and no access on ports 1521 and 1525.

Many tries show that it's always the port on the first dynamic access-list 150 line which is granted access.

Is this a bug (in version 11.3?) or is my config wrong? What can I do?

Thanks
 
"oNe additional step is required when creating a dynamic access list - the autocommand below the VTY lines."
 
Thank you.
But this is already the case, I have :

line vty 0 3
password 7 xxxxxxx
login local
autocommand access-enable timeout 5

(I didn't show you the whole config.) The user authenticates and access is granted, but only with the port on the first line of the ACL (which is telnet here).
If I reverse the lines of the ACL, having for example ftp on the first line and telnet on the second, access is granted only for ftp and not for telnet: here is the problem (as seen in the output of the sh access-lists command).
 
I may have found the problem.
Dynamic Access Lists
Use the following tips for configuring dynamic access lists:

Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined.
Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.
Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
Configure Telnet as the protocol, so that the user must Telnet into the router to be authenticated, before they can gain access through the router.
Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.
If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.
The only values replaced in the temporary entry are the source or destination address, depending whether the access list was in the input access list or output access list. All other attributes, such as port, are inherited from the main dynamic access list.
Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
Temporary access list entries are never written to NVRAM.
To manually clear or to display dynamic access lists, see the section "Lock-and-Key Maintenance" later in this chapter.


 
Looks like you're using the same access list for all your dynamic access lists.
 
Thank you very much.
As you suggested, I read (again) the whole chapter "Configuring Dynamic ACL"... and I don't understand everything:

1 - "Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined. " : in my opinion, I have only one : ACL-DYN150.
2 - "Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration. " : ACL-DYN150 is not assigned to another ACL.
3 - "The only values replaced in the temporary entry are the source or destination address, depending whether the access list was in the input access list or output access list. All other attributes, such as port, are inherited from the main dynamic access list." : can this be the problem?

So, after all this, I don't know if what I want to do is possible: limit access to only 5 ports (telnet, ftp, ftp-data, 1521, 1525). It's the first time I want filtering based on ports. I already used - with success - dynamic ACLs like this:
access-list 110 permit tcp any host 120.56.49.14 eq telnet log
access-list 110 dynamic ACL-DYN110 timeout 180 permit ip host 192.120.1.20 any log
access-list 110 dynamic ACL-DYN110 timeout 180 permit ip host 192.120.1.21 any log
access-list 110 dynamic ACL-DYN110 timeout 180 permit ip host 192.120.1.25 any log
 
1 - "Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined. " : in my opinion, I have only one : ACL-DYN150.

But it stops reading after the first, so create another dynamic access list for each port you need. Try access-list 151, 152, etc. with acl-dyn151, acl-dyn152, etc.

That's the way I understand it.
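A small model of the lock-and-key behaviour this thread observes, as an added example (my code, not Cisco's or the poster's): it parses numbered extended ACEs, warns when one access list carries more than one dynamic entry (the rule quoted from the IOS documentation above), and rebuilds the temporary entries the way the sh access-lists output shows them, each cloned from the first dynamic line with only the source replaced. The sample list is a constructed three-line cut of access-list 150.

```python
# Constructed sample: three lines of the thread's access-list 150.
ACL_150 = [
    "access-list 150 permit tcp 180.150.0.0 0.0.255.255 host 160.8.100.6 eq telnet log",
    "access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq telnet log",
    "access-list 150 dynamic ACL-DYN150 timeout 60 permit tcp 180.150.0.0 0.0.255.255 host 160.8.0.19 eq ftp log",
    "access-list 150 deny ip any any log",
]


def _addr(t, i):
    """Consume 'host A', 'any' or 'A wildcard'; return (text, next index)."""
    if t[i] == "host":
        return f"host {t[i + 1]}", i + 2
    if t[i] == "any":
        return "any", i + 1
    return f"{t[i]} {t[i + 1]}", i + 2


def parse_ace(line):
    """Parse one numbered extended ACE (static or dynamic) into its fields."""
    t, i, dyn = line.split(), 2, None
    if t[i] == "dynamic":
        dyn, i = t[i + 1], i + 2
        if t[i] == "timeout":
            i += 2                       # absolute timeout, not modelled here
    proto, i = t[i + 1], i + 2           # skip permit/deny
    src, i = _addr(t, i)
    dst, i = _addr(t, i)
    port = t[i + 1] if i < len(t) and t[i] == "eq" else None
    return {"acl": t[1], "dynamic": dyn, "proto": proto, "src": src, "dst": dst, "port": port}


def lint_dynamic(lines):
    """Warn for every list with more than one dynamic entry: only the first is used."""
    aces, out = [parse_ace(l) for l in lines], []
    for acl in dict.fromkeys(a["acl"] for a in aces):
        dyn = [a for a in aces if a["acl"] == acl and a["dynamic"]]
        if len(dyn) > 1:
            f = dyn[0]
            out.append(f"access-list {acl}: {len(dyn)} dynamic entries, only the "
                       f"first is used ({f['proto']} {f['dst']} eq {f['port']})")
    return out


def temp_entries(lines, auth_host):
    """Temporary entries as 'sh access-lists' showed them: one per dynamic line,
    each cloned from the FIRST dynamic entry with only the source replaced."""
    dyn = [a for a in map(parse_ace, lines) if a["dynamic"]]
    if not dyn:
        return []
    f = dyn[0]
    port = f" eq {f['port']}" if f["port"] else ""
    return [f"permit {f['proto']} host {auth_host} {f['dst']}{port}"] * len(dyn)
```

Running lint_dynamic on the full access-list 150 from the first post flags it, while a list with a single dynamic entry passes silently.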


 
Thank you for all this.
I'll receive a new router in a few weeks, so I'll test this then. Because the current router is in operation, I don't want my users to be disturbed by all this.
If I set several ACLs (say 150, 151, 152, 153, 154), how can I attach all of them to the same interface (can I have several ip access-group lines for the same interface)?
I'll send you the result.
 