From: Brian Dennis (brian@5g.net)
Date: Sun Apr 06 2003 - 22:15:42 GMT-3
The router is telling you that the dynamic access-list is already
active. You just need to clear it using the "clear access-template"
command. See example below.
Rack1R1#telnet 10.1.1.2
Trying ... Open
User Access Verification
Password:
[Connection closed by foreign host]
Rack1R1#telnet 10.1.1.2
Trying ... Open
User Access Verification
Password:
List#100-LandK already contains this IP address pair
[Connection closed by foreign host]
Rack1R1#
Rack1AS#2
[Resuming connection 2 to r2 ... ]
Rack1R2#sho access-list
Extended IP access list 100
permit tcp any any eq telnet (124 matches)
Dynamic LandK permit icmp any any
permit icmp host 10.1.1.1 any (time left 282)
Rack1R2#clear access-template 100 LandK host 10.1.1.1 any
Rack1R2#
Rack1AS#1
[Resuming connection 1 to r1 ... ]
Rack1R1#telnet 10.1.1.2
Trying ... Open
User Access Verification
Password:
[Connection closed by foreign host]
Rack1R1#
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Sunday, April 06, 2003 4:58 PM
To: ccielab@groupstudy.com
Subject: Lock and Key - not working
I am having difficulty in configuring lock and key security. I keep
getting this error:
3550#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
User Access Verification
Username: ccie
Password:
List#106-telnet already contains this IP address pair
[Connection to 172.168.60.1 closed by foreign host]
The requirement is: Allow telnet access to hosts on R6's Ethernet
segment if someone first authenticates against R6 via telnet. It
should be simple, but the archive here left the question open. Here is
the config:
R6
hostname r6
!
!
username ccie password 0 cisco
username ccie autocommand access-enable HOST timeout 5
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
ip address 172.168.60.1 255.255.255.0
!
interface Serial1
bandwidth 64
ip address 172.168.100.6 255.255.255.0
ip access-group 106 in
encapsulation frame-relay
ip ospf network point-to-multipoint
frame-relay interface-dlci 605
!
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0
0.0.0.255 eq telnet log
access-list 106 permit ip any any
!
line con 0
session-timeout 120
exec-timeout 60 0
length 30
line aux 0
transport input all
line vty 0 4
login local
!
end
Now I have tried just about everything on the dynamic list as well as on the
autocommand, such as:
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any any
access-list 106 permit ip any any
username ccie autocommand access-enable timeout 5
Upon logging in, I see the dynamic list created, but it WILL NOT LET ME
IN:
BEFORE TELNETTING (with host on autocommand):
r6#sh access-list
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (616 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (205 matches)
AFTER TELNETTING (with host on autocommand):
r6#sh access-list
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (662 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit tcp host 137.50.50.50 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (205 matches)
BEFORE TELNETTING:
r6#sh access-list
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (672 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (227 matches)
r6#sh access-list
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (716 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (227 matches)
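As an added example (not code from either post), the script below parses "show access-list" output like Brian's and Jason's above, pulls out the temporary entries that access-enable created under each Dynamic template, and prints the "clear access-template <acl> <name> <source> <destination>" command Brian used to remove each one. The sample output is constructed from the two posts and assumes the indentation IOS actually prints (temporary entries indented deeper than the Dynamic line that owns them), which the archive copy has stripped; the parser relies on that indentation, so a flattened copy such as the one above would need it restored before feeding it in.

```python
"""List lock-and-key temporary entries from 'show access-list' output and
build the 'clear access-template' command that removes each one."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the two posts in this thread. Assumption:
# IOS indents temporary entries deeper than their Dynamic line; the archive
# copy lost that indentation, so it is restored here.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 100
    permit tcp any any eq telnet (124 matches)
    Dynamic LandK permit icmp any any
       permit icmp host 10.1.1.1 any (time left 282)
Extended IP access list 106
    permit tcp any 172.168.60.0 0.0.0.255 eq telnet (662 matches)
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
       permit tcp host 137.50.50.50 172.168.60.0 0.0.0.255 eq telnet log
    permit ip any any (205 matches)
"""

ACL_HEADER = re.compile(r"^\s*(?:Extended|Standard) IP access list (\S+)")
DYNAMIC_LINE = re.compile(r"^(\s*)Dynamic (\S+) (?:permit|deny) ")
TIME_LEFT = re.compile(r"\(time left (\d+)\)")
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}


@dataclass
class TempEntry:
    acl: str            # ACL number or name the entry lives in
    dynamic_name: str   # name of the Dynamic template that created it
    source: str         # 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'
    destination: str
    time_left: Optional[int]  # seconds, when IOS prints '(time left N)'


def _take_address(tokens: List[str]) -> str:
    """Consume one ACE address ('any', 'host X', or 'addr wildcard') and
    skip any port operator that follows it (eq 23, range 20 21, ...)."""
    first = tokens.pop(0)
    if first == "any":
        addr = "any"
    elif first == "host":
        addr = f"host {tokens.pop(0)}"
    else:
        addr = f"{first} {tokens.pop(0)}"
    while tokens and tokens[0] in PORT_OPS:
        del tokens[: PORT_OPS[tokens[0]]]
    return addr


def parse_temp_entries(show_output: str) -> List[TempEntry]:
    """Return the temporary (access-enable created) entries in the output."""
    entries: List[TempEntry] = []
    acl = None
    dynamic = None  # (template name, indent) of the Dynamic line in scope
    for raw in show_output.splitlines():
        if not raw.strip():
            continue
        m = ACL_HEADER.match(raw)
        if m:
            acl, dynamic = m.group(1), None
            continue
        m = DYNAMIC_LINE.match(raw)
        if m:
            dynamic = (m.group(2), len(m.group(1)))
            continue
        indent = len(raw) - len(raw.lstrip())
        # A line at or above the Dynamic line's indent is a static ACE again.
        if dynamic is None or indent <= dynamic[1]:
            dynamic = None
            continue
        tokens = raw.split()
        if tokens[0] not in ("permit", "deny"):
            continue
        tokens = tokens[2:]  # drop action and protocol
        src = _take_address(tokens)
        dst = _take_address(tokens)
        tl = TIME_LEFT.search(raw)
        entries.append(TempEntry(acl, dynamic[0], src, dst,
                                 int(tl.group(1)) if tl else None))
    return entries


def clear_commands(entries: List[TempEntry]) -> List[str]:
    """One 'clear access-template' per temporary entry, in Brian's form."""
    return [f"clear access-template {e.acl} {e.dynamic_name} "
            f"{e.source} {e.destination}" for e in entries]


if __name__ == "__main__":
    for cmd in clear_commands(parse_temp_entries(SAMPLE_SHOW_ACCESS_LIST)):
        print(cmd)
```

Entries that carry a "(time left N)" figure will expire on their own; the ones without it (as in Jason's outputs) are worth clearing explicitly before re-testing, otherwise the next login reports that the list "already contains this IP address pair" until the dynamic timeout runs out.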
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:47 GMT-3