RE: Lock and Key - not working

From: Jason Cash (cash2001@swbell.net)
Date: Mon Apr 07 2003 - 00:10:49 GMT-3


Well, I have the permit ip any any at the end, to allow ospf to keep the
adj. up. I guess it is a bit much and I should just permit ospf any any
instead.
The requirement was to allow telnet to hosts on r6's ethernet segment if
someone auth. to r6 via telnet.

I guess that is what's happening...it then creates the access-list to
allow telnet to that segment! I misunderstood then what was being
asked. Theoretically then, after telnetting and authenticating, I
should be able to telnet to hosts on that segment.

Thanks for the clarification...

-----Original Message-----
From: Brian Dennis [mailto:brian@5g.net]
Sent: Sunday, April 06, 2003 10:02 PM
To: 'Jason Cash'
Cc: ccielab@groupstudy.com
Subject: RE: Lock and Key - not working

Are you thinking you'll be able to login into the router after the
dynamic access-list is applied? You'll never be able to login to the
router to do anything because every time you login to the router the
autocommand will be executed and then you will be logged off the router.
You should change your access-list to something like this for testing:

access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic ICMP timeout 5 permit icmp any any
access-list 106 deny ip any any

After you login and authenticate the autocommand will activate the
dynamic access-list. Then you should be able to ping.

Lastly your current access-list really isn't doing anything since you
have "permit ip any any" last.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924

-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: Sunday, April 06, 2003 7:46 PM
To: 'Brian Dennis'
Cc: ccielab@groupstudy.com
Subject: RE: Lock and Key - not working

Hey Brian, I tried clearing the access-template, to no avail:

r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open

User Access Verification
Username: ccie
Password:
[Connection to 172.168.60.1 closed by foreign host]

r6#sh access-list 106
Extended IP access list 106
    permit tcp any host 172.168.100.6 eq telnet
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet
    permit ip any any (1 match)

r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open

User Access Verification

Username: ccie
Password:
List#106-telnet already contains this IP address pair
[Connection to 172.168.60.1 closed by foreign host]

r6#sh access-list 106
Extended IP access list 106
    permit tcp any host 172.168.100.6 eq telnet
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet
      permit tcp any 172.168.60.0 0.0.0.255 eq telnet (4 matches) (time left 296)
    permit ip any any (37 matches)
r6#clear access-template 106 telnet any 172.168.60.0 0.0.0.255

r3#telnet 172.168.60.1
Trying 172.168.60.1 ... Open

User Access Verification

Username: ccie
Password:
[Connection to 172.168.60.1 closed by foreign host]

Did I do it in the right order?
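The behaviour the thread describes, as an added Python model that is not part of the thread: a first-match evaluator over access-list 106 with a lock-and-key template entry, and an access_enable() step standing in for the vty autocommand `access-enable host`. It contrasts the list as Jason posted it (the trailing "permit ip any any" permits the telnet before anyone authenticates) with a list that keeps OSPF explicitly and denies the rest; r3's source address is a constructed value, since the thread does not give it.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional
@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "ospf", ...
    src: str                       # "any" or a CIDR prefix
    dst: str                       # "any" or a CIDR prefix
    dport: Optional[int] = None    # destination port; None means no port match
    dynamic: Optional[str] = None  # name on the lock-and-key template entry

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First match wins; a packet that matches nothing hits the implicit deny."""
    for e in acl:
        if e.dynamic or e.proto not in ("ip", proto):  # template never matches traffic
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _in(src, e.src) and _in(dst, e.dst):
            return e.action
    return "deny"

def access_enable(acl: List[Entry], name: str, src_host: str) -> str:
    """Model of the vty autocommand `access-enable host`: copy the named template
    into a temporary entry bound to the host that just authenticated."""
    for i, e in enumerate(acl):
        if e.dynamic == name:
            temp = Entry(e.action, e.proto, src_host + "/32", e.dst, e.dport)
            if temp in acl:  # what IOS reports on a second login from the same host
                return "already contains this IP address pair"
            acl.insert(i + 1, temp)
            return "enabled"
    raise KeyError(name)

def fresh(acl: List[Entry]) -> List[Entry]:
    return [replace(e) for e in acl]  # working copy so access_enable() does not mutate the constants

# Jason's list as posted: the trailing "permit ip any any" makes the dynamic entry moot.
AS_POSTED = [Entry("permit", "tcp", "any", "172.168.100.6/32", 23),
             Entry("permit", "tcp", "any", "172.168.60.0/24", 23, dynamic="telnet"),
             Entry("permit", "ip", "any", "any")]
# Corrected per the thread: permit OSPF explicitly, deny the rest until lock-and-key opens the hole.
CORRECTED = [Entry("permit", "tcp", "any", "172.168.100.6/32", 23),
             Entry("permit", "ospf", "any", "any"),
             Entry("permit", "tcp", "any", "172.168.60.0/24", 23, dynamic="telnet"),
             Entry("deny", "ip", "any", "any")]
R3 = "172.168.36.3"  # constructed source address for r3; the thread does not give it
```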



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:48 GMT-3