Re: lock and key access list problem

From: Brian Dennis (brian@xxxxxx)
Date: Sun Feb 03 2002 - 12:07:28 GMT-3


   
This is supposed to happen. You have the autocommand under the vtys.
Every time you telnet to the router and log in, it is going to execute the
autocommand. What you need to do is telnet to a vty that doesn't have the
autocommand configured.

Here's an example:

access-list 130 permit tcp any any eq bgp
access-list 130 dynamic firewall timeout 100 permit ip any any
access-list 130 permit tcp any host 170.100.1.1 eq 3001

line vty 0 3
 login local
line vty 4
 rotary 1
 login local
 autocommand access-enable timeout 5

When you want to authenticate, telnet to 170.100.1.1 port 3001 (it also works
for port 7001). This will put you on vty 4. You log in and the router executes
the autocommand. Then you just telnet back to the router normally (port 23).
Also you could create more vtys depending on your IOS feature set.

Use the command "autocommand access-enable host timeout 5" and not
"autocommand access-enable timeout 5". You're opening up a big hole in your
network without the "host" option.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
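The following is an added example, not code from this thread and not Cisco's own implementation. It is a small Python model of the lock-and-key behaviour discussed above: `access-enable` inserts a temporary entry into the dynamic line's slot, a second `access-enable` for the same address pair is rejected with the "already contains this IP address pair" message Atul saw, and without the `host` keyword the temporary entry keeps the template's `any` source, which is the hole Brian warns about. Addresses such as 172.17.59.20 (standing in for R1) and 192.0.2.99 (an unrelated host) are constructed, and the timeout is simplified to a plain countdown rather than IOS's distinction between idle and absolute timeouts.

```python
# Added example: Python model of a Cisco IOS lock-and-key dynamic ACL.
# Not IOS code; it reproduces only the behaviour described in the thread.
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Ace:
    """One access-list line: protocol, source, destination, optional dest port."""
    proto: str                   # "ip" matches every protocol, otherwise exact match
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    dynamic: bool = False        # True for the "dynamic <name> ..." template line

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class LockAndKeyAcl:
    number: int
    lines: list                                  # ordered Ace list, one with dynamic=True
    active: dict = field(default_factory=dict)   # (src, dst) -> minutes remaining (simplified)

    @property
    def template(self) -> Ace:
        return next(a for a in self.lines if a.dynamic)

    def access_enable(self, session_src: str, host: bool, timeout: int) -> str:
        """Emulates 'access-enable [host] timeout N' run from an authenticated vty.
        With 'host' the telnet session's source replaces the template source;
        without it the template's 'any' source is kept, so everyone gets in."""
        src = session_src if host else self.template.src
        pair = (src, self.template.dst)
        if pair in self.active:
            # Same message Atul's router printed (constructed to match the post).
            return f"List#{self.number}-firewall already contains this IP address pair"
        self.active[pair] = timeout
        return "OK"

    def tick(self, minutes: int) -> None:
        """Age the temporary entries; entries that reach zero are removed."""
        self.active = {k: v - minutes for k, v in self.active.items() if v - minutes > 0}

    def permits(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
        """Evaluate a packet top-down; active entries sit in the dynamic line's slot."""
        for ace in self.lines:
            if ace.dynamic:
                t = self.template
                for asrc, adst in self.active:
                    if Ace(t.proto, asrc, adst, t.dport).matches(proto, src, dst, dport):
                        return True
            elif ace.matches(proto, src, dst, dport):
                return True
        return False  # implicit deny at the end of every IOS access list


def acl_130(telnet_port: int) -> LockAndKeyAcl:
    """Atul's list (telnet_port=23) or Brian's variant (telnet_port=3001)."""
    return LockAndKeyAcl(130, [
        Ace("tcp", ANY, ANY, 179),                 # permit tcp any any eq bgp
        Ace("ip", ANY, ANY, dynamic=True),         # dynamic firewall ... permit ip any any
        Ace("tcp", ANY, "170.100.1.1", telnet_port),
    ])


def scenario_all_vtys_autocommand(host: bool = False) -> str:
    """Atul's config: every vty runs the autocommand, so the second login
    re-runs access-enable for the same pair and is rejected."""
    acl = acl_130(23)
    r1 = "172.17.59.20"                            # constructed address for R1
    first = acl.access_enable(r1, host, timeout=5)
    second = acl.access_enable(r1, host, timeout=5)
    return second if first == "OK" else first


def scenario_separate_vty(host: bool) -> dict:
    """Brian's fix: port 3001 lands on vty 4 (autocommand), port 23 on vty 0-3 (none).
    Returns whether R1, and an unrelated host, can reach telnet on the loopback."""
    acl = acl_130(3001)
    r1, other = "172.17.59.20", "192.0.2.99"       # constructed addresses
    before = acl.permits("tcp", r1, "170.100.1.1", 23)
    acl.access_enable(r1, host, timeout=5)         # authenticated on vty 4
    after_r1 = acl.permits("tcp", r1, "170.100.1.1", 23)
    after_other = acl.permits("tcp", other, "170.100.1.1", 23)
    acl.tick(5)                                    # temporary entry expires
    after_timeout = acl.permits("tcp", r1, "170.100.1.1", 23)
    return {"before": before, "r1": after_r1,
            "other_host": after_other, "after_timeout": after_timeout}


if __name__ == "__main__":
    print(scenario_all_vtys_autocommand())
    print("host keyword:", scenario_separate_vty(host=True))
    print("no host keyword:", scenario_separate_vty(host=False))
```

Running it prints the "already contains" message for Atul's layout, then shows that with `host` only R1 is permitted until the entry expires, while without `host` the unrelated host is permitted as well.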

On Sunday 03 February 2002 05:31 am, atul pawar wrote:
> Hi Guys
> I am testing a lock and key config but not able to get it working.
> I want to allow Telnet access to 170.100.1.1 (which is a loopback interface
> on router TS) from any host using Lock and Key. TS is talking BGP to R1
> via ethernet. When I telnet from R1 to TS it asks me for the username,
> accepts the password and drops the connection as expected. Then again when I
> telnet from R1 to TS, i.e. to 170.100.1.1, it asks me for username and password
> and the following happens
>
>
> r1#telnet 170.100.1.1
> Trying 170.100.1.1 ... Open
>
>
> User Access Verification
>
> Username:atul
> Password:
> List#130-firewall already contains this IP address pair
> [Connection to 170.100.1.1 closed by foreign host]
>
> Following are the configs for TS and R1
> ts#
>
> !
> interface Loopback5
> ip address 170.100.1.1 255.255.0.0
> no ip directed-broadcast
> !
> interface Ethernet0
> ip address 172.17.59.19 255.255.255.240
> ip access-group 130 in
> no ip mroute-cache
> no cdp enable
> !
> ip classless
> access-list 130 permit tcp any any eq bgp
> access-list 130 dynamic firewall timeout 100 permit ip any any
> access-list 130 permit tcp any host 170.100.1.1 eq telnet
> !
> line vty 0 4
> login local
> autocommand access-enable timeout 5
>
>
> Any help to get this working would be great
> Regards,
> Atul



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3