Re: Lock-and-Key Confusion

From: Packet Man (ccie2b@hotmail.com)
Date: Tue Feb 10 2004 - 10:30:39 GMT-3


Thanks for pointing that out. I hadn't noticed before that the 2 ip
addresses used in this example were from the same subnet.

Given those ip addresses, the example isn't a good one since it indicates a
mistake in ip addressing. Here's what you need to understand:

1) The ip address used in the acl list entry that allows inbound telnet is
the ip address that an external user telnets to in order to authenticate. If
that ip addr is correct, then the ethernet addr is wrong or vice versa.

2) The destination ip address or subnet in the dynamic acl entry is where
the user is allowed to go after being authenticated.

>From: "Karim" <karim_ccie@hotmail.com>
>To: "Packet Man"
><ccie2b@hotmail.com>,<blackyeyes00@hotmail.com>,<ccielab@groupstudy.com>
>Subject: Re: Lock-and-Key Confusion
>Date: Tue, 10 Feb 2004 15:15:09 +0200
>
>Hi Packet Man,
>For your first comment, still I didn't get a small point. Why didn't the
>access-list include the router interface ip address "172.18.23.9" instead
>of "172.18.23.2"? And if 172.18.23.2 is right, what would it mean (of course
>it can't be an interface on the router because the ethernet, as shown in the
>config., already took 172.18.23.9/24)??
>
>Regards,
>Karim.
>
>----- Original Message -----
>From: "Packet Man" <ccie2b@hotmail.com>
>To: <blackyeyes00@hotmail.com>; <ccielab@groupstudy.com>
>Sent: Tuesday, February 10, 2004 2:58 PM
>Subject: RE: Lock-and-Key Confusion
>
>
> > Hi Yasser,
> >
> > See comments in-line.
> >
> >
> > >From: "Yasser Aly" <blackyeyes00@hotmail.com>
> > >Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
> > >To: ccielab@groupstudy.com
> > >Subject: Lock-and-Key Confusion
> > >Date: Mon, 09 Feb 2004 20:51:10 -0500
> > >
> > >Hello,
> > >
> > >I need your help in understanding Lock-and-Key ACL as I am confused in
> > >understanding some of its terms.
> > >
> > >Considering the following example:
> > >
> > >-----------------
> > >username name password password
> > >interface ethernet0
> > >ip address 172.18.23.9 255.255.255.0
> > >ip access-group 101 in
> > >access-list 101 permit tcp any host 172.18.23.2 eq telnet
> >
> > The ip address 172.18.23.2 is the address the user telnets to so user can be
> > authenticated. It should be the ip address of the interface connected to
> > the external (untrusted) network. You use "any host" as the source address
> > b/c you might know in advance what (source) ip address the user will use to
> > telnet to your outside interface.
> >
> >
> > >access-list 101 dynamic mytestlist timeout 120 permit ip any any
> >
> > Once authenticated, the above line allows the user to access any device on
> > the inside. You might want to make the above entry more restrictive by
> > specifying a single host address or subnet for the destination. The timeout
> > is absolute and 120 = 2 hours.
> >
> >
> > >line vty 0
> > >login local
> > >autocommand access-enable timeout 5
> > >----------------
> > >
> > >
> > >I have the following questions:
> > >
> > >1- The permitted destination to telnet at is: 172.18.23.2, shouldn't this
> > >IP be the IP defined on the ethernet interface ? If not, then kindly explain.
> >
> > Only if the Ethernet interface is connected to the outside, untrusted
> > network and is the ip address external users need to telnet to to be
> > authenticated.
> > >
> > >2- If the user will be logged off automatically once logged successfully to
> > >the router and the dynamic ACL entry was created, what does the timeout 5
> > >represent in the autocommand ?
> >
> > It's an idle timeout and should always be smaller than the absolute timeout
> > configured in the dynamic entry.
> > >
> > >3- What are the units of timeout defined in the autocommand and access-list
> > >commands? Is it seconds or minutes ?
> >
> > Minutes
> > >
> > >4- Will the dynamic entry expire after a pre-defined time ( 5 or 120 ??? )
> > >whether or not the user is doing an activity. Like allowing the user to
> > >access the resources for 5 minutes and then remove the ACL entry, or this
> > >idle timeout will be counted as a real idle-timeout of non-activity from the
> > >user.
> >
> > The dynamic entry goes away after 120 minutes no matter what. After 2 hours,
> > the user will need to telnet in and re-authenticate. But, if the user takes
> > longer than 5 minutes to get coffee, he will be logged out.
> > >
> > >Thanks for your help.
> > >
> > >Regards,
> > >Yasser
> > >
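The thread's configuration with the addressing made consistent, as an added illustration (not the configuration from the original post or from Cisco's documentation): the telnet destination in the ACL matches the outside interface, the dynamic entry is narrowed to an inside subnet, and the idle timeout is smaller than the absolute timeout. The inside subnet 192.168.50.0/24, the username and the password placeholder are constructed.

```cisco
! Constructed example: lock-and-key with the ACL's telnet destination equal
! to the address of the interface the ACL is applied to.
! Assumes Ethernet0 faces the untrusted network and 192.168.50.0/24 is the inside LAN.
username remoteuser password <CHOOSE-A-STRONG-PASSWORD>
!
interface Ethernet0
 description Outside (untrusted) - external users telnet HERE to authenticate
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
! The telnet permit must point at the router's own outside address (172.18.23.9),
! not at an unrelated host such as 172.18.23.2.
access-list 101 permit tcp any host 172.18.23.9 eq telnet
! Absolute timeout of 120 minutes; destination narrowed from "any any" to the
! inside subnet the authenticated user is allowed to reach.
access-list 101 dynamic mytestlist timeout 120 permit ip any 192.168.50.0 0.0.0.255
!
line vty 0 4
 login local
 ! Idle timeout of 5 minutes (should be smaller than the 120-minute absolute timeout).
 ! "host" replaces the "any" source with the authenticating user's own address.
 autocommand access-enable host timeout 5
```

Putting the autocommand on every vty line means an administrator who telnets in gets the access-enable command instead of a CLI, so keep one vty line without it (or use a separate management path) for router administration.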



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3