From: Kimberly Whittaker (kmbrwhit@starband.net)
Date: Thu Jan 08 2004 - 12:48:51 GMT-3
access-list 100 permit tcp any any eq 3001
----- Original Message -----
From: "Kimberly Whittaker" <kmbrwhit@starband.net>
To: "Jonathan Hays" <nomad@gfoyle.org>; <ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 9:30 AM
Subject: Re: Lock and Key (Dynamic Access Lists)
> Jonathan,
>
> if you use method 1, how would you change the ACL to allow telnet 10.1.1.1
> 3001?
>
> when I try telnet 10.1.1.1 3001 it is blocked by the ACL used to set up
> lock and key
>
>
> ----- Original Message -----
> From: "Jonathan Hays" <nomad@gfoyle.org>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, January 07, 2004 5:26 AM
> Subject: RE: Lock and Key (Dynamic Access Lists)
>
>
> > dt,
> >
> > Comments inline.
> >
> > you wrote:
> >
> > >Hi guys,
> > >
> > >I'm having problems getting this to work properly and I have 2
> > >questions about
> > >this.
> > >
> > >1) When using local authentication, does the name in the username xxxx
> > >password yyyy need to match the name in the dynamic access
> > >list entry? If it
> > >does, doesn't that create problems in that everyone must use
> > >the same name
> > >password combo? ( I understand that only 1 dynamic entry
> > >should be used when
> > >creating dynamic access lists.)
> >
> > = = =
> >
> > There are two ways (that I know of) to configure the autocommand
> > command.
> >
> > Method 1.
> >
> > Under "line vty" which means it applies to everyone (as in your config).
> >
> > To get around this problem, do this:
> >
> > line vty 0 2
> > password cisco
> > login local
> > autocommand access-enable timeout 3
> > line vty 3 4
> > login local
> > rotary 1
> >
> > You would also configure a different username and password for the
> > admin. The admin would then be able to telnet into the router using port
> > 3001 ("telnet 10.1.1.1 3001"), give the admin username and password,
> > effectively bypassing the dynamic access list.
> >
> > Method 2.
> >
> > Just below the username definition, as in:
> >
> > username ccie password cisco
> > username ccie autocommand access-enable timeout 5
> >
> > In this case, the autocommand will only be executed for user ccie, not
> > everyone.
> >
> >
> > >
> > >2) Does the dynamic access list have to explicitly permit
> > >icmp in order for
> > >ping to work?
> > >
> > >I have the following config:
> > >
> > >username test password ccie
> > >
> > >int s2
> > >ip addr x.x.x.x m.m.m.m
> > >ip access-group 100 in
> > >
> > >access-list 100 permit tcp any host 172.16.32.3 eq telnet
> > >access-list 100 dynamic test permit ip any 172.16.136.0 0.0.0.255
> > >
> > >line vty 0 4
> > >password cisco
> > >login local
> > >autocommand access-enable timeout 3
> > >
> > >What happens is this. When I telnet to the ip addr above, I
> > >get challenged to
> > >enter a name and password and then I get (as I should) a
> > >message like "session
> > >closed by foreign host". But, then when I try to ping a host on subnet
> > >172.16.136.0, I get U.U.U
> > >
> > >Shouldn't I be able to ping with the above config?
> > >
> > >Thanks in advance, dt
> >
> >
> > Are you absolutely sure you are pinging a host on 172.16.136.0 and not
> > the 172.16.136.0 router interface on the same router that dynamic ACLs
> > are configured on? Once you have authenticated, access will only be given
> > to an external device (not the "dynamic ACL" router itself).
> >
> > HTH,
> >
> > Jonathan
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
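As an added illustration (not part of this thread, and not Cisco's code), the following Python model simulates how a lock-and-key access list evaluates packets: the static `permit tcp any host 172.16.32.3 eq telnet` line, a dynamic entry that stays inactive until `access-enable` runs from an authenticated Telnet session, the absolute timeout, and the difference the `host` keyword makes (every `autocommand` line in this thread omits it, so one login opens the dynamic entry for the configured source, which is `any`). The hosts 10.1.1.50 and 10.1.1.51 and the target 172.16.136.10 are constructed values; the ACL lines are the ones quoted in the thread, with the `eq 3001` line from the top of the message added in the second variant. It is a simplification: no idle timeout, no limit on dynamic entries, and no modelling of traffic destined to the router itself.

```python
"""Toy model of a Cisco IOS lock-and-key (dynamic) access list.

Constructed for illustration only; it is not IOS code and it simplifies
the real feature (no idle timeout, one dynamic entry, IPv4 only).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

TELNET = 23
ANY = IPv4Network("0.0.0.0/0")


@dataclass
class Entry:
    proto: str                       # "ip", "tcp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None      # TCP destination port, None = any
    dynamic: bool = False            # lock-and-key entry: inactive until enabled
    enabled_until: float = 0.0       # absolute time at which the dynamic entry expires
    enabled_src: Optional[IPv4Network] = None  # source substituted by 'access-enable host'

    def active(self, now: float) -> bool:
        return not self.dynamic or now < self.enabled_until

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address,
                dport: Optional[int], now: float) -> bool:
        if not self.active(now):
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        # With the host keyword the entry is opened only for the authenticated host;
        # without it the configured source ('any' in the thread) is used.
        src_net = self.enabled_src if (self.dynamic and self.enabled_src) else self.src
        if src not in src_net or dst not in self.dst:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


class LockAndKeyACL:
    def __init__(self, entries, now: float = 0.0):
        self.entries = entries
        self.now = now

    def permits(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
        """Evaluate one packet against the ACL; anything unmatched hits the implicit deny."""
        s, d = IPv4Address(src), IPv4Address(dst)
        return any(e.matches(proto, s, d, dport, self.now) for e in self.entries)

    def access_enable(self, src: str, timeout_min: int, host: bool = True) -> None:
        """Model 'autocommand access-enable [host] timeout N' being run by a
        successfully authenticated Telnet session that originated at src."""
        for e in self.entries:
            if e.dynamic:
                e.enabled_src = IPv4Network(f"{src}/32") if host else None
                e.enabled_until = self.now + timeout_min * 60

    def advance(self, seconds: float) -> None:
        self.now += seconds


def build_acl(permit_rotary_port: bool = False) -> LockAndKeyACL:
    """ACL 100 as quoted in the thread; optionally with the 'eq 3001' line added."""
    entries = [Entry("tcp", ANY, IPv4Network("172.16.32.3/32"), dport=TELNET)]
    if permit_rotary_port:
        entries.append(Entry("tcp", ANY, ANY, dport=3001))   # access-list 100 permit tcp any any eq 3001
    entries.append(Entry("ip", ANY, IPv4Network("172.16.136.0/24"), dynamic=True))
    return LockAndKeyACL(entries)


def demo() -> dict:
    user, other = "10.1.1.50", "10.1.1.51"      # constructed sample hosts
    results = {}
    acl = build_acl()
    # Before authenticating: Telnet to the router is allowed, pinging through it is not
    results["telnet_before"] = acl.permits("tcp", user, "172.16.32.3", TELNET)
    results["ping_before"] = acl.permits("icmp", user, "172.16.136.10")
    # Telnet to the rotary port is blocked by ACL 100 as originally written
    results["rotary_before_fix"] = acl.permits("tcp", user, "10.1.1.1", 3001)
    # Thread's config: 'autocommand access-enable timeout 3' (no host keyword)
    acl.access_enable(user, timeout_min=3, host=False)
    results["ping_after_auth"] = acl.permits("icmp", user, "172.16.136.10")
    results["other_host_no_host_kw"] = acl.permits("icmp", other, "172.16.136.10")
    # Absolute timeout expires and the entry closes again
    acl.advance(3 * 60 + 1)
    results["ping_after_timeout"] = acl.permits("icmp", user, "172.16.136.10")
    # Same login with the host keyword: only the authenticated source is opened
    strict = build_acl()
    strict.access_enable(user, timeout_min=3, host=True)
    results["other_host_with_host_kw"] = strict.permits("icmp", other, "172.16.136.10")
    # With the extra line from the top of the message, the rotary port is reachable
    fixed = build_acl(permit_rotary_port=True)
    results["rotary_after_fix"] = fixed.permits("tcp", user, "10.1.1.1", 3001)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {'permit' if value else 'deny'}")
```

The `other_host_no_host_kw` result is the point worth checking on a real box: with `access-enable timeout 3` and a dynamic entry whose source is `any`, a single successful login opens the hole for every source, which is why the `host` keyword is normally paired with `autocommand`.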
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3