Sebastian, I am using 12.4(15)T13. Agree that the permit statement doesn't matter but why is it there?
Only standard access-lists are accepted by the http server access-class, which leaves the application of the ACL to the physical interface. But for that a permit ip any any is required at the end.

With regards
Kings

On Sun, Nov 7, 2010 at 12:57 AM, Sebastian Pasternacki <[email protected]> wrote:

> Hi Kingsley,
>
> Firstly an HTTP question - HTTP login block and login delay support is in
> releases 12.2(33)SXH and 12.4(16)T and later.
> SOURCE -
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html
> So the question is what is your IOS version?
>
> Permit statement doesn't really matter, because all SSH access is blocked
> with line 30 in your ACL. How does this ACL look without active blocking?
>
> If the ACL is applied to CON/AUX only from time to time, I would say that
> it looks like a bug. If it is applied always, then it may be the way this
> feature works.
> Unfortunately I don't have any routers at the moment to test it.
>
> Regards,
>
> Seba
>
> On 6 November 2010 11:43, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> I have configured the router for login block.
>>
>> router(config)#login block-for 60 attempts 2 within 5
>>
>> The following is the ACL configured on vty lines.
>>
>> router#sh access-lists
>> Extended IP access list sl_def_acl
>>     10 deny tcp any any eq telnet log
>>     20 deny tcp any any eq www log
>>     30 deny tcp any any eq 22 log
>>     40 permit tcp any any eq 22 log
>>
>> As per the Cisco docs, the login block feature blocks all the telnet and
>> ssh connections. But, if you observe the ACEs, there is one for HTTP too.
>> Also take a look at the last one, it permits ssh.
>>
>> Sometimes, I see the ACL applied to aux and con line too.
>>
>> Seems some type of bug.
>>
>> Any thoughts?
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
