Re: Lock and Key (Dynamic Access Lists)

From: Kimberly Whittaker (kmbrwhit@starband.net)
Date: Thu Jan 08 2004 - 12:30:30 GMT-3


Jonathan,

If you use method 1, how would you change the ACL to allow "telnet 10.1.1.1
3001"?

When I try "telnet 10.1.1.1 3001" it is blocked by the ACL used to set up lock
and key.

----- Original Message -----
From: "Jonathan Hays" <nomad@gfoyle.org>
To: <ccielab@groupstudy.com>
Sent: Wednesday, January 07, 2004 5:26 AM
Subject: RE: Lock and Key (Dynamic Access Lists)

> dt,
>
> Comments inline.
>
> you wrote:
>
> >Hi guys,
> >
> >I'm having problems getting this to work properly and I have 2
> >questions about this.
> >
> >1) When using local authentication, does the name in the username xxxx
> >password yyyy need to match the name in the dynamic access list entry?
> >If it does, doesn't that create problems in that everyone must use the
> >same name/password combo? (I understand that only 1 dynamic entry should
> >be used when creating dynamic access lists.)
>
> = = =
>
> There are two ways (that I know of) to configure the autocommand
> command.
>
> Method 1.
>
> Under "line vty" which means it applies to everyone (as in your config).
>
> To get around this problem, do this:
>
> line vty 0 2
> password cisco
> login local
> autocommand access-enable timeout 3
> line vty 3 4
> login local
> rotary 1
>
> You would also configure a different username and password for the
> admin. The admin would then be able to telnet into the router using port
> 3001 ("telnet 10.1.1.1 3001"), give the admin username and password,
> effectively bypassing the dynamic access list.
>
> Method 2.
>
> Just below the username definition, as in:
>
> username ccie password cisco
> username ccie autocommand access-enable timeout 5
>
> In this case, the autocommand will only be executed for user ccie, not
> everyone.
>
>
> >
> >2) Does the dynamic access list have to explicitly permit icmp in order
> >for ping to work?
> >
> >I have the following config:
> >
> >username test password ccie
> >
> >int s2
> >ip addr x.x.x.x m.m.m.m
> >ip access-group 100 in
> >
> >access-list 100 permit tcp any host 172.16.32.3 eq telnet
> >access-list 100 dynamic test permit ip any 172.16.136.0 0.0.0.255
> >
> >line vty 0 4
> >password cisco
> >login local
> >autocommand access-enable timeout 3
> >
> >What happens is this. When I telnet to the ip addr above, I get
> >challenged to enter a name and password and then I get (as I should) a
> >message like "session closed by foreign host". But then when I try to
> >ping a host on subnet 172.16.136.0, I get U.U.U
> >
> >Shouldn't I be able to ping with the above config?
> >
> >Thanks in advance, dt
>
>
> Are you absolutely sure you are pinging a host on 172.16.136.0 and not
> the 172.16.136.0 router interface on the same router that dynamic ACLs
> are configured on? Once you have authenticated, access will only be given
> to an external device (not the "dynamic ACL" router itself).
>
> HTH,
>
> Jonathan
>
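The Method 1 layout Jonathan describes (autocommand on the shared vty lines, a separate rotary vty for the admin), written out as one complete lock-and-key configuration. This is an added example, not a configuration posted in the thread. It reuses dt's addresses (172.16.32.3 is assumed to be the router's Serial2 address, 172.16.136.0/24 the protected subnet), assumes the inbound ACL on Serial2 is what blocks the admin's port-3001 session, and therefore carries a separate permit for TCP 3001 next to the telnet permit. The subnet mask and passwords are placeholders.

```cisco
! Lock-and-key (dynamic ACL), Method 1: the autocommand is on the vty lines,
! so every normal user runs it; the admin uses a separate rotary vty instead.
! Added example. Addresses come from dt's config; mask and passwords are
! placeholders.
!
! Per-user accounts. "secret" stores a salted hash rather than a reversible
! type-7 password; "privilege 15" drops the admin straight into level-15 exec.
username ccie secret <USER-PASSWORD-PLACEHOLDER>
username admin privilege 15 secret <ADMIN-PASSWORD-PLACEHOLDER>
!
interface Serial2
 ip address 172.16.32.3 255.255.255.0
 ip access-group 100 in
!
! Static entries are evaluated top-down, and the dynamic entry is inactive
! until someone runs access-enable. Both the Telnet port and the rotary port
! (rotary 1 listens on TCP 3001) must be permitted here; otherwise the
! admin's session to 3001 hits the implicit deny at the end of the list,
! which is the symptom Kimberly reports.
access-list 100 permit tcp any host 172.16.32.3 eq telnet
access-list 100 permit tcp any host 172.16.32.3 eq 3001
! "timeout 10" is the absolute lifetime of the opened entry in minutes; the
! idle timeout is the one given to access-enable on the vty below.
access-list 100 dynamic test timeout 10 permit ip any 172.16.136.0 0.0.0.255
!
! Normal users: vty 0-2 authenticate against the local database, run
! access-enable, and are disconnected. The "host" keyword replaces "any" in
! the opened entry with the authenticated user's source address; without it
! the opened entry admits every source until it times out.
line vty 0 2
 login local
 autocommand access-enable host timeout 3
!
! Admin: vty 3-4 are reachable on TCP 3001 via "rotary 1" and carry no
! autocommand, so the admin lands in a normal exec session.
line vty 3 4
 login local
 rotary 1
!
! Method 2, for comparison: attach the autocommand to the user instead of
! the line, so only that account triggers access-enable and the admin may
! use any vty. Use one method or the other, not both.
! username ccie autocommand access-enable host timeout 3
!
! As Jonathan notes, the opened entry only permits traffic through the
! router to 172.16.136.0/24; pinging the router's own interface on that
! subnet is not what the dynamic entry grants.
```

Verify the result with "show access-lists 100" after a user has authenticated: the dynamic entry should show as active with the user's source address when "host" was given, and with "any" when it was not.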



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3