Re: Lock-and-Key Confusion

From: Karim (karim_ccie@hotmail.com)
Date: Tue Feb 10 2004 - 10:15:09 GMT-3


Hi Packet Man,
For your first comment, I still didn't get a small point. Why didn't the
access-list include the router interface IP address "172.18.23.9" instead
of "172.18.23.2"? And if 172.18.23.2 is right, what would it mean (of course
it can't be an interface on the router because the ethernet, as shown in the
config., already took 172.18.23.9/24)?

Regards,
Karim.

----- Original Message -----
From: "Packet Man" <ccie2b@hotmail.com>
To: <blackyeyes00@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, February 10, 2004 2:58 PM
Subject: RE: Lock-and-Key Confusion

> Hi Yasser,
>
> See comments in-line.
>
>
> >From: "Yasser Aly" <blackyeyes00@hotmail.com>
> >Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
> >To: ccielab@groupstudy.com
> >Subject: Lock-and-Key Confusion
> >Date: Mon, 09 Feb 2004 20:51:10 -0500
> >
> >Hello,
> >
> >I need your help in understanding Lock-and-Key ACL as I am confused in
> >understanding some of its terms.
> >
> >Considering the following example:
> >
> >-----------------
> >username name password password
> >interface ethernet0
> >ip address 172.18.23.9 255.255.255.0
> >ip access-group 101 in
> >access-list 101 permit tcp any host 172.18.23.2 eq telnet
>
> The ip address 172.18.23.2 is the address the user telnets to so the user can be
> authenticated. It should be the ip address of the interface connected to
> the external (untrusted) network. You use "any host" as the source address
> b/c you might know in advance what (source) ip address the user will use to
> telnet to your outside interface.
>
>
> >access-list 101 dynamic mytestlist timeout 120 permit ip any any
>
> Once authenticated, the above line allows the user to access any device on
> the inside. You might want to make the above entry more restrictive by
> specifying a single host address or subnet for the destination. The timeout
> is absolute and 120 = 2 hours.
>
>
> >line vty 0
> >login local
> >autocommand access-enable timeout 5
> >----------------
> >
> >
> >I have the following questions:
> >
> >1- The permitted destination to telnet at is: 172.18.23.2, shouldn't this
> >IP be the IP defined on the
> >ethernet interface ? If not, then kindly explain.
>
> Only if the Ethernet interface is connected to the outside, untrusted
> network and is the ip address external users need to telnet to to be
> authenticated
> >
> >2- If the user will be logged off automatically once logged successfully to
> >the router and the dynamic ACL entry was created, what does the timeout 5
> >represent in the autocommand ?
>
> It's an idle timeout and should always be smaller than the absolute timeout
> configured in the dynamic entry.
> >
> >3- What are the units of timeout defined in the autocommand and access-list
> >commands? Is it seconds or minutes ?
>
> Minutes
> >
> >4- Will the dynamic entry expire after a pre-defined time ( 5 or 120 ??? )
> >whether or not the user is doing an activity. Like allowing the user to
> >access the resources for 5 minutes and then remove the ACL entry, or this
> >idletimeout will be counted as a real idle-timeout of non-activity from the
> >user.
>
> The dynamic entry goes away after 120 minutes no matter what. After 2 hours,
> the user will need to telnet in and re-authenticate. But, if the user takes
> longer than 5 minutes to get coffee, he will be logged out.
> >
> >Thanks for your help.
> >
> >Regards,
> >Yasser
> >
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>

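Added example (not from the thread or from Cisco): a small Python model of the two timers Packet Man describes, using the thread's values of 120 minutes absolute (dynamic ACL line) and 5 minutes idle (autocommand access-enable). It assumes, as the thread says, that matching traffic resets only the idle timer, never the absolute one; times are minutes after the user authenticates.

```python
from dataclasses import dataclass
from typing import List, Tuple

ABSOLUTE_TIMEOUT_MIN = 120   # "access-list 101 dynamic mytestlist timeout 120"
IDLE_TIMEOUT_MIN = 5         # "autocommand access-enable timeout 5"


@dataclass
class DynamicEntry:
    """One temporary entry created by access-enable after a successful login."""
    absolute_timeout: int
    idle_timeout: int
    created: float = 0.0        # entry exists from the moment of authentication
    last_activity: float = 0.0  # assumption: idle timer counts from the last matching packet

    def is_active(self, now: float) -> bool:
        # Absolute timer: never reset, so the entry dies at 120 min regardless of use.
        if now - self.created >= self.absolute_timeout:
            return False
        # Idle timer: entry dies if no matching traffic arrived within idle_timeout min.
        if now - self.last_activity >= self.idle_timeout:
            return False
        return True

    def match(self, now: float) -> bool:
        """True if traffic at `now` is permitted; a permitted packet refreshes the idle timer."""
        if not self.is_active(now):
            return False
        self.last_activity = now
        return True


def sane_timeouts(idle: int, absolute: int) -> bool:
    """The thread's rule: the idle timeout must be shorter than the absolute timeout."""
    return 0 < idle < absolute


def simulate(traffic_minutes: List[float], absolute: int = ABSOLUTE_TIMEOUT_MIN,
             idle: int = IDLE_TIMEOUT_MIN) -> List[Tuple[float, bool]]:
    """Replay packet times (minutes after login) against a fresh entry; return (time, permitted)."""
    entry = DynamicEntry(absolute_timeout=absolute, idle_timeout=idle)
    return [(t, entry.match(t)) for t in sorted(traffic_minutes)]


if __name__ == "__main__":
    # Constructed sample: steady use, then a 6-minute coffee break starting at minute 4.
    for t, ok in simulate([1, 3, 4, 10, 12]):
        print(f"t={t:>4} min  {'permit' if ok else 'deny (entry expired)'}")
```

Once the idle timer has expired, later packets stay denied until the user telnets in and authenticates again, which is why the entry at minute 12 is also refused.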


This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3