From: Brian Dennis (brian@5g.net)
Date: Mon Apr 07 2003 - 00:01:54 GMT-3
Are you thinking you'll be able to log in to the router after the
dynamic access-list is applied? You'll never be able to log in to the
router to do anything, because every time you log in to the router the
autocommand will be executed and then you will be logged off the router.

You should change your access-list to something like this for testing:

  access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
  access-list 106 dynamic ICMP timeout 5 permit icmp any any
  access-list 106 deny ip any any

After you log in and authenticate, the autocommand will activate the
dynamic access-list. Then you should be able to ping.

Lastly, your current access-list really isn't doing anything since you
have "permit ip any any" last.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Sunday, April 06, 2003 7:46 PM
To: 'Brian Dennis'
Cc: ccielab@groupstudy.com
Subject: RE: Lock and Key - not working
Hey Brian, I tried clearing the access-template, to no avail:
r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
User Access Verification
Username: ccie
Password:
[Connection to 172.168.60.1 closed by foreign host]
r6#sh access-list 106
Extended IP access list 106
permit tcp any host 172.168.100.6 eq telnet
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet
permit ip any any (1 match)
r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
User Access Verification
Username: ccie
Password:
List#106-telnet already contains this IP address pair
[Connection to 172.168.60.1 closed by foreign host]
r6#sh access-list 106
Extended IP access list 106
permit tcp any host 172.168.100.6 eq telnet
Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet
permit tcp any 172.168.60.0 0.0.0.255 eq telnet (4 matches) (time left 296)
permit ip any any (37 matches)
r6#clear access-template 106 telnet any 172.168.60.0 0.0.0.255
r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
User Access Verification
Username: ccie
Password:
[Connection to 172.168.60.1 closed by foreign host]
Did I do it in the right order?
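
An added illustration, not part of the original thread: a small Python model of first-match ACL evaluation, applied to access-list 106 as it appears in the quoted "sh access-list 106" output and as suggested in the reply. The tuple layout, the function names and the source address 172.168.30.3 are assumptions made for this example, and the temporary entry is modelled as a plain copy of the dynamic template.

```python
import ipaddress

def addr_match(spec, addr):
    """IOS-style match: spec is 'any' or a (network, wildcard) pair."""
    if spec == "any":
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, packet, active=()):
    """First-match evaluation; returns 'permit' or 'deny'.

    Entries are (action, proto, src, dst, dport, dynamic_name). A dynamic
    entry is only a template: it is skipped unless its name is in `active`,
    i.e. unless the autocommand has created the temporary entry.
    """
    proto, src, dst, dport = packet
    for action, a_proto, a_src, a_dst, a_port, dyn in acl:
        if dyn is not None and dyn not in active:
            continue
        if a_proto not in ("ip", proto):
            continue
        if a_port is not None and a_port != dport:
            continue
        if addr_match(a_src, src) and addr_match(a_dst, dst):
            return action
    return "deny"  # implicit deny that ends every ACL

NET60 = ("172.168.60.0", "0.0.0.255")
HOST6 = ("172.168.100.6", "0.0.0.0")
# access-list 106 as shown by "sh access-list 106" in the quoted message
ORIGINAL_106 = [
    ("permit", "tcp", "any", HOST6, 23, None),
    ("permit", "tcp", "any", NET60, 23, "telnet"),
    ("permit", "ip", "any", "any", None, None),
]
# access-list 106 as suggested in the reply
SUGGESTED_106 = [
    ("permit", "tcp", "any", NET60, 23, None),
    ("permit", "icmp", "any", "any", None, "ICMP"),
    ("deny", "ip", "any", "any", None, None),
]
# Constructed packets; the source 172.168.30.3 is an assumed address
PING = ("icmp", "172.168.30.3", "172.168.60.1", None)
TELNET = ("tcp", "172.168.30.3", "172.168.60.1", 23)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_106), ("suggested", SUGGESTED_106)):
        print(name, "ping before auth:", evaluate(acl, PING))
```

With the original list the ping is permitted before any authentication because the trailing "permit ip any any" matches it; with the suggested list it is denied until the ICMP dynamic entry is active.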