Re: lock and key access list problem

From: Brian Dennis (brian@xxxxxx)
Date: Sun Feb 03 2002 - 16:31:30 GMT-3


Yes, with 10 simultaneous/concurrent connections, the 11th user to telnet to
the router (port 23) would hit vty 10 even though it's also assigned to a
rotary, but it looks like the new queuing option will change this behavior.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)

On Sunday 03 February 2002 10:25 am, Jaeheon Yoo wrote:
> Brian,
> What if you omit 'access-class 100 in' statement?
> Are vty 10-15 available both via port 23 and via port 3005 in that case?
>
> Anyway, I've found a related link for this interesting feature;
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/dtasyncq.htm#71460
>
> Jaeheon
>
> ----- Original Message -----
> From: "Brian Dennis" <brian@5g.net>
> To: <ccielab@groupstudy.com>
> Sent: Monday, February 04, 2002 2:19 AM
> Subject: Re: lock and key access list problem
>
> > Carolyn,
> > That's why I put the autocommand under a vty line that was answering to a
> > TCP high port like 3001. In the real world you would have something like
> > this.
> >
> > !
> > aaa new-model
> > aaa authentication login default group tacacs+ line
> > aaa authentication login line group tacacs+ line
> > aaa authentication login vpdn_user tacacs+ line
> > !
> > access-list 100 deny tcp any any eq telnet
> > access-list 100 permit tcp any any eq 3005
> > !
> > !
> > line vty 0 9
> > login authentication vpdn_user
> > autocommand access-enable host timeout 5
> > line vty 10 15
> > access-class 100 in
> > rotary 5
> > login authentication line
> >
> >
> > Also now the regular users telneting to port 23 can't even get to vty 10
> > through 15.
> >
> > Nothing against the local login method but it doesn't scale in the real
> > world. Works great in a classroom or small network but try having 1000's
> > of users. I actually used this config for a site where I didn't have
> > access to change anything in the TACACS+ server. Another good method
> > would have been to just do the autocommand via TACACS+.
> >
> > Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
> >
> > On Sunday 03 February 2002 08:20 am, Carolyn Camarda wrote:
> > > As a side note to this...
> > >
> > > I typically don't put autocommand under the vty config. Doing this
> > > will never allow you to telnet to the firewall router (such is the
> > > side-effect Atul is having) sourced through the interface tied to the
> > > access-group.
> > >
> > > Instead, I add autocommand to the username. This way you can use one
> > > username for maintenance on the router and one for the firewall. I was
> > > shown this in ECP1.
> > >
> > > Associated config:
> > >
> > > userna Test pass cisco
> > > userna Test autocommand access-enabl time 5
> > > userna Test2 pass cisco
> > >
> > > line vty 0 4
> > > login local
> > >
> > > Good point on including host in the timeout statement - thanks.
> > >
> > > Carolyn.
> > >
> > > ----- Original Message -----
> > > From: "Brian Dennis" <brian@5g.net>
> > > To: "atul pawar" <atulpawar@hotmail.com>; <ccielab@groupstudy.com>
> > > Sent: Sunday, February 03, 2002 9:07 x
> > > Subject: Re: lock and key access list problem
> > >
> > > > This is supposed to happen. You have the autocommand under the vty's.
> > > > Every time you telnet to the router and login, it is going to execute
> > > > the autocommand. What you need to do is telnet to a vty that doesn't
> > > > have the autocommand configured.
> > > >
> > > > Here's an example:
> > > >
> > > > access-list 130 permit tcp any any eq bgp
> > > > access-list 130 dynamic firewall timeout 100 permit ip any any
> > > > access-list 130 permit tcp any host 170.100.1.1 eq 3001
> > > >
> > > > line vty 0 3
> > > > login local
> > > > line vty 4
> > > > rotary 1
> > > > login local
> > > > autocommand access-enable timeout 5
> > > >
> > > > When you want to authenticate, telnet to 170.100.1.1 port 3001 (it
> > > > also works for port 7001). This will put you on vty 4. You login and
> > > > the router executes the autocommand. Then you just telnet back to the
> > > > router normally (port 23).
> > >
> > > > Also you could create more vty's depending on your IOS feature set.
> > > >
> > > > Use the command "autocommand access-enable host timeout 5" and not
> > > > "autocommand access-enable timeout 5". You're opening up a big hole
> > > > in your network without the "host" option.
> > > >
> > > > Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
> > > >
> > > > On Sunday 03 February 2002 05:31 am, atul pawar wrote:
> > > > > Hi Guys
> > > > > I am testing a lock and key config but not able to get it working.
> > > > > I want to allow Telnet access to 170.100.1.1 (which is a loopback
> > > > > interface on router TS) from any host using Lock and Key. TS is
> > > > > talking BGP to R1 via ethernet. When I telnet from R1 to TS it asks
> > > > > me for the username; accepts the password and drops the connection
> > > > > as expected. Then again when I telnet from R1 to TS, i.e. to
> > > > > 170.100.1.1, it asks me for username and password and the following
> > > > > happens
> > > > >
> > > > >
> > > > > r1#telnet 170.100.1.1
> > > > > Trying 170.100.1.1 ... Open
> > > > >
> > > > >
> > > > > User Access Verification
> > > > >
> > > > > Username:atul
> > > > > Password:
> > > > > List#130-firewall already contains this IP address pair
> > > > > [Connection to 170.100.1.1 closed by foreign host]
> > > > >
> > > > > Following are the configs for TS and R1
> > > > > ts#
> > > > >
> > > > > !
> > > > > interface Loopback5
> > > > > ip address 170.100.1.1 255.255.0.0
> > > > > no ip directed-broadcast
> > > > > !
> > > > > interface Ethernet0
> > > > > ip address 172.17.59.19 255.255.255.240
> > > > > ip access-group 130 in
> > > > > no ip mroute-cache
> > > > > no cdp enable
> > > > > !
> > > > > ip classless
> > > > > access-list 130 permit tcp any any eq bgp
> > > > > access-list 130 dynamic firewall timeout 100 permit ip any any
> > > > > access-list 130 permit tcp any host 170.100.1.1 eq telnet
> > > > > !
> > > > > line vty 0 4
> > > > > login local
> > > > > autocommand access-enable timeout 5
> > > > >
> > > > >
> > > > > Any help to get this working would be great
> > > > > Regards,
> > > > > Atul
> > > > >
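The two mechanisms this thread turns on, the temporary entry that `access-enable` adds to the dynamic list (with and without the `host` keyword that Brian insists on) and which vty a telnet to port 23 versus a rotary port lands on, as a small Python model. This is an added illustration written for this archive page, not IOS code and not anything the posters wrote. It simplifies: the timeout is treated as an absolute lifetime in minutes, temporary entries are inserted at the position of the `dynamic` statement, and the addresses are the thread's (170.100.1.1, R1's Ethernet neighbour assumed to be 172.17.59.18) plus a constructed second host 10.9.9.9 that never authenticated.

```python
# Added toy model of IOS lock-and-key (dynamic ACL) and vty/rotary selection.
# Not Cisco IOS code; timeouts are absolute lifetimes here (constructed simplification).
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


class Entry:
    """One access-list line: action, protocol, source/destination nets, optional dport."""
    def __init__(self, action, proto, src, dst, dport=None, expires=None):
        self.action, self.proto = action, proto
        self.src, self.dst, self.dport, self.expires = src, dst, dport, expires

    def matches(self, src, dst, proto, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


class LockAndKeyACL:
    """Ordered ACL with one 'dynamic' slot; temporary entries created by
    access-enable are inserted at that slot and evaluated first-match."""
    def __init__(self, name, before, dynamic_template, after):
        self.name = name
        self.before, self.after = before, after
        self.template = dynamic_template   # the 'dynamic <name> ... permit ip any any' line
        self.dynamic = []                  # currently active temporary entries

    def _expire(self, now):
        self.dynamic = [e for e in self.dynamic if e.expires > now]

    def access_enable(self, authenticated_src, now, timeout_min, host):
        """Model 'autocommand access-enable [host] timeout N'. With host, the
        temporary entry is narrowed to the authenticating host; without it the
        template's source ('any') is kept, so every host is let in."""
        self._expire(now)
        src = ip_network(authenticated_src + "/32") if host else self.template.src
        for e in self.dynamic:
            if e.src == src and e.dst == self.template.dst:
                # the message Atul saw on his second login
                return f"List#{self.name} already contains this IP address pair"
        self.dynamic.append(Entry("permit", self.template.proto, src,
                                  self.template.dst, None, now + timeout_min * 60))
        return "ok"

    def permits(self, src, dst, proto, dport, now):
        self._expire(now)
        for e in self.before + self.dynamic + self.after:
            if e.matches(src, dst, proto, dport):
                return e.action == "permit"
        return False   # implicit deny at the end of every IOS ACL


def build_acl_130():
    """Brian's example list: bgp, the dynamic slot, then the rotary port 3001."""
    return LockAndKeyACL(
        "130-firewall",
        before=[Entry("permit", "tcp", ANY, ANY, 179)],
        dynamic_template=Entry("permit", "ip", ANY, ANY),
        after=[Entry("permit", "tcp", ANY, ip_network("170.100.1.1/32"), 3001)],
    )


def pick_vty(port, in_use, rotary, n_vty=16):
    """Lowest free vty for a telnet to 'port'. Port 23 may land on any vty,
    including ones that also carry a rotary; 3000+n / 7000+n only on vtys
    configured with 'rotary n'. Returns None when the candidates are all busy."""
    if port == 23:
        candidates = range(n_vty)
    else:
        group = port - 7000 if port >= 7000 else port - 3000
        candidates = [v for v in range(n_vty) if rotary.get(v) == group]
    for v in candidates:
        if v not in in_use:
            return v
    return None
```

Running `build_acl_130()` through `access_enable(..., host=False)` followed by `permits("10.9.9.9", "170.100.1.1", "tcp", 23, ...)` shows the hole Brian describes: the unauthenticated host is permitted because the temporary entry kept `any` as its source. With `host=True` only the authenticating address passes, and after the lifetime elapses the entry is gone. `pick_vty` reproduces the first message's observation that with vty 0-9 busy the eleventh port-23 session lands on vty 10 even though that vty also belongs to rotary 5.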



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:10 GMT-3