From: Packet Man (ccie2b@hotmail.com)
Date: Tue Feb 10 2004 - 14:44:07 GMT-3
Sorry, you've now exceeded the extent of my knowledge, but you may want to 
read the book IOS Access Lists, published by McGraw-Hill and written by Gil 
Hunt; ISBN 0-07-212335.
That's where I got the info I gave you.
HTH
>From: "Yasser Aly" <blackyeyes00@hotmail.com>
>Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
>To: ccielab@groupstudy.com
>Subject: RE: Lock-and-Key Confusion
>Date: Tue, 10 Feb 2004 12:36:25 -0500
>
>Hi Packet Man,
>
>Thanks for your explanation; it made things much clearer.
>
>Another question about the autocommand command. When this command is used 
>with the lock-and-key ACL, is it normally used with the syntax "autocommand 
>access-enable timeout 5", or are there cases where other exec commands are 
>configured after the autocommand?
>
>Regards,
>Yasser
>
>>From: "Packet Man" <ccie2b@hotmail.com>
>>To: blackyeyes00@hotmail.com, ccielab@groupstudy.com
>>Subject: RE: Lock-and-Key Confusion
>>Date: Tue, 10 Feb 2004 07:58:27 -0500
>>
>>Hi Yasser,
>>
>>See comments in-line.
>>
>>
>>>From: "Yasser Aly" <blackyeyes00@hotmail.com>
>>>Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
>>>To: ccielab@groupstudy.com
>>>Subject: Lock-and-Key Confusion
>>>Date: Mon, 09 Feb 2004 20:51:10 -0500
>>>
>>>Hello,
>>>
>>>I need your help in understanding Lock-and-Key ACL as I am confused in 
>>>understanding some of its terms.
>>>
>>>Considering the following example:
>>>
>>>-----------------
>>>username name password password
>>>interface ethernet0
>>>ip address 172.18.23.9 255.255.255.0
>>>ip access-group 101 in
>>>access-list 101 permit tcp any host 172.18.23.2 eq telnet
>>
>>The IP address 172.18.23.2 is the address the user telnets to so the user can 
>>be authenticated.  It should be the IP address of the interface connected 
>>to the external (untrusted) network.  You use "any host" as the source 
>>address b/c you might know in advance what (source) IP address the user 
>>will use to telnet to your outside interface.
>>
>>
>>>access-list 101 dynamic mytestlist timeout 120 permit ip any any
>>
>>Once authenticated, the above line allows the user to access any device on 
>>the inside. You might want to make the above entry more restrictive by 
>>specifying a single host address or subnet for the destination. The 
>>timeout is absolute and 120 = 2 hours.
>>
>>
>>>line vty 0
>>>login local
>>>autocommand access-enable timeout 5
>>>----------------
>>>
>>>
>>>I have the following questions:
>>>
>>>1- The permitted destination to telnet to is 172.18.23.2. Shouldn't this 
>>>IP be the IP defined on the ethernet interface? If not, then kindly explain.
>>
>>Only if the Ethernet interface is connected to the outside, untrusted 
>>network and is the IP address external users need to telnet to to be 
>>authenticated.
>>>
>>>2- If the user will be logged off automatically once logged in successfully 
>>>to the router and the dynamic ACL entry has been created, what does the 
>>>timeout 5 represent in the autocommand?
>>
>>It's an idle timeout and should always be smaller than the absolute 
>>timeout configured in the dynamic entry.
>>>
>>>3- What are the units of the timeout defined in the autocommand and 
>>>access-list commands? Is it seconds or minutes?
>>
>>Minutes
>>>
>>>4- Will the dynamic entry expire after a pre-defined time (5 or 120???) 
>>>whether or not the user is doing an activity, like allowing the user to 
>>>access the resources for 5 minutes and then removing the ACL entry, or will 
>>>this idle timeout be counted as a real idle timeout of non-activity from 
>>>the user?
>>
>>The dynamic entry goes away after 120 minutes no matter what.  After 2 
>>hours, the user will need to telnet in and re-authenticate.  But, if the 
>>user takes longer than 5 minutes to get coffee, he will be logged out.
>>>
>>>Thanks for your help.
>>>
>>>Regards,
>>>Yasser
>>>
>>>
>>>_______________________________________________________________________
>>>Please help support GroupStudy by purchasing your study materials from:
>>>http://shop.groupstudy.com
>>>
>>>Subscription information may be found at: 
>>>http://www.groupstudy.com/list/CCIELab.html
>>
>
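The two checks that come out of this thread (the idle timeout in the autocommand must be smaller than the absolute timeout in the dynamic entry, and the dynamic entry should not permit ip any any) can be applied mechanically. The following is an added example, not from the thread or from Cisco; it embeds the configuration quoted above plus a hypothetical hardened variant whose narrowed destination subnet (172.18.24.0/24) is a constructed value.

```python
import re

# Constructed sample: the lock-and-key configuration quoted in the thread,
# with the dynamic entry as posted (permit ip any any).
ORIGINAL_CONFIG = """\
username name password password
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.23.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout 5
"""

# Hypothetical hardened variant: the dynamic entry only opens one inside
# subnet (172.18.24.0/24 is a constructed value, not from the thread).
HARDENED_CONFIG = ORIGINAL_CONFIG.replace(
    "permit ip any any", "permit ip any 172.18.24.0 0.0.0.255")

DYNAMIC_RE = re.compile(
    r"^access-list\s+(\d+)\s+dynamic\s+(\S+)\s+timeout\s+(\d+)\s+permit\s+(.*)$")
# access-enable takes an optional "host" keyword before "timeout"
AUTOCMD_RE = re.compile(
    r"^\s*autocommand\s+access-enable(?:\s+host)?\s+timeout\s+(\d+)")


def check_lock_and_key(config: str) -> list:
    """Return a list of findings for a lock-and-key (dynamic ACL) config.
    Both timeouts are in minutes: the dynamic entry's timeout is absolute,
    the autocommand timeout is an idle timeout and must be the smaller one."""
    findings = []
    absolute = idle = None
    for line in config.splitlines():
        m = DYNAMIC_RE.match(line.strip())
        if m:
            absolute = int(m.group(3))
            # any source to any destination: the temporary hole is wide open
            if re.search(r"\bany\s+any\b", m.group(4)):
                findings.append(f"dynamic entry {m.group(2)} permits any any; "
                                "restrict the destination to a host or subnet")
        m = AUTOCMD_RE.match(line)
        if m:
            idle = int(m.group(1))
    if absolute is None:
        findings.append("no dynamic ACL entry found")
    if idle is None:
        findings.append("no 'autocommand access-enable timeout' on the vty line")
    if absolute is not None and idle is not None and idle >= absolute:
        findings.append(f"idle timeout {idle} min must be smaller than "
                        f"absolute timeout {absolute} min")
    return findings
```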
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3