From: ccie_studying (ccie_studying@hotmail.com)
Date: Sun Apr 06 2003 - 22:30:25 GMT-3
I believe that you need to put autocommand under line vty.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#1001165
----- Original Message -----
From: "Jason Cash" <cash2001@swbell.net>
To: <ccielab@groupstudy.com>
Sent: Sunday, April 06, 2003 7:57 PM
Subject: Lock and Key - not working
> I am having difficulty in configuring lock and key security. I keep
> getting this error:
>
> 3550#telnet 172.168.60.1
> Trying 172.168.60.1 ... Open
>
>
> User Access Verification
>
> Username: ccie
> Password:
> List#106-telnet already contains this IP address pair
> [Connection to 172.168.60.1 closed by foreign host]
>
> The requirement is: Allow telnet access to hosts on R6's Ethernet
> segment if someone first authenticates against R6 via telnet. It
> should be simple, but the archive here left the question open. Here is
> the config:
>
> R6
> hostname r6
> !
> !
> username ccie password 0 cisco
> username ccie autocommand access-enable HOST timeout 5
> !
> ip subnet-zero
> no ip domain-lookup
> !
> interface Ethernet0
> ip address 172.168.60.1 255.255.255.0
> !
> interface Serial1
> bandwidth 64
> ip address 172.168.100.6 255.255.255.0
> ip access-group 106 in
> encapsulation frame-relay
> ip ospf network point-to-multipoint
> frame-relay interface-dlci 605
> !
> access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
> access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0
> 0.0.0.255 eq telnet log
> access-list 106 permit ip any any
> !
> line con 0
> session-timeout 120
> exec-timeout 60 0
> length 30
> line aux 0
> transport input all
> line vty 0 4
> login local
> !
> end
>
>
> Now I have tried just about everything on the dynamic list as well as on the
> autocommand, such as:
>
> access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
> access-list 106 dynamic telnet timeout 5 permit tcp any any
> access-list 106 permit ip any any
>
> username ccie autocommand access-enable timeout 5
>
> Upon logging in, I see the dynamic list created, but it WILL NOT LET ME
> IN:
> r6#sh access-list BEFORE TELNETTING (with host on autocommand)
> Extended IP access list 106
> permit tcp any 172.168.60.0 0.0.0.255 eq telnet (616 matches)
> Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
> permit ip any any (205 matches)
>
> r6#sh access-list AFTER TELNETTING (with host on autocommand)
> Extended IP access list 106
> permit tcp any 172.168.60.0 0.0.0.255 eq telnet (662 matches)
> Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
> permit tcp host 137.50.50.50 172.168.60.0 0.0.0.255 eq telnet log
> permit ip any any (205 matches)
>
>
> r6#sh access-list
> Extended IP access list 106 BEFORE TELNETTING
> permit tcp any 172.168.60.0 0.0.0.255 eq telnet (672 matches)
> Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
> permit ip any any (227 matches)
> r6#sh access-list
> Extended IP access list 106
> permit tcp any 172.168.60.0 0.0.0.255 eq telnet (716 matches)
> Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
> permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
> permit ip any any (227 matches)
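An added example, not from either poster: a small Python first-match model of ACL 106 in the order the quoted config lists it. It shows that the static `permit tcp any 172.168.60.0 0.0.0.255 eq telnet` line ahead of the dynamic entry already permits telnet to the segment before anyone authenticates (so the temporary entry is never the matching line), and that a repeated access-enable for a pair whose temporary entry still exists is refused. The `CORRECTED` ordering, the target host 172.168.60.7 and the entry-matching details are assumptions for illustration; the client address 137.50.50.50 is taken from the quoted show output.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("172.168.60.0/24")      # R6's Ethernet segment (quoted config)
ROUTER = ipaddress.ip_network("172.168.60.1/32")   # R6's Ethernet address
TELNET = 23

def ace(action, kind, src, dst, dport=None):
    # One entry; kind is "static", "dynamic" (the template) or "temp" (made by access-enable)
    return {"action": action, "kind": kind, "src": src, "dst": dst, "dport": dport}

class LockAndKeyACL:
    # Constructed first-match model of an IOS lock-and-key access list (assumed behaviour)
    def __init__(self, entries):
        self.entries = list(entries)

    def access_enable(self, src_host, host_only=True):
        # 'access-enable [host]': copy the dynamic template into a temporary entry right
        # after it; with 'host' the source is narrowed to the authenticated peer.
        for i, e in enumerate(self.entries):
            if e["kind"] == "dynamic":
                src = ipaddress.ip_network(src_host + "/32") if host_only else e["src"]
                temp = ace(e["action"], "temp", src, e["dst"], e["dport"])
                if temp in self.entries:          # same pair already present
                    return "already contains this IP address pair"
                self.entries.insert(i + 1, temp)
                return "created"

    def evaluate(self, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, e in enumerate(self.entries, 1):
            if e["kind"] == "dynamic":
                continue                          # the template itself never matches
            if s in e["src"] and d in e["dst"] and e["dport"] in (None, dport):
                return n, e["action"]
        return 0, "deny"                          # implicit deny at the end

# ACL 106 in the order the quoted config lists it
AS_POSTED = [ace("permit", "static", ANY, LAN, TELNET), ace("permit", "dynamic", ANY, LAN, TELNET),
             ace("permit", "static", ANY, ANY)]
# Assumed corrected ordering: only telnet to the router is open before authentication,
# telnet to the rest of the segment is denied until the temporary entry exists.
CORRECTED = [ace("permit", "static", ANY, ROUTER, TELNET), ace("permit", "dynamic", ANY, LAN, TELNET),
             ace("deny", "static", ANY, LAN, TELNET), ace("permit", "static", ANY, ANY)]

def walk(entries, client="137.50.50.50", host="172.168.60.7"):
    # Verdict before authentication, after access-enable, and result of a repeated access-enable
    acl = LockAndKeyACL(entries)
    before = acl.evaluate(client, host, TELNET)
    acl.access_enable(client)
    return before, acl.evaluate(client, host, TELNET), acl.access_enable(client)
```

`walk(AS_POSTED)` is permitted by line 1 both before and after authentication, while `walk(CORRECTED)` is denied by line 3 until the temporary entry is created.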
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:47 GMT-3