Re: lock and key access list problem

From: Brian Dennis (brian@xxxxxx)
Date: Sun Feb 03 2002 - 14:19:36 GMT-3

Carolyn,
That's why I put the autocommand under a vty line that was answering to a TCP
high port like 3001. In the real world you would have something like this.

!
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login line group tacacs+ line
aaa authentication login vpdn_users group tacacs+ line
!
access-list 100 deny tcp any any eq telnet
access-list 100 permit tcp any any eq 3005
!
!
line vty 0 9
 login authentication vpdn_users
 autocommand access-enable host timeout 5
line vty 10 15
 access-class 100 in
 rotary 5
 login authentication line

Also, now the regular users telnetting to port 23 can't even get to vty 10
through 15.

Nothing against the local login method, but it doesn't scale in the real
world. It works great in a classroom or small network, but try having thousands
of users. I actually used this config for a site where I didn't have access to
change anything in the TACACS+ server. Another good method would have been to
just do the autocommand via TACACS+.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)

On Sunday 03 February 2002 08:20 am, Carolyn Camarda wrote:
> As a side note to this...
>
> I typically don't put autocommand under the vty config. Doing this will
> never allow you to telnet to the firewall router (such is the side-effect
> Atul is having) sourced through the interface tied to the access-group.
>
> Instead, I add autocommand to the username. This way you can use one
> username for maintenance on the router and one for the firewall. I was
> shown this in ECP1.
>
> Associated config:
>
> userna Test pass cisco
> userna Test autocommand access-enabl time 5
> userna Test2 pass cisco
>
> line vty 0 4
> login local
>
> Good point on including host in the timeout statement - thanks.
>
> Carolyn.
>
> ----- Original Message -----
> From: "Brian Dennis" <brian@5g.net>
> To: "atul pawar" <atulpawar@hotmail.com>; <ccielab@groupstudy.com>
> Sent: Sunday, February 03, 2002 9:07 x
> Subject: Re: lock and key access list problem
>
> > This is supposed to happen. You have the autocommand under the vtys.
> > Every time you telnet to the router and log in, it is going to execute the
> > autocommand. What you need to do is telnet to a vty that doesn't have the
> > autocommand configured.
> >
> > Here's an example:
> >
> > access-list 130 permit tcp any any eq bgp
> > access-list 130 dynamic firewall timeout 100 permit ip any any
> > access-list 130 permit tcp any host 170.100.1.1 eq 3001
> >
> > line vty 0 3
> > login local
> > line vty 4
> > rotary 1
> > login local
> > autocommand access-enable timeout 5
> >
> > When you want to authenticate, telnet to 170.100.1.1 port 3001 (it also
> > works for port 7001). This will put you on vty 4. You log in and the router
> > executes the autocommand. Then you just telnet back to the router normally
> > (port 23).
>
> > Also you could create more vty's depending on your IOS feature set.
> >
> > Use the command "autocommand access-enable host timeout 5" and not
> > "autocommand access-enable timeout 5". You're opening up a big hole in
> > your network without the "host" option.
> >
> > Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
> >
> > On Sunday 03 February 2002 05:31 am, atul pawar wrote:
> > > Hi Guys,
> > > I am testing a lock and key config but am not able to get it working.
> > > I want to allow Telnet access to 170.100.1.1 (which is a loopback
> > > interface on router TS) from any host using Lock and Key. TS is talking BGP
> > > to R1 via Ethernet. When I telnet from R1 to TS it asks me for the
> > > username, accepts the password and drops the connection as expected.
> > > Then again when I telnet from R1 to TS, i.e. to 170.100.1.1, it asks me
> > > for username and password and the following happens:
> > >
> > >
> > > r1#telnet 170.100.1.1
> > > Trying 170.100.1.1 ... Open
> > >
> > >
> > > User Access Verification
> > >
> > > Username:atul
> > > Password:
> > > List#130-firewall already contains this IP address pair
> > > [Connection to 170.100.1.1 closed by foreign host]
> > >
> > > Following are the configs for TS and R1
> > > ts#
> > >
> > > !
> > > interface Loopback5
> > > ip address 170.100.1.1 255.255.0.0
> > > no ip directed-broadcast
> > > !
> > > interface Ethernet0
> > > ip address 172.17.59.19 255.255.255.240
> > > ip access-group 130 in
> > > no ip mroute-cache
> > > no cdp enable
> > > !
> > > ip classless
> > > access-list 130 permit tcp any any eq bgp
> > > access-list 130 dynamic firewall timeout 100 permit ip any any
> > > access-list 130 permit tcp any host 170.100.1.1 eq telnet
> > > !
> > > line vty 0 4
> > > login local
> > > autocommand access-enable timeout 5
> > >
> > >
> > > Any help to get this working would be great
> > > Regards,
> > > Atul
> > >
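The thread turns on three configuration mistakes: an access-enable autocommand without the "host" keyword, the autocommand placed on every vty so that each login runs it and disconnects, and a reference to an authentication list that was never defined. The following script is an added example (it is not code from any of the posters) that parses an IOS config and flags those conditions, plus a check that the inbound ACL actually permits the rotary port (3000+N or 7000+N) when access-enable lives on a rotary vty. The parser, the check logic and the two sample configs are constructed here; the samples paraphrase Atul's original config and the layout Brian suggests.

```python
"""Lint a Cisco IOS lock-and-key configuration for the pitfalls raised in this thread.

Added example, not code from the thread's authors. The parser, the checks and the
sample configs below are constructed here; the samples paraphrase Atul's original
config and the layout Brian suggests (a separate rotary vty for access-enable,
'host' on the autocommand).
"""
import re

# Sub-commands that may appear under 'line vty' even when indentation was lost
# (mail clients strip it, as in the quoted configs above).
LINE_SUBCMDS = {"login", "autocommand", "rotary", "access-class", "password",
                "transport", "exec-timeout"}


def parse_ios(config):
    """Split a config into (global_cmds, blocks); blocks maps each 'line ...'
    header to the list of its sub-commands. Comments ('!') are dropped."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if text.startswith("line "):
            current = text
            blocks[current] = []
        elif current is not None and (raw.startswith(" ") or text.split()[0] in LINE_SUBCMDS):
            blocks[current].append(text)
        else:
            current = None
            global_cmds.append(text)
    return global_cmds, blocks


def vty_blocks(blocks):
    """Yield (first, last, sub-commands) for every 'line vty A [B]' block."""
    for header, cmds in blocks.items():
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", header)
        if m:
            first = int(m.group(1))
            yield first, int(m.group(2) or first), cmds


def lint_lock_and_key(config):
    """Return a list of (severity, message) findings; an empty list means clean."""
    global_cmds, blocks = parse_ios(config)
    findings = []
    aaa_lists = {m.group(1) for c in global_cmds
                 if (m := re.match(r"aaa authentication login (\S+)", c))}
    acl_ports = {int(m.group(1)) for c in global_cmds
                 if (m := re.match(r"access-list \d+ permit tcp .* eq (\d+)$", c))}
    all_vtys, autocmd_vtys = set(), set()

    for first, last, cmds in vty_blocks(blocks):
        where = f"line vty {first} {last}"
        rng = set(range(first, last + 1))
        all_vtys |= rng
        rotary = None
        for c in cmds:
            if c.startswith("autocommand access-enable"):
                autocmd_vtys |= rng
                opts = c.split("access-enable", 1)[1].split()
                if "host" not in opts:
                    findings.append(("high", f"{where}: access-enable without 'host' opens the "
                                     "dynamic entry for any address pair, not just the authenticated host"))
                if "timeout" not in opts:
                    findings.append(("medium", f"{where}: access-enable has no idle timeout; the "
                                     "entry lives until the dynamic ACL's absolute timeout or a manual clear"))
            elif (m := re.match(r"login authentication (\S+)", c)) and m.group(1) not in aaa_lists:
                findings.append(("high", f"{where}: login list '{m.group(1)}' is not defined "
                                 "by any 'aaa authentication login' command"))
            elif (m := re.match(r"rotary (\d+)", c)):
                rotary = int(m.group(1))
        # A rotary vty is reached on TCP 3000+N (or 7000+N); the inbound ACL must let it through.
        if rotary is not None and rng & autocmd_vtys and not acl_ports & {3000 + rotary, 7000 + rotary}:
            findings.append(("medium", f"{where}: rotary {rotary} listens on port {3000 + rotary}, "
                             "but no access-list entry permits it"))

    if all_vtys and autocmd_vtys == all_vtys:
        findings.append(("high", "every vty runs access-enable: each login executes the autocommand "
                         "and disconnects, leaving no vty for an ordinary management session"))
    return findings


# Constructed sample: Atul's original layout (autocommand on all vtys, no 'host').
ORIGINAL_CFG = """\
access-list 130 permit tcp any any eq bgp
access-list 130 dynamic firewall timeout 100 permit ip any any
access-list 130 permit tcp any host 170.100.1.1 eq telnet
!
line vty 0 4
 login local
 autocommand access-enable timeout 5
"""

# Constructed sample: Brian's layout (plain vtys 0-3, rotary 1 on vty 4 with 'host').
FIXED_CFG = """\
access-list 130 permit tcp any any eq bgp
access-list 130 dynamic firewall timeout 100 permit ip any any
access-list 130 permit tcp any host 170.100.1.1 eq 3001
!
line vty 0 3
 login local
line vty 4
 rotary 1
 login local
 autocommand access-enable host timeout 5
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(f"== {name}: {len(lint_lock_and_key(cfg))} finding(s)")
        for sev, msg in lint_lock_and_key(cfg):
            print(f"  [{sev}] {msg}")
```

Run it on the original config and it reports the missing "host" option and the all-vtys-autocommand lockout; the fixed config comes back clean. The check for undefined authentication lists catches the kind of name mismatch (e.g. a list defined as `vpdn_users` but referenced as `vpdn_user`) that is easy to miss by eye in an AAA-based variant.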



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3