From: Jason Cash (cash2001@swbell.net)
Date: Sun Apr 06 2003 - 23:53:13 GMT-3
Well, I tried every which way! Can you post the working config with a
captured telnet session working? I can figure it out with the answer,
but I am not sure what is causing it to fail...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Charles Church
Sent: Sunday, April 06, 2003 8:21 PM
To: Jason Cash; ccielab@groupstudy.com
Subject: RE: Lock and Key - not working
Jason,
You're attempting to grant a dynamic ACL allowing telnet to the
172.168.60/24, but your ACL 106 already permits that. Try setting the
first 106 line to allow telnet to only 172.168.100.6, and then see if it
works. If it doesn't work, you may need to get rid of the permit IP any
any at the end.
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 585-233-2706
cchurch@wamnet.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason Cash
Sent: Sunday, April 06, 2003 7:58 PM
To: ccielab@groupstudy.com
Subject: Lock and Key - not working
I am having difficulty in configuring lock and key security. I keep
getting this error:
3550#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
User Access Verification
Username: ccie
Password:
List#106-telnet already contains this IP address pair [Connection to
172.168.60.1 closed by foreign host]
The requirement is: Allow telnet access to hosts on R6's Ethernet
segment if someone first authenticates against R6 via telnet. It
should be simple, but the archive here left the question open. Here is
the config:
R6
hostname r6
!
!
username ccie password 0 cisco
username ccie autocommand access-enable HOST timeout 5
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
ip address 172.168.60.1 255.255.255.0
!
interface Serial1
bandwidth 64
ip address 172.168.100.6 255.255.255.0
ip access-group 106 in
encapsulation frame-relay
ip ospf network point-to-multipoint
frame-relay interface-dlci 605
!
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
access-list 106 permit ip any any
!
line con 0
 session-timeout 120
 exec-timeout 60 0
 length 30
line aux 0
 transport input all
line vty 0 4
 login local
!
end
Now I have tried just about everything on the dynamic list as well as on the
autocommand, such as:
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any any
access-list 106 permit ip any any
username ccie autocommand access-enable timeout 5
Upon logging in, I see the dynamic list created, but it WILL NOT LET ME
IN:
r6#sh access-list BEFORE TELNETTING (with host on autocommand)
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (616 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (205 matches)
r6#sh access-list AFTER TELNETTING (with host on autocommand)
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (662 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit tcp host 137.50.50.50 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (205 matches)
r6#sh access-list BEFORE TELNETTING (without host on autocommand)
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (672 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (227 matches)
r6#sh access-list
Extended IP access list 106
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (716 matches)
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
permit ip any any (227 matches)
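Chuck's suggestion applied to the R6 config above, as an added example that is not part of either post. The ordering of the statements and the OSPF permit (needed because Serial1 runs OSPF and the ACL is applied inbound there) are the editor's assumptions, not something either author wrote.

```cisco
! Added example: lock-and-key on R6 with the static shadowing removed.
! Not from the original posts; ordering and the OSPF line are assumptions.
username ccie password 0 cisco
username ccie autocommand access-enable host timeout 5
!
! First line only lets an outside host reach R6 itself (the Serial1 address)
! in order to authenticate. It no longer permits telnet to 172.168.60.0/24,
! so that traffic can only match the per-host temporary entry that
! access-enable creates under the dynamic line.
access-list 106 permit tcp any host 172.168.100.6 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
! Serial1 runs OSPF; an inbound ACL with no OSPF permit would drop the hellos.
access-list 106 permit ospf any any
! No trailing "permit ip any any": with it, telnet to the segment is permitted
! statically on every attempt and the dynamic entry never has to match.
!
interface Serial1
 ip address 172.168.100.6 255.255.255.0
 ip access-group 106 in
!
line vty 0 4
 login local
```

Authenticate by telnetting to 172.168.100.6 rather than to the Ethernet address; after the autocommand closes the session, `show access-lists 106` should list a temporary `permit tcp host <source> 172.168.60.0 0.0.0.255 eq telnet log` entry under the dynamic line, and telnet to the segment should now match that entry instead of a static one.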
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:48 GMT-3