RE: Question about Lock and Key ACLs

From: tom cheung (tkc9789@xxxxxxxxxxx)
Date: Thu Apr 18 2002 - 13:45:17 GMT-3


   
It is 'access-enable'.

>From: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>
>Reply-To: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>
>To: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>, "'Hansang Bae'"
><hbae@nyc.rr.com>, ccielab@groupstudy.com
>Subject: RE: Question about Lock and Key ACLs
>Date: Thu, 18 Apr 2002 10:52:40 -0400
>
>This brings up another question. I remember reading somewhere that there
>is a command you can give on the autocommand or on the username password
>that will keep the user logged in to the telnet session instead of kicking
>them out immediately. Does anyone know how to do this?
>
>~-----Original Message-----
>~From: Lupi, Guy
>~Sent: Thursday, April 18, 2002 10:11 AM
>~To: 'Hansang Bae'; ccielab@groupstudy.com
>~Subject: RE: Question about Lock and Key ACLs
>~
>~
>~You can also do this in a different way. If you specify 2 usernames and
>~passwords, only giving one the autocommand function, then you will be able
>~to use one username and password for regular telnet, and one username and
>~password for the dynamic acl. Just figured I would throw it out there.
>~
>~~-----Original Message-----
>~~From: Hansang Bae [mailto:hbae@nyc.rr.com]
>~~Sent: Wednesday, April 17, 2002 8:37 PM
>~~To: ccielab@groupstudy.com
>~~Subject: Re: Question about Lock and Key ACLs
>~~
>~~
>~~At 03:10 PM 4/17/2002 -0700, Jaspreet Bhatia wrote:
>~~>[snip: Lock and Key]
>~~>Now my question is, is this the only method to do this? It does not
>~~>look like a very foolproof method to me. Is there a better method of
>~~>implementing lock and key ACL on a router and allowing telnet access
>~~>to it too at the same time?
>~~
>~~
>~~See the last paragraph.
>~~
>~~hsb
>~~
>~~
>~~
>~~From: Question 48
>~~Date: 02 February 2002
>~~Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my
>~~ ACL if someone authenticates to my router?
>~~Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>
>~~
>~~
>~~! local account used both for lock-and-key and for management logins
>~~username foobar password cisco
>~~!
>~~int s0
>~~ ip address 1.1.1.1 255.255.0.0
>~~ ip access-group 101 in
>~~! static entry: lets anyone reach the router's telnet port (or port 22 for ssh)
>~~access-list 101 permit tcp any host 1.1.1.1 eq telnet
>~~! dynamic entry: instantiated per authenticated source host by access-enable
>~~access-list 101 dynamic foobar permit ip any any
>~~!
>~~line vty 0 2
>~~ login local
>~~ autocommand access-enable host timeout 5
>~~! vty 3-4 are kept free of the autocommand for management (rotary port 3001)
>~~line vty 3 4
>~~ login local
>~~ rotary 1
>~~
>~~The first access list allows telnet into the router. Your users will
>~~telnet into the router and authenticate with username foobar and password
>~~"cisco".
>~~
>~~The router will then immediately disconnect the telnet session. When
>~~they successfully authenticate, an access list with their source IP will
>~~be added to the dynamic list. Basically, if they authenticate correctly,
>~~they can come in to the inside network. After 5 mins of inactivity the
>~~entry will be deleted from the access list.
>~~
>~~The vty 3 and 4 are using the rotary command so that you can telnet to
>~~your router with the command: "telnet 1.1.1.1 3001" This takes you to
>~~vty 3 (or 4). This way, you can telnet into the router and actually
>~~manage it. A very subtle but VERY important point. If you forget this,
>~~you'll be making a trip to use the console port.
>~~
>~~
>~~**************************************************************************



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:12 GMT-3