RE: Lock-and-Key Confusion

From: Yasser Aly (blackyeyes00@hotmail.com)
Date: Tue Feb 10 2004 - 14:36:25 GMT-3


Hi Packet Man,

  Thanks for your explanation; it made things much clearer.

Another question about the autocommand command. When this command is used
with the lock-and-key ACL, is it normally used in this syntax, "autocommand
access-enable timeout 5", or are there cases where other exec commands are
configured after the autocommand?

Regards,
Yasser

>From: "Packet Man" <ccie2b@hotmail.com>
>To: blackyeyes00@hotmail.com, ccielab@groupstudy.com
>Subject: RE: Lock-and-Key Confusion
>Date: Tue, 10 Feb 2004 07:58:27 -0500
>
>Hi Yasser,
>
>See comments in-line.
>
>
>>From: "Yasser Aly" <blackyeyes00@hotmail.com>
>>Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
>>To: ccielab@groupstudy.com
>>Subject: Lock-and-Key Confusion
>>Date: Mon, 09 Feb 2004 20:51:10 -0500
>>
>>Hello,
>>
>>I need your help in understanding Lock-and-Key ACL as I am confused in
>>understanding some of its terms.
>>
>>Considering the following example:
>>
>>-----------------
>>username name password password
>>interface ethernet0
>>ip address 172.18.23.9 255.255.255.0
>>ip access-group 101 in
>>access-list 101 permit tcp any host 172.18.23.2 eq telnet
>
>The ip address 172.18.23.2 is the address the user telnets to so the user
>can be authenticated. It should be the ip address of the interface connected
>to the external (untrusted) network. You use "any host" as the source
>address because you might know in advance what (source) ip address the user
>will use to telnet to your outside interface.
>
>
>>access-list 101 dynamic mytestlist timeout 120 permit ip any any
>
>Once authenticated, the above line allows the user to access any device on
>the inside. You might want to make the above entry more restrictive by
>specifying a single host address or subnet for the destination. The timeout
>is absolute and 120 = 2 hours.
>
>
>>line vty 0
>>login local
>>autocommand access-enable timeout 5
>>----------------
>>
>>
>>I have the following questions:
>>
>>1- The permitted destination to telnet at is: 172.18.23.2, shouldn't this
>>IP be the IP defined on the
>>ethernet interface ? If not, then kindly explain.
>
>Only if the Ethernet interface is connected to the outside, untrusted
>network and is the ip address external users need to telnet to in order to
>be authenticated.
>>
>>2- If the user will be logged off automatically once logged successfully
>>to the router and the dynamic ACL entry was created, what does the timeout
>>5 represent in the autocommand ?
>
>It's an idle timeout and should always be smaller than the absolute timeout
>configured in the dynamic entry.
>>
>>3- What are the units of timeout defined in the autocommand and
>>access-list commands? Is it seconds or minutes ?
>
>Minutes
>>
>>4- Will the dynamic entry expire after a pre-defined time ( 5 or 120 ??? )
>>whether or not the user is doing an activity. Like allowing the user to
>>access the resources for 5 minutes and then remove the ACL entry, or this
>>idletimeout will be counted as a real idle-timeout of non-activity from
>>the user.
>
>The dynamic entry goes away after 120 minutes no matter what. After 2
>hours, the user will need to telnet in and re-authenticate. But, if the
>user takes longer than 5 minutes to get coffee, he will be logged out.
>>
>>Thanks for your help.
>>
>>Regards,
>>Yasser
>>
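As an added illustration (not part of the thread above, and not Cisco's own sample), here is a complete lock-and-key configuration in the style of the quoted fragment, with the two changes Packet Man suggests applied: the telnet target is the outside interface's own address, and the dynamic entry is limited to an inside subnet instead of "permit ip any any". It also adds the "host" keyword to access-enable, which the quoted config does not have; without it the temporary entry is created with the source from the template line (here "any"), so every outside host, not only the one that authenticated, can use the opening for as long as it exists. Putting the autocommand on the username instead of on the vty line is one way to keep a normal exec available for other accounts, which is relevant to the question about running other exec commands. The interface names, the inside subnet 10.1.1.0/24, the usernames and the passwords are assumptions; 172.18.23.9 is taken from the quoted configuration.

```cisco
! Added example, not from the thread. Interface names, usernames,
! passwords and the inside subnet 10.1.1.0/24 are assumptions;
! 172.18.23.9 is the outside address from the quoted configuration.
!
! Per-user autocommand: only the lock-and-key user is disconnected
! after the dynamic entry is created. The admin account logs in on
! the same vty lines and gets a normal exec prompt.
username yasser secret example-only-password
username yasser autocommand access-enable host timeout 5
username admin privilege 15 secret example-only-password
!
interface Ethernet0
 description outside (untrusted) side, lock-and-key list applied inbound
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
interface Ethernet1
 description inside (trusted) network
 ip address 10.1.1.1 255.255.255.0
!
! 1. Outside users may reach the telnet listener on the outside
!    interface address itself; this is where they authenticate.
access-list 101 permit tcp any host 172.18.23.9 eq telnet
!
! 2. Template for the temporary entry. "timeout 120" is the absolute
!    lifetime in minutes; the "timeout 5" on access-enable above is the
!    idle time in minutes and must be shorter. The destination is the
!    inside subnet rather than "any". Because access-enable is used
!    with "host", the "any" source here is replaced by the address the
!    user telnetted from when the entry is created.
access-list 101 dynamic mytestlist timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
! 3. Everything else arriving from the outside is dropped and logged,
!    which also gives a record of who is probing the outside address.
access-list 101 deny ip any any log
!
! No autocommand on the lines: login uses the local database, and the
! per-username autocommand decides who is disconnected after login.
line vty 0 4
 login local
!
! Verification (exec mode):
!   show access-lists 101
!     The temporary entries, with the authenticating host's address
!     as source, appear under the "Dynamic mytestlist" line while
!     they are active and disappear when either timer expires.
!   clear access-template 101 mytestlist
!     Removes the temporary entries without waiting for the timers.
```

When testing, telnet to 172.18.23.9 as "yasser": the session is closed immediately after authentication and "show access-lists 101" then shows the temporary entry; telnet as "admin" should instead leave you at an exec prompt, confirming that the autocommand is bound to the user and not to the line.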



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3