From: Carolyn Camarda (ccamarda@xxxxxxxxxxxxx)
Date: Sun Feb 03 2002 - 13:20:05 GMT-3
As a side note to this...
I typically don't put autocommand under the vty config. Doing this will
never allow you to telnet to the firewall router (such is the side-effect
Atul is having) sourced through the interface tied to the access-group.
Instead, I add autocommand to the username. This way you can use one
username for maintenance on the router and one for the firewall. I was
shown this in ECP1.
Associated config:
username Test password cisco
username Test autocommand access-enable timeout 5
username Test2 password cisco
line vty 0 4
login local
Good point on including host in the timeout statement - thanks.
Carolyn.
----- Original Message -----
From: "Brian Dennis" <brian@5g.net>
To: "atul pawar" <atulpawar@hotmail.com>; <ccielab@groupstudy.com>
Sent: Sunday, February 03, 2002 9:07 x
Subject: Re: lock and key access list problem
> This is supposed to happen. You have the autocommand under the vty's.
> Every time you telnet to the router and login, it is going to execute the
> autocommand. What you need to do is telnet to a vty that doesn't have the
> autocommand configured.
>
> Here's an example:
>
> access-list 130 permit tcp any any eq bgp
> access-list 130 dynamic firewall timeout 100 permit ip any any
> access-list 130 permit tcp any host 170.100.1.1 eq 3001
>
> line vty 0 3
> login local
> line vty 4
> rotary 1
> login local
> autocommand access-enable timeout 5
>
> When you want to authenticate, telnet to 170.100.1.1 port 3001 (it also
> works for port 7001). This will put you on vty 4. You log in and the router
> executes the autocommand. Then you just telnet back to the router normally
> (port 23).
> Also you could create more vty's depending on your IOS feature set.
>
> Use the command "autocommand access-enable host timeout 5" and not
> "autocommand access-enable timeout 5". You're opening up a big hole in
> your network without the "host" option.
>
> Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
>
>
> On Sunday 03 February 2002 05:31 am, atul pawar wrote:
> > Hi Guys,
> > I am testing a lock and key config but not able to get it working.
> > I want to allow Telnet access to 170.100.1.1 (which is a loopback
> > interface on router TS) from any host using lock and key. TS is talking
> > BGP to R1 via Ethernet. When I telnet from R1 to TS it asks me for the
> > username, accepts the password and drops the connection as expected. Then
> > again when I telnet from R1 to TS, i.e. to 170.100.1.1, it asks me for
> > username and password and the following happens:
> >
> >
> > r1#telnet 170.100.1.1
> > Trying 170.100.1.1 ... Open
> >
> >
> > User Access Verification
> >
> > Username:atul
> > Password:
> > List#130-firewall already contains this IP address pair
> > [Connection to 170.100.1.1 closed by foreign host]
> >
> > Following are the configs for TS and R1
> > ts#
> >
> > !
> > interface Loopback5
> > ip address 170.100.1.1 255.255.0.0
> > no ip directed-broadcast
> > !
> > interface Ethernet0
> > ip address 172.17.59.19 255.255.255.240
> > ip access-group 130 in
> > no ip mroute-cache
> > no cdp enable
> > !
> > ip classless
> > access-list 130 permit tcp any any eq bgp
> > access-list 130 dynamic firewall timeout 100 permit ip any any
> > access-list 130 permit tcp any host 170.100.1.1 eq telnet
> > !
> > line vty 0 4
> > login local
> > autocommand access-enable timeout 5
> >
> >
> > Any help to get this working would be great
> > Regards,
> > Atul
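To make concrete what the "host" keyword in Brian's advice changes, and why Atul saw "already contains this IP address pair" on his second login, here is an added Python model of the thread's access-list 130. It is not Cisco code and simplifies IOS behaviour (no timeouts, no interface binding); the host addresses used in it are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Model of a lock-and-key ACL: static lines plus a "dynamic" template line
# whose opened entries are created by "access-enable [host] timeout N".

@dataclass
class Entry:
    proto: str                   # "ip", "tcp", "icmp", ...
    src: str                     # "any" or CIDR
    dst: str                     # "any" or CIDR
    port: Optional[int] = None   # destination port (tcp lines only)
    dynamic: bool = False        # True for the template line

def addr_in(ip: str, net: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)

@dataclass
class LockAndKey:
    name: str
    entries: List[Entry]
    opened: List[Entry] = field(default_factory=list)  # created by access-enable

    def access_enable(self, telnet_src: str, host: bool) -> str:
        """Model of 'autocommand access-enable [host] timeout 5' run from a vty."""
        tmpl = next(e for e in self.entries if e.dynamic)
        # With "host" the source is narrowed to the authenticating host; without
        # it the template's source ("any") is copied as-is: the hole Brian means.
        src = f"{telnet_src}/32" if host else tmpl.src
        new = Entry(tmpl.proto, src, tmpl.dst)
        if new in self.opened:   # second login with the same pair (Atul's case)
            return f"List#130-{self.name} already contains this IP address pair"
        self.opened.append(new)
        return "ok"

    def permits(self, proto: str, src: str, dst: str, port: Optional[int] = None) -> bool:
        def hit(e: Entry) -> bool:
            return (e.proto in ("ip", proto) and (e.port is None or e.port == port)
                    and addr_in(src, e.src) and addr_in(dst, e.dst))
        for e in self.entries:
            # Opened entries are evaluated at the template line's position.
            for cand in (self.opened if e.dynamic else [e]):
                if hit(cand):
                    return True
        return False  # implicit deny at the end of the list

def build_acl() -> LockAndKey:
    """The thread's access-list 130 (bgp, dynamic template, telnet to loopback)."""
    return LockAndKey("firewall", [
        Entry("tcp", "any", "any", 179),            # permit tcp any any eq bgp
        Entry("ip", "any", "any", dynamic=True),    # dynamic firewall ... permit ip any any
        Entry("tcp", "any", "170.100.1.1/32", 23),  # permit tcp any host 170.100.1.1 eq telnet
    ])
```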
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3