From: Larry (groupstudy@american-hero.com)
Date: Fri Jul 23 2004 - 15:38:05 GMT-3
that would make the source be replaced with the IP of the "host" that
telnetted to the router and authenticated.
( assume the PC doing the authentication is 10.10.10.1 )
Your "permit ip any any"
would become
"permit ip host 10.10.10.1 any"
It replaces the "any" for source with the IP address of the host doing the
authentication.
Scenario:
access-list 101 dynamic DYNOLIST timeout 120 permit tcp any any eq telnet
Let's say you have several people you want to be able to telnet across your
network, but restrict anyone else from doing it.
Let's also say that you run DHCP, so the source IP will not be known.
WITHOUT use of the "host" keyword...
If you do "permit tcp any any eq telnet" , then as soon as the first person
authenticates then an ACL entry permitting everyone to telnet is now in
place, at least until the timeout expires.
Permit ip any any telnet
WITH the use of "host" keyword.
Now, even though you have "permit tcp any any eq telnet", the first person
that authenticates, let's say from IP 10.10.10.1, gets this entry added to
the ACL
Permit ip host 10.10.10.1 any eq telnet
A second user now telnets to the router and authenticates, this time from
10.10.10.24. Then this line gets ADDED to the existing ACL
Permit ip host 10.10.10.24 any eq telnet.
Only those 2 users who authenticated can telnet through the firewall, while
everyone else is still denied.
I hope I'm making sense. I don't have a router in front of me or I would
post actual output.
Larry
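Since no router output was posted, here is an added example (not from the original post, and not Cisco IOS code) that models the behaviour Larry describes: a dynamic ACL template line, the temporary entry that `access-enable` installs with and without the `host` keyword, and the absolute (`dynamic ... timeout 120`) and idle (`access-enable timeout 5`) timers that age it out. The class and function names, the simulated clock in minutes, and the addresses 10.10.10.1, 10.10.10.24, 10.10.10.99 and 192.0.2.50 are assumptions made for illustration; the placement of temporary entries at the template's position is a simplification of IOS behaviour.

```python
"""Model of lock-and-key dynamic ACL entries (added example, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORT_NAMES = {23: "telnet"}  # only used when rendering entries


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # "any" or a CIDR string such as "10.10.10.1/32"
    dst: str
    dport: Optional[int] = None  # None = any destination port
    dynamic: bool = False       # True for the `dynamic NAME` template line

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _addr_match(self.src, src_ip) and _addr_match(self.dst, dst_ip)

    def render(self) -> str:
        def fmt(spec: str) -> str:
            if spec == "any":
                return "any"
            net = ip_network(spec)
            return f"host {net.network_address}" if net.prefixlen == 32 else spec
        port = "" if self.dport is None else f" eq {PORT_NAMES.get(self.dport, self.dport)}"
        return f"{self.action} {self.proto} {fmt(self.src)} {fmt(self.dst)}{port}"


@dataclass
class TempEntry:
    entry: AclEntry
    created: float    # simulated clock, in minutes
    last_hit: float


class LockAndKeyAcl:
    """Ordered extended ACL holding one `dynamic` template line.

    Simplification: temporary entries are evaluated where the template sits;
    the template itself never matches traffic; unmatched traffic is denied.
    """

    def __init__(self, entries: List[AclEntry], absolute_timeout: float, idle_timeout: float):
        self.entries = list(entries)
        self.absolute_timeout = absolute_timeout  # `dynamic NAME timeout N` (minutes)
        self.idle_timeout = idle_timeout          # `access-enable timeout N` (minutes)
        self.temp: List[TempEntry] = []

    @property
    def template(self) -> AclEntry:
        return next(e for e in self.entries if e.dynamic)

    def access_enable(self, auth_ip: str, host: bool, now: float) -> AclEntry:
        """What `autocommand access-enable` does after a vty login: without
        `host` the template is installed verbatim, with `host` its source is
        replaced by the authenticating host's address."""
        t = self.template
        src = f"{auth_ip}/32" if host else t.src
        entry = AclEntry(t.action, t.proto, src, t.dst, t.dport)
        if not any(x.entry == entry for x in self.temp):   # same entry is not duplicated
            self.temp.append(TempEntry(entry, created=now, last_hit=now))
        return entry

    def _expire(self, now: float) -> None:
        self.temp = [x for x in self.temp
                     if now - x.created < self.absolute_timeout
                     and now - x.last_hit < self.idle_timeout]

    def permits(self, proto: str, src_ip: str, dst_ip: str, dport: int, now: float) -> bool:
        self._expire(now)
        for e in self.entries:
            if e.dynamic:
                for x in self.temp:
                    if x.entry.matches(proto, src_ip, dst_ip, dport):
                        x.last_hit = now   # matching traffic resets the idle timer
                        return x.entry.action == "permit"
                continue
            if e.matches(proto, src_ip, dst_ip, dport):
                return e.action == "permit"
        return False   # implicit deny

    def show(self) -> List[str]:
        return [x.entry.render() for x in self.temp]


def scenario(use_host: bool) -> dict:
    """Two users authenticate against template `permit tcp any any eq telnet`."""
    acl = LockAndKeyAcl([AclEntry("permit", "tcp", "any", "any", 23, dynamic=True)],
                        absolute_timeout=120, idle_timeout=5)
    acl.access_enable("10.10.10.1", host=use_host, now=0.0)
    acl.access_enable("10.10.10.24", host=use_host, now=1.0)
    dst = "192.0.2.50"   # constructed telnet target behind the router
    return {
        "temp_entries": acl.show(),
        "first_user": acl.permits("tcp", "10.10.10.1", dst, 23, now=2.0),
        "second_user": acl.permits("tcp", "10.10.10.24", dst, 23, now=2.0),
        "stranger": acl.permits("tcp", "10.10.10.99", dst, 23, now=2.0),
        "after_idle": acl.permits("tcp", "10.10.10.1", dst, 23, now=7.0),  # idle 5 min
    }
```

`scenario(False)` installs a single `permit tcp any any eq telnet` entry, so the unauthenticated 10.10.10.99 is let through as soon as the first user logs in; `scenario(True)` installs one `host` entry per authenticated source and the stranger stays denied. In both cases the entry disappears once no matching traffic has been seen for the idle timeout.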
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Friday, July 23, 2004 12:50 PM
To: ccielab@groupstudy.com
Subject: Host keyword on Lock and Key
What would be the behavior if configuring the keyword 'host' on "autocommand
access-enable" in this example?
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp 168.192.1.0 255.255.255.0 host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
!
line vty 0
 login local
 autocommand access-enable timeout 5
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:01 GMT-3