Re: Question about Lock and Key ACLs

From: Jaspreet Bhatia (jasbhati@xxxxxxxxx)
Date: Thu Apr 18 2002 - 13:18:45 GMT-3


   
Hansang,
Thanks for your suggestion. I did try it this way as per the Groupstudy
archives, and a message by Brian Dennis said the same thing. But I am getting
this message when I try to telnet into the lines vty 3 or 4:

Phoenix1#telnet 170.10.23.1 3001
Trying 170.10.23.1, 3001 ... Open

User Access Verification

Username: jas1
Password:
Password OK

Queued on rotary line group 1.

The rotary line group you attempted to access is full.
You have therefore been placed in a queue for the next
available line in this group.

You may exit the queue by terminating the telnet connection

You are now position 1 in the queue.

and then the router just hangs there. Any ideas?

Jaspreet

At 08:37 PM 4/17/2002 -0400, Hansang Bae wrote:
>At 03:10 PM 4/17/2002 -0700, Jaspreet Bhatia wrote:
> >[snip: Lock and Key]
> >Now my question is: is this the only method to do this? It does
> >not look like a very foolproof method to me. Is there a better method of
> >implementing lock and key ACL on a router and allowing telnet access to
> >it too at the same time?
>
>
>See the last paragraph.
>
>hsb
>
>
>
>From: Question 48
>Date: 02 February 2002
>Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my
> ACL if someone authenticates to my router?
>Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
>
>
>username foobar password cisco
>!
>int s0
> ip address 1.1.1.1 255.255.0.0
> ip access-group 101 in
>!
>! static entry: lets anyone reach the router's telnet port so they can log in
>! /* or port 22 for ssh */
>access-list 101 permit tcp any host 1.1.1.1 eq telnet
>! dynamic entry: inactive until a login runs access-enable
>access-list 101 dynamic foobar permit ip any any
>!
>! vty 0-2: authenticate, open the hole for the caller's host, disconnect
>line vty 0 2
> login local
> autocommand access-enable host timeout 5
>! vty 3-4: normal management access, reached via "telnet 1.1.1.1 3001"
>line vty 3 4
> login local
> rotary 1
>
>The first access list entry allows telnet into the router. Your users will
>telnet into the router and authenticate with username foobar and password
>"cisco".
>
>The router will then immediately disconnect the telnet session. When
>they successfully authenticate, an access list entry with their source IP
>will be added to the dynamic list. Basically, if they authenticate
>correctly, they can come in to the inside network. After 5 mins of
>inactivity the entry will be deleted from the access list.
>
>The vty 3 and 4 are using the rotary command so that you can telnet to
>your router with the command: "telnet 1.1.1.1 3001" This takes you to
>vty 3 (or 4). This way, you can telnet into the router and actually
>manage it. A very subtle but VERY important point. If you forget this,
>you'll be making a trip to use the console port.
>
>
>**************************************************************************
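The lock-and-key behaviour the quoted FAQ describes (static telnet permit, temporary entry inserted for the authenticating host by `access-enable host timeout 5`, removal after the idle timeout), as an added simulation that is not part of the original post and not IOS code. Only the two `access-list 101` lines come from the post; the class and function names, the inside host 192.168.1.10 and the client addresses 10.0.0.5 / 10.0.0.9 are constructed for the example. It also shows what changes if the `host` keyword is left off `access-enable`, which IOS documents as opening the dynamic entry for its configured source (here `any`) rather than just the caller.

```python
"""Model of Cisco IOS lock-and-key (dynamic) ACL evaluation.

Added example, not from the original post or from IOS. It reproduces the
behaviour the quoted config describes: the static entry lets any host telnet
to the router, and a successful login (autocommand access-enable host
timeout 5) inserts a temporary entry for that source host in place of the
dynamic entry; the entry is dropped after `timeout` idle minutes.
Class/function names and the hosts in run_scenario() are hypothetical.
"""
import ipaddress

# The two ACL lines from the quoted config.
ACL_101 = [
    "access-list 101 permit tcp any host 1.1.1.1 eq telnet",
    "access-list 101 dynamic foobar permit ip any any",
]

PORT_NAMES = {"telnet": 23, "ssh": 22}


def _parse_addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError("only 'any' and 'host X' are modelled: " + " ".join(tok))


def parse_ace(line):
    """Parse 'access-list N [dynamic NAME] ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    i, dynamic = 2, None
    if tok[i] == "dynamic":
        dynamic, i = tok[i + 1], i + 2
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"dynamic": dynamic, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def _matches(ace, proto, src, dst, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return src in ace["src"] and dst in ace["dst"]


class LockAndKeyACL:
    def __init__(self, lines):
        self.aces = [parse_ace(l) for l in lines]
        self.temp = []  # temporary entries created by access-enable

    def access_enable(self, src_ip, now, timeout, host=True):
        """What `autocommand access-enable [host] timeout N` does after login.

        With `host` the temporary entry's source is narrowed to the telnetting
        host; without it the dynamic entry's own source (here `any`) is kept,
        so one login would open the hole for everybody."""
        for ace in self.aces:
            if ace["dynamic"]:
                tmp = dict(ace, timeout=timeout, last_seen=now)
                if host:
                    tmp["src"] = ipaddress.ip_network(src_ip + "/32")
                self.temp.append(tmp)

    def evaluate(self, now, proto, src, dst, dport=None):
        """Return 'permit' or 'deny' for a packet seen at time `now` (minutes)."""
        # Idle timeout: drop temporary entries that matched nothing for `timeout` minutes.
        self.temp = [t for t in self.temp if now - t["last_seen"] < t["timeout"]]
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if ace["dynamic"]:
                # Temporary entries are evaluated at the dynamic entry's position.
                for t in self.temp:
                    if _matches(t, proto, src, dst, dport):
                        t["last_seen"] = now  # matching traffic refreshes the idle timer
                        return "permit"
                continue
            if _matches(ace, proto, src, dst, dport):
                return ace["action"]
        return "deny"  # implicit deny at the end of every IOS ACL


def run_scenario(host=True):
    """Life of one lock-and-key session (constructed hosts); returns the decisions."""
    acl = LockAndKeyACL(ACL_101)
    inside, me, other = "192.168.1.10", "10.0.0.5", "10.0.0.9"
    out = {}
    out["telnet_to_router"] = acl.evaluate(0, "tcp", me, "1.1.1.1", 23)
    out["inside_before_login"] = acl.evaluate(0, "tcp", me, inside, 80)
    acl.access_enable(me, now=0, timeout=5, host=host)   # user logged in on vty 0-2
    out["inside_after_login"] = acl.evaluate(1, "tcp", me, inside, 80)
    out["other_host"] = acl.evaluate(1, "tcp", other, inside, 80)
    out["still_active"] = acl.evaluate(4, "tcp", me, inside, 80)   # idle 3 min
    out["after_idle_timeout"] = acl.evaluate(10, "tcp", me, inside, 80)  # idle 6 min
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:22s} {v}")
```

Run it as-is to see the permit/deny sequence for one authenticated host; call `run_scenario(host=False)` to see the second host permitted as well, which is why the `host` keyword belongs on the `autocommand` line in the quoted config.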



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:12 GMT-3