access list problem

Discussion in 'Cisco' started by tony, Aug 25, 2006.

  1. tony

    tony Guest

    What command? Here is sh line before and after the second host telnets in


    before
    edu-cer-3750A#show line
      Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
        0 CTY       -     -    -    -    -    0     0        0   -
    *   1 VTY       -     -    -    -    1   20     0        0   -
        2 VTY       -     -    -    -    1    7     0        0   -
        3 VTY       -     -    -    -    1    0     0        0   -
        4 VTY       -     -    -    -    1    0     0        0   -
        5 VTY       -     -    -    -    1    0     0        0   -
        6 VTY       -     -    -    -    1    0     0        0   -
        7 VTY       -     -    -    -    1    0     0        0   -
        8 VTY       -     -    -    -    1    0     0        0   -
        9 VTY       -     -    -    -    1    0     0        0   -
       10 VTY       -     -    -    -    1    0     0        0   -
       11 VTY       -     -    -    -    1    0     0        0   -
       12 VTY       -     -    -    -    1    0     0        0   -
       13 VTY       -     -    -    -    1    0     0        0   -
       14 VTY       -     -    -    -    1    0     0        0   -
       15 VTY       -     -    -    -    1    0     0        0   -
       16 VTY       -     -    -    -    1    0     0        0   -


    After second host telnet in
    edu-cer-3750A#show line
      Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
        0 CTY       -     -    -    -    -    0     0        0   -
    *   1 VTY       -     -    -    -    1   20     0        0   -
    *   2 VTY       -     -    -    -    1    8     0        0   -
        3 VTY       -     -    -    -    1    0     0        0   -
        4 VTY       -     -    -    -    1    0     0        0   -
        5 VTY       -     -    -    -    1    0     0        0   -
        6 VTY       -     -    -    -    1    0     0        0   -
        7 VTY       -     -    -    -    1    0     0        0   -
        8 VTY       -     -    -    -    1    0     0        0   -
        9 VTY       -     -    -    -    1    0     0        0   -
       10 VTY       -     -    -    -    1    0     0        0   -
       11 VTY       -     -    -    -    1    0     0        0   -
       12 VTY       -     -    -    -    1    0     0        0   -
       13 VTY       -     -    -    -    1    0     0        0   -
       14 VTY       -     -    -    -    1    0     0        0   -
       15 VTY       -     -    -    -    1    0     0        0   -
       16 VTY       -     -    -    -    1    0     0        0   -

    edu-cer-3750A#
     
    tony, Aug 28, 2006
    #21

  2. Doan

    Doan Guest

    The "show access-list 1" command. Are you getting hits on the ACL?

    Doan
     
    Doan, Aug 28, 2006
    #22

  3. Merv

    Merv Guest

    UPGRADE THE IOS SOFTWARE !!!


    I suspect you have stepped on this bug:

    CSCed10210
    Headline: access-class on vty fails to secure vty after reboot
    Product: IOS
    Feature: OTHERS
    Severity: 2
    Status: Verified
    First Found-in Version: 12.1(14)EA1
    First Fixed-in Version: 12.2(18)SE, 12.1(19)EA1a, 12.1(20)EA1, 12.2(20)SE, 12.1(14)AX1

    Release Notes

    Symptom:
    A Catalyst 3750 or 2970 switch running 12.1(19)EA1 or earlier may allow telnet sessions to the device from unauthorized hosts with an access-class applied inbound to the vty lines.

    This issue occurs only after a reboot and only if a keystroke has not been echoed to the console port. After the console port has received a single character from some kind of terminal, the access-class applied to the vty will activate and filter any new inbound connections.

    The configuration under the vty will look similar to this:
    line vty 0 4
     password cisco
     access-class 3 in
     login
    !
    access-list 3 permit host 10.1.1.1
    access-list 3 deny any

    When this configuration is applied, any host will be able to telnet to the switch until at least a character is sent to the console port.

    Conditions:
    This only affects Catalyst 3750 and 2970 switches running 12.1(19)EA1 or earlier. This does not affect any other product.

    Workaround:
    1. Enter at least one character on the console port after reload.
    2. Upgrade to Cisco IOS 12.1(19)EA1a or higher. Cisco IOS Release 12.1(19)EA1a is expected to be available for download from cisco.com after December 15, 2003.
     
    Merv, Aug 28, 2006
    #23

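A mechanical version of the check Doan asks for, combined with the symptom Merv's bug report describes, as an added example that is not part of the thread and not Cisco's code: it parses `show line` and `show access-lists` output, maps each VTY to its inbound access-class (the AccI column in the captures above), and flags any VTY with a live session whose access-list has never counted a match. An inbound access-class that is really being consulted increments a permit or deny counter for every connection attempt, so a live session with the whole list still at zero is exactly what an unenforced access-class looks like from the CLI. The two command outputs are constructed samples shaped like the captures in this thread, not real device output; the function and variable names are mine.

```python
import re

# Constructed "show line" sample shaped like the thread's second capture:
# VTYs 1 and 2 carry live sessions (leading *), every VTY has access-class 1
# applied inbound (AccI column).  Not real device output.
SHOW_LINE_AFTER = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
*    1 VTY              -    -      -    -    1     20       0     0/0       -
*    2 VTY              -    -      -    -    1      8       0     0/0       -
     3 VTY              -    -      -    -    1      0       0     0/0       -
"""

# The same switch with the VTYs bound to access-class 3 instead (constructed).
SHOW_LINE_FILTERED = SHOW_LINE_AFTER.replace("-    1 ", "-    3 ")

# Constructed "show access-lists": list 1 has never been consulted, list 3 has
# counted 17 connection attempts (14 admitted, 3 refused).
SHOW_ACCESS_LISTS = """\
Standard IP access list 1
    10 permit 10.1.1.1
    20 deny   any
Standard IP access list 3
    10 permit 10.1.1.1 (14 matches)
    20 deny   any (3 matches)
"""

ACL_HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# Optional sequence number covers both old and new IOS formats; the match
# counter suffix is absent on entries that have never matched.
ACE_RE = re.compile(
    r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_show_line(text):
    """Map tty number -> type, live-session flag, inbound access-class, Uses.

    Fields are taken from the right because Tx/Rx is blank on VTYs, which
    shifts everything on the left."""
    rows = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 8 or tokens[0] == "Tty":
            continue  # header or blank line
        active = tokens[0] == "*"
        if active:
            tokens = tokens[1:]
        tty, typ = int(tokens[0]), tokens[1]
        acc_in = tokens[-5]  # ... AccO AccI Uses Noise Overruns Int
        rows[tty] = {"typ": typ, "active": active,
                     "acc_in": None if acc_in == "-" else acc_in,
                     "uses": int(tokens[-4])}
    return rows


def parse_show_access_lists(text):
    """Map access-list name/number -> list of entries with match counters."""
    acls, current = {}, None
    for raw in text.splitlines():
        header = ACL_HEADER_RE.match(raw)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE_RE.match(raw)
        if ace and current is not None:
            action, target, matches = ace.groups()
            acls[current].append({"action": action, "target": target,
                                  "matches": int(matches or 0)})
    return acls


def audit_vty_access_class(show_line, show_access_lists):
    """Return (tty, reason) findings for VTY lines that are not being filtered.

    A live VTY session while the whole inbound list still reads zero matches
    means the session was admitted without the list being consulted.  A list
    that is referenced but not defined is reported too, since IOS treats an
    undefined access-class as permit-all."""
    lines = parse_show_line(show_line)
    acls = parse_show_access_lists(show_access_lists)
    findings = []
    for tty, row in sorted(lines.items()):
        if row["typ"] != "VTY":
            continue
        acl = row["acc_in"]
        if acl is None:
            findings.append((tty, "no inbound access-class"))
        elif acl not in acls:
            findings.append((tty, f"access-class {acl} references an undefined list"))
        elif row["active"] and sum(e["matches"] for e in acls[acl]) == 0:
            findings.append((tty, f"live session but access-list {acl} has zero matches"))
    return findings


if __name__ == "__main__":
    for tty, reason in audit_vty_access_class(SHOW_LINE_AFTER, SHOW_ACCESS_LISTS):
        print(f"vty {tty}: {reason}")
```

Feed it the two outputs captured in the same session: match counters can be zeroed with `clear access-list counters`, so a zero count only means something when read alongside the `Uses` column and the live-session markers from the same moment. The check only detects the symptom; the fix, per the bug report, is the IOS upgrade.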