RE: Question about Lock and Key ACLs

From: Lupi, Guy (Guy.Lupi@xxxxxxxxxxxxx)
Date: Thu Apr 18 2002 - 11:11:19 GMT-3


You can also do this in a different way. If you specify 2 usernames and
passwords, only giving one the autocommand function, then you will be able
to use one username and password for regular telnet, and one username and
password for the dynamic acl. Just figured I would throw it out there.

~-----Original Message-----
~From: Hansang Bae [mailto:hbae@nyc.rr.com]
~Sent: Wednesday, April 17, 2002 8:37 PM
~To: ccielab@groupstudy.com
~Subject: Re: Question about Lock and Key ACLs
~
~
~At 03:10 PM 4/17/2002 -0700, Jaspreet Bhatia wrote:
~>[snip: Lock and Key]
~>Now my question is: is this the only method to do this? It does not
~>look like a very foolproof method to me. Is there a better method of
~>implementing lock and key ACL on a router and allowing telnet access
~>to it too at the same time?
~
~
~See the last paragraph.
~
~hsb
~
~
~
~From: Question 48
~Date: 02 February 2002
~Subject: How do I set up Lock & Key ACL? Or punch temporary holes in my
~ ACL if someone authenticates to my router?
~Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
~
~
~username foobar password cisco
~!
~int s0
~ ip address 1.1.1.1 255.255.0.0
~ ip access-group 101 in
~! /* or port 22 for ssh */
~access-list 101 permit tcp any host 1.1.1.1 eq telnet
~access-list 101 dynamic foobar permit ip any any
~!
~line vty 0 2
~ login local
~ autocommand access-enable host timeout 5
~line vty 3 4
~ login local
~ rotary 1
~
~The first access list allows telnet into the router. Your users will
~telnet into the router and authenticate with username "foobar" and
~password "cisco".
~
~The router will then immediately disconnect the telnet session. When
~they successfully authenticate, an access list with their source IP will
~be added to the dynamic list. Basically, if they authenticate correctly,
~they can come into the inside network. After 5 mins of inactivity the
~entry will be deleted from the access list.
~
~The vty 3 and 4 are using the rotary command so that you can telnet to
~your router with the command: "telnet 1.1.1.1 3001". This takes you to
~vty 3 (or 4). This way, you can telnet into the router and actually
~manage it. A very subtle but VERY important point. If you forget this,
~you'll be making a trip to use the console port.
~
~
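
The two-username variant Guy describes, written out as an added example (it is not the config from Hansang's FAQ or from either poster). The usernames, the placeholder passwords and the 120-minute absolute timeout are assumptions; the interface addressing and list number 101 are carried over from the FAQ.

```cisco
! Added example, not from the original thread. Usernames, passwords
! and the 120-minute absolute timeout are assumed values.
!
! One account for managing the router, one that only punches the hole.
! "secret" stores a hash instead of a reversible type 7 password
! (assumes an IOS release that supports it).
username admin secret ADMIN-PASSWORD-PLACEHOLDER
username lockkey secret LOCKKEY-PASSWORD-PLACEHOLDER
!
! The autocommand is attached to the user rather than to the vty line,
! so it fires only when "lockkey" logs in. "admin" gets a normal shell
! on any vty, so no rotary group is needed to keep management access.
username lockkey autocommand access-enable host timeout 5
!
interface Serial0
 ip address 1.1.1.1 255.255.0.0
 ip access-group 101 in
!
! Permit only the authentication session itself (port 23, or 22 for SSH).
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
! Dynamic entry with an absolute 120-minute ceiling on top of the
! 5-minute idle timeout set by access-enable, so a forgotten session
! cannot keep the hole open indefinitely.
access-list 101 dynamic lockkey timeout 120 permit ip any any
!
line vty 0 4
 login local
!
! To see which temporary entries are currently open:
!   show access-lists 101
! To close one by hand before its timers expire:
!   clear access-template 101 lockkey any any
```

With "login local" on every vty and no per-line autocommand, a login as "admin" behaves like the rotary vtys in the FAQ and a login as "lockkey" behaves like vty 0-2.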



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:12 GMT-3