Re: lock and key access list problem

From: Jaeheon Yoo (kghost@xxxxxxxxxxxx)
Date: Sun Feb 03 2002 - 15:25:47 GMT-3

Brian,
What if you omit the 'access-class 100 in' statement?
Are vty 10-15 available both via port 23 and via port 3005 in that case?

Anyway, I've found a related link for this interesting feature:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/dtasyncq.htm#71460

Jaeheon

----- Original Message -----
From: "Brian Dennis" <brian@5g.net>
To: <ccielab@groupstudy.com>
Sent: Monday, February 04, 2002 2:19 AM
Subject: Re: lock and key access list problem

>
> Carolyn,
> That's why I put the autocommand under a vty line that was answering to a TCP
> high port like 3001. In the real world you would have something like this.
>
> !
> aaa new-model
> aaa authentication login default group tacacs+ line
> aaa authentication login line group tacacs+ line
> aaa authentication login vpdn_users group tacacs+ line
> !
> access-list 100 deny tcp any any eq telnet
> access-list 100 permit tcp any any eq 3005
> !
> !
> line vty 0 9
> login authentication vpdn_users
> autocommand access-enable host timeout 5
> line vty 10 15
> access-class 100 in
> rotary 5
> login authentication line
>
>
> Also now the regular users telnetting to port 23 can't even get to vty 10
> through 15.
>
> Nothing against the local login method but it doesn't scale in the real
> world. Works great in a classroom or small network but try having 1000's of
> users. I actually used this config for a site where I didn't have access to
> change anything in the TACACS+ server. Another good method would have been to
> just do the autocommand via TACACS+.
>
> Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
>
>
>
> On Sunday 03 February 2002 08:20 am, Carolyn Camarda wrote:
> > As a side note to this...
> >
> > I typically don't put autocommand under the vty config. Doing this will
> > never allow you to telnet to the firewall router (such is the side-effect
> > Atul is having) sourced through the interface tied to the access-group.
> >
> > Instead, I add autocommand to the username. This way you can use one
> > username for maintenance on the router and one for the firewall. I was
> > shown this in ECP1.
> >
> > Associated config:
> >
> > username Test password cisco
> > username Test autocommand access-enable host timeout 5
> > username Test2 password cisco
> >
> > line vty 0 4
> > login local
> >
> > Good point on including host in the timeout statement - thanks.
> >
> > Carolyn.
> >
> > ----- Original Message -----
> > From: "Brian Dennis" <brian@5g.net>
> > To: "atul pawar" <atulpawar@hotmail.com>; <ccielab@groupstudy.com>
> > Sent: Sunday, February 03, 2002 9:07 x
> > Subject: Re: lock and key access list problem
> >
> > > This is supposed to happen. You have the autocommand under the vty's.
> > > Every time you telnet to the router and login, it is going to execute the
> > > autocommand. What you need to do is telnet to a vty that doesn't have the
> > > autocommand configured.
> > >
> > > Here's an example:
> > >
> > > access-list 130 permit tcp any any eq bgp
> > > access-list 130 dynamic firewall timeout 100 permit ip any any
> > > access-list 130 permit tcp any host 170.100.1.1 eq 3001
> > >
> > > line vty 0 3
> > > login local
> > > line vty 4
> > > rotary 1
> > > login local
> > > autocommand access-enable timeout 5
> > >
> > > When you want to authenticate, telnet to 170.100.1.1 port 3001 (it also
> > > works for port 7001). This will put you on vty 4. You log in and the router
> > > executes the autocommand. Then you just telnet back to the router normally
> > > (port 23).
> >
> > > Also you could create more vty's depending on your IOS feature set.
> > >
> > > Use the command "autocommand access-enable host timeout 5" and not
> > > "autocommand access-enable timeout 5". You're opening up a big hole in
> > > your network without the "host" option.
> > >
> > > Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
> > >
> > > On Sunday 03 February 2002 05:31 am, atul pawar wrote:
> > > > Hi Guys
> > > > I am testing a lock and key config but not able to get it working.
> > > > I want to allow Telnet access to 170.100.1.1 (which is a loopback
> > > > interface on router TS) from any host using Lock and key. TS is talking
> > > > BGP to R1 via ethernet. When I telnet from R1 to TS it asks me for the
> > > > username, accepts the password and drops the connection as expected.
> > > > Then again when I telnet from R1 to TS, i.e. to 170.100.1.1, it asks me
> > > > for username and password and the following happens
> > > >
> > > >
> > > > r1#telnet 170.100.1.1
> > > > Trying 170.100.1.1 ... Open
> > > >
> > > >
> > > > User Access Verification
> > > >
> > > > Username:atul
> > > > Password:
> > > > List#130-firewall already contains this IP address pair
> > > > [Connection to 170.100.1.1 closed by foreign host]
> > > >
> > > > Following are the configs for TS and R1
> > > > ts#
> > > >
> > > > !
> > > > interface Loopback5
> > > > ip address 170.100.1.1 255.255.0.0
> > > > no ip directed-broadcast
> > > > !
> > > > interface Ethernet0
> > > > ip address 172.17.59.19 255.255.255.240
> > > > ip access-group 130 in
> > > > no ip mroute-cache
> > > > no cdp enable
> > > > !
> > > > ip classless
> > > > access-list 130 permit tcp any any eq bgp
> > > > access-list 130 dynamic firewall timeout 100 permit ip any any
> > > > access-list 130 permit tcp any host 170.100.1.1 eq telnet
> > > > !
> > > > line vty 0 4
> > > > login local
> > > > autocommand access-enable timeout 5
> > > >
> > > >
> > > > Any help to get this working would be great
> > > > Regards,
> > > > Atul
> > > >
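The thread above argues two things about lock-and-key: that `access-enable` without the `host` keyword opens the dynamic entry for every source (Brian's "big hole"), and that running the autocommand on every vty makes each later login trip over the entry the first login already created (the "already contains this IP address pair" message Atul saw). The following is an added example, not code from the thread or from Cisco: a small Python model of an extended ACL with one dynamic template, built from Atul's access-list 130, that reproduces both effects. It assumes R1 sits at 172.17.59.18 and a third, unauthenticated host at 172.17.59.20 (both constructed addresses on the same /28 as TS's Ethernet 172.17.59.19); wildcard masks and idle-timer refresh are not modelled, and the clock is a caller-supplied minute counter.

```python
"""Toy model of a Cisco IOS lock-and-key (dynamic) access list.

Added example; it models only the behaviour discussed in the thread and is
not IOS code. Simplifications: ACL addresses are 'any' or one host (no
wildcard masks), and the idle timer is not refreshed by traffic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"

# Addresses from the thread plus two constructed hosts on TS's Ethernet /28.
TS_LO = "170.100.1.1"      # from the thread (Loopback5 on TS)
TS_ETH = "172.17.59.19"    # from the thread (Ethernet0 on TS)
R1 = "172.17.59.18"        # constructed: the authenticating host
STRANGER = "172.17.59.20"  # constructed: a host that never logs in


def _addr_match(pattern: str, addr: str) -> bool:
    """ACL address field: 'any' or a single host address."""
    return pattern == ANY or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)


@dataclass
class Entry:
    action: str                        # 'permit' or 'deny'
    proto: str                         # 'ip' matches every protocol, 'tcp' only tcp
    src: str
    dst: str
    dport: Optional[int] = None
    dynamic: Optional[str] = None      # name on 'access-list N dynamic NAME ...'
    abs_timeout: Optional[int] = None  # absolute timeout on the dynamic keyword (minutes)

    def matches(self, proto, src, dst, dport) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and _addr_match(self.src, src)
                and _addr_match(self.dst, dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class TempEntry:
    """Entry created by 'access-enable'; action/proto come from the template."""
    src: str
    dst: str
    expires_at: int  # minutes on the model clock


@dataclass
class AccessList:
    number: int
    entries: list
    temps: list = field(default_factory=list)

    def _template(self) -> Entry:
        return next(e for e in self.entries if e.dynamic)

    def _expire(self, now: int) -> None:
        self.temps = [t for t in self.temps if t.expires_at > now]

    def access_enable(self, user_src: str, now: int, idle_timeout: int, host: bool = False) -> str:
        """Model of 'autocommand access-enable [host] timeout N' run at login."""
        tpl = self._template()
        self._expire(now)
        # With 'host' the template's source is replaced by the user's address;
        # without it the template's 'any' is kept, so anyone gets through.
        src = user_src if host else tpl.src
        if any(t.src == src and t.dst == tpl.dst for t in self.temps):
            return f"List#{self.number}-{tpl.dynamic} already contains this IP address pair"
        life = idle_timeout if tpl.abs_timeout is None else min(idle_timeout, tpl.abs_timeout)
        self.temps.append(TempEntry(src, tpl.dst, now + life))
        return "created"

    def permitted(self, proto: str, src: str, dst: str, dport: int, now: int) -> bool:
        """First-match evaluation; temporary entries sit at the template's position."""
        self._expire(now)
        for e in self.entries:
            if e.dynamic:
                for t in self.temps:
                    if Entry(e.action, e.proto, t.src, t.dst, e.dport).matches(proto, src, dst, dport):
                        return e.action == "permit"
                continue
            if e.matches(proto, src, dst, dport):
                return e.action == "permit"
        return False  # implicit deny at the end of every IOS ACL


def thread_acl() -> AccessList:
    """Atul's access-list 130 as posted in the thread."""
    return AccessList(130, [
        Entry("permit", "tcp", ANY, ANY, dport=179),                           # eq bgp
        Entry("permit", "ip", ANY, ANY, dynamic="firewall", abs_timeout=100),  # dynamic template
        Entry("permit", "tcp", ANY, TS_LO, dport=23),                          # eq telnet
    ])


def scenario(host_option: bool) -> dict:
    """One login from R1, then probes from R1 and from the stranger host."""
    acl = thread_acl()
    out = {"first": acl.access_enable(R1, now=0, idle_timeout=5, host=host_option)}
    out["r1_ssh_to_ts"] = acl.permitted("tcp", R1, TS_ETH, 22, now=1)
    out["stranger_ssh_to_ts"] = acl.permitted("tcp", STRANGER, TS_ETH, 22, now=1)
    out["second"] = acl.access_enable(R1, now=1, idle_timeout=5, host=host_option)
    out["after_timeout"] = acl.permitted("tcp", R1, TS_ETH, 22, now=7)
    return out


if __name__ == "__main__":
    for opt in (True, False):
        print("with host" if opt else "without host", scenario(opt))
```

Running it shows the two points side by side: with `host`, only R1's address is inserted, the stranger stays blocked, and the entry lapses after the five-minute idle timeout; without `host`, the inserted entry is still `any any`, so the stranger is permitted for as long as R1's session keeps it alive. In both cases the second `access_enable` for the same pair returns the "already contains" message, which is exactly what a login on a vty that also carries the autocommand produces; Brian's fix of leaving the autocommand off the vtys used for ordinary management avoids the second call altogether.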



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3