From: Jonathan Hays (nomad@gfoyle.org)
Date: Wed Jan 07 2004 - 08:26:42 GMT-3
dt,
Comments inline.
you wrote:
>Hi guys,
>
>I'm having problems getting this to work properly and I have 2 questions about this.
>
>1) When using local authentication, does the name in the "username xxxx password yyyy" need to match the name in the dynamic access list entry? If it does, doesn't that create problems in that everyone must use the same name/password combo? (I understand that only 1 dynamic entry should be used when creating dynamic access lists.)
= = =
There are two ways (that I know of) to configure the autocommand
command.
Method 1.
Under "line vty" which means it applies to everyone (as in your config).
To get around this problem, do this:
line vty 0 2
 password cisco
 login local
 ! applies to everyone who lands on vty 0-2: the session is closed as soon
 ! as access-enable has installed the temporary entry
 autocommand access-enable timeout 3
line vty 3 4
 login local
 ! rotary group 1 makes vty 3-4 reachable on TCP port 3001 (3000 + group)
 rotary 1
You would also configure a different username and password for the
admin. The admin would then be able to telnet into the router using port
3001 ("telnet 10.1.1.1 3001"), give the admin username and password,
effectively bypassing the dynamic access list.
Method 2.
Just below the username definition, as in:
username ccie password cisco
! bound to the user rather than the line, so only ccie triggers access-enable
username ccie autocommand access-enable timeout 5
In this case, the autocommand will only be executed for user ccie, not
everyone.
>
>2) Does the dynamic access list have to explicitly permit icmp in order for ping to work?
>
>I have the following config:
>
>username test password ccie
>
>int s2
>ip addr x.x.x.x m.m.m.m
>ip access-group 100 in
>
>access-list 100 permit tcp any host 172.16.32.3 eq telnet
>access-list 100 dynamic test permit ip any 172.16.136.0 0.0.0.255
>
>line vty 0 4
>password cisco
>login local
>autocommand access-enable timeout 3
>
>What happens is this. When I telnet to the ip addr above, I get challenged to enter a name and password and then I get (as I should) a message like "session closed by foreign host". But, then when I try to ping a host on subnet 172.16.136.0, I get U.U.U
>
>Shouldn't I be able to ping with the above config?
>
>Thanks in advance, dt
Are you absolutely sure you are pinging a host on 172.16.136.0 and not
the 172.16.136.0 router interface on the same router that the dynamic ACLs
are configured on? Once you have authenticated, access will only be given
to an external device (not the "dynamic ACL" router itself).
HTH,
Jonathan
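Putting Jonathan's Method 2 together with dt's addresses, as an added example that is not part of either message: the admin username, its secret, the timeout values and the interface addressing (omitted here) are assumptions; the interface, ACL number, dynamic-list name and 172.16.x addresses are dt's. It also adds the `host` keyword on `access-enable`, which neither message uses, because without it the temporary entry is installed with the source "any" exactly as written in the dynamic line.

```cisco
! Added example, not from the original thread. Serial2, access-list 100,
! the dynamic-list name "test", 172.16.32.3 and 172.16.136.0/24 are dt's;
! the admin user, the secret and the timeouts are assumed values.
!
! Lock-and-key user. The autocommand hangs off the username (Method 2),
! so the vty lines themselves carry no autocommand.
username test password ccie
username test autocommand access-enable host timeout 5
!   "host" rewrites the source of the temporary entry to the address the
!   user telnetted from. Without it the entry is created as
!   "permit ip any 172.16.136.0 0.0.0.255" and any source can use it until
!   it times out. "timeout 5" is the idle timeout in minutes.
!
! Admin user (assumed name and secret): no autocommand, so the login
! drops into a normal exec instead of being closed.
username admin privilege 15 secret Adm1n-example-only
!
! Telnet to the router must be permitted so users can reach the login
! prompt; the dynamic entry does nothing until access-enable fires.
! "timeout 10" is the absolute lifetime of the temporary entry in minutes.
! The name after "dynamic" names the dynamic list; it does not have to
! match a username.
access-list 100 permit tcp any host 172.16.32.3 eq telnet
access-list 100 dynamic test timeout 10 permit ip any 172.16.136.0 0.0.0.255
!
interface Serial2
 ip access-group 100 in
!
line vty 0 4
 login local
!
! After a user has authenticated, the temporary entry is listed beneath the
! dynamic line:
!   show access-lists 100
```

Because the dynamic line is "permit ip", ICMP is covered once the temporary entry exists; no separate icmp permit is needed for ping to a host behind Serial2.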
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3