From: Lupi, Guy (Guy.Lupi@xxxxxxxxxxxxx)
Date: Thu Apr 18 2002 - 11:52:40 GMT-3
This brings up another question. I remember reading somewhere that there is
a command you can give on the autocommand or on the username password that
will keep the user logged in to the telnet session instead of kicking them
out immediately. Does anyone know how to do this?
~-----Original Message-----
~From: Lupi, Guy
~Sent: Thursday, April 18, 2002 10:11 AM
~To: 'Hansang Bae'; ccielab@groupstudy.com
~Subject: RE: Question about Lock and Key ACLs
~
~
~You can also do this in a different way. If you specify 2 usernames and
~passwords, only giving one the autocommand function, then you will be able
~to use one username and password for regular telnet, and one username and
~password for the dynamic acl. Just figured I would throw it out there.
~
~~-----Original Message-----
~~From: Hansang Bae [mailto:hbae@nyc.rr.com]
~~Sent: Wednesday, April 17, 2002 8:37 PM
~~To: ccielab@groupstudy.com
~~Subject: Re: Question about Lock and Key ACLs
~~
~~
~~At 03:10 PM 4/17/2002 -0700, Jaspreet Bhatia wrote:
~~>[snip: Lock and Key]
~~>Now my question is: is this the only method to do this? It does not
~~>look like a very foolproof method to me. Is there a better method of
~~>implementing lock and key ACL on a router and allowing telnet access
~~>to it too at the same time?
~~
~~
~~See the last paragraph.
~~
~~hsb
~~
~~
~~
~~From: Question 48
~~Date: 02 February 2002
~~Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my
~~ ACL if someone authenticates to my router?
~~Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
~~
~~
~~username foobar password cisco
~~!
~~int s0
~~ ip address 1.1.1.1 255.255.0.0
~~ ip access-group 101 in
~~! /* or port 22 for ssh */
~~access-list 101 permit tcp any host 1.1.1.1 eq telnet
~~access-list 101 dynamic foobar permit ip any any
~~!
~~line vty 0 2
~~ login local
~~ autocommand access-enable host timeout 5
~~line vty 3 4
~~ login local
~~ rotary 1
~~
~~The first access list allows telnet into the router. Your users will
~~telnet into the router and authenticate with username foobar and password
~~"cisco".
~~
~~The router will then immediately disconnect the telnet session. When
~~they successfully authenticate, an access list with their source IP will
~~be added to the dynamic list. Basically, if they authenticate correctly,
~~they can come in to the inside network. After 5 mins of inactivity the
~~entry will be deleted from the access list.
~~
~~The vty 3 and 4 are using the rotary command so that you can telnet to
~~your router with the command: "telnet 1.1.1.1 3001" This takes you to
~~vty 3 (or 4). This way, you can telnet into the router and actually
~~manage it. A very subtle but VERY important point. If you forget this,
~~you'll be making a trip to use the console port.
~~
~~
~~**************************************************************************
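An added model of the lock-and-key behaviour the FAQ in the quoted message describes, not code from the thread or from Cisco IOS: it parses a constructed copy of the two access-list 101 lines and replays the sequence (telnet to port 23, autocommand access-enable, the rotary port 3001 used for management, the five-minute idle timeout) for an assumed admin host 10.9.8.7.

```python
import re
# Constructed copy of the FAQ's access-list 101; only the syntax it uses is parsed.
ACL_101 = ["access-list 101 permit tcp any host 1.1.1.1 eq telnet",
           "access-list 101 dynamic foobar permit ip any any"]
NAMED_PORTS = {"telnet": 23, "ssh": 22}
ENTRY = re.compile(r"access-list \d+ (?P<dyn>dynamic \S+ )?permit (?P<proto>\S+) any "
                   r"(?P<dst>host \S+|any)(?: eq (?P<port>\S+))?$")

class LockAndKeyAcl:
    """Static entries plus per-source-host entries created by access-enable."""
    def __init__(self, lines):
        self.entries = []   # (is_dynamic_template, proto, dst_host, dst_port)
        self.dynamic = {}   # authenticated source host -> [idle_left, idle_full]
        for line in lines:
            m = ENTRY.match(line)
            assert m, f"unsupported ACL line: {line}"
            dst = None if m["dst"] == "any" else m["dst"].split()[1]
            port = m["port"] and (NAMED_PORTS.get(m["port"]) or int(m["port"]))
            self.entries.append((bool(m["dyn"]), m["proto"], dst, port))

    def access_enable(self, src, timeout_min):
        # Effect of "autocommand access-enable host timeout N" after a good login.
        self.dynamic[src] = [timeout_min * 60, timeout_min * 60]

    def idle(self, seconds):
        # Advance the idle timer; entries that reach zero are removed.
        self.dynamic = {h: [t[0] - seconds, t[1]]
                        for h, t in self.dynamic.items() if t[0] > seconds}

    def permits(self, src, proto, dst, dport=None):
        # First match wins; the dynamic template matches nothing until src has an entry.
        for is_dyn, eproto, edst, eport in self.entries:
            if (is_dyn and src not in self.dynamic) or eproto not in ("ip", proto):
                continue
            if edst not in (None, dst) or (eport is not None and eport != dport):
                continue
            if is_dyn:  # matching traffic resets the idle timer
                self.dynamic[src][0] = self.dynamic[src][1]
            return True
        return False    # implicit deny at the end of every ACL

def walkthrough(admin="10.9.8.7", router="1.1.1.1"):
    # Replay the FAQ's sequence: telnet to vty 0-2, get kicked out, use rotary port 3001.
    acl = LockAndKeyAcl(ACL_101)
    before = acl.permits(admin, "tcp", router, 3001)   # only port 23 is open yet
    acl.access_enable(admin, 5)                        # login local + autocommand
    after = acl.permits(admin, "tcp", router, 3001)    # dynamic host entry now matches
    acl.idle(5 * 60)                                   # five idle minutes pass
    expired = acl.permits(admin, "tcp", router, 3001)  # entry gone, back to deny
    return before, after, expired
```

The replay shows why the rotary port is reachable through serial 0 at all: port 3001 is not in the static entry, so the management session is only permitted while the admin's dynamic host entry exists, which means authenticating on port 23 first and coming back before the idle timer expires.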
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:12 GMT-3