Re: Help on Lock and Key configuration.

From: Phil (theccie@gmail.com)
Date: Mon Feb 14 2005 - 18:16:11 GMT-3


You actually need the command:

autocommand access-enable host timeout 60

Without the "host" keyword, access will be enabled for the whole subnet
Ted is coming from.

Phil

On Mon, 14 Feb 2005 10:59:45 -0500, Sundar Palaniappan
<sundarp@gmail.com> wrote:
> Anantha,
>
> The Lock-and-Key configuration you need to use on R3 follows.
> Substitute the VLAN 30 IP address in place of "any" (destination) in the
> dynamic ACL.
>
>
> username Ted password 0 cisco
>
> access-list 103 permit tcp any host 130.10.134.3 eq telnet
> access-list 103 dynamic labtest timeout 60 permit ip any any
>
> int s0
>  ip access-group 103 in
>
> line vty 0 4
>  login local
>  autocommand access-enable timeout 60
>
> Cheers,
> Sundar Palaniappan
>
> On Mon, 14 Feb 2005 00:56:55 -0500, Brian Dennis
> <bdennis@internetworkexpert.com> wrote:
> > You should first try looking over the documentation for lock and key
> > security because what you have configured below is not lock and key
> > security ;-)
> >
> > Configuring Lock-and-Key Security (Dynamic Access Lists)
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> >
> > bdennis@internetworkexpert.com
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > anantha S
> > Sent: Sunday, February 13, 2005 9:42 PM
> > To: Cisco certification
> > Subject: Help on Lock and Key configuration.
> >
> > Hi,
> >
> > How do I solve the problem below? Any pointers?
> >
> > Question:
> > --------------
> > 1. Configure R3 such that Telnet is the only protocol allowed to
> > enter R3's Frame Relay interface.
> > 2. Configure Lock and Key on R3 such that if a username Ted
> > authenticates, his IP address (and only his IP address) will be
> > allowed full access into VLAN 30. Ted's password should be cisco.
> > 3. Configure an idle time of 5 minutes and an absolute time of 1 hour.
> > 4. Name this dynamic entry LockandKey and add it to the access list
> > present on R3's serial interface.
> >
> > Topology:
> > --------------
> >
> > R2-------FR--------R3-----Vlan30---
> >
> > solution try:
> > --------------
> > I could not find a way to associate the user (Ted) with access-list 103.
> >
> > hostname R3
> >
> > username Ted password 0 cisco
> >
> > interface Serial1/0
> >  no shutdown
> >  ip address 130.10.134.3 255.255.255.0
> >  ip access-group 103 in
> >  encapsulation frame-relay
> >  ip ospf network point-to-multipoint
> >  no arp frame-relay
> >  frame-relay map ip 130.10.134.1 100 broadcast
> >  no frame-relay inverse-arp
> >
> > router ospf 1
> >  log-adjacency-changes
> >  summary-address 130.10.31.0 255.255.255.0
> >  redistribute connected subnets route-map filterloop
> >  network 130.10.30.0 0.0.0.255 area 3
> >  network 130.10.134.0 0.0.0.255 area 0
> >
> > router bgp 100
> >  no synchronization
> >  bgp log-neighbor-changes
> >  network 33.33.33.0 mask 255.255.255.0
> >  neighbor 130.10.134.1 remote-as 100
> >  no auto-summary
> >
> > access-list 13 permit 130.10.31.0 0.0.0.255
> > access-list 103 permit icmp any any echo
> > access-list 103 permit icmp any any echo-reply
> > access-list 103 permit ospf any any
> > access-list 103 permit tcp any any eq bgp
> > access-list 103 permit tcp any eq bgp any
> > access-list 103 permit tcp any any eq telnet
> > access-list 103 deny ip any any
> > route-map filterloop permit 10
> >  match ip address 13
> >
> > dial-peer cor custom
> > line con 0
> > line aux 0
> >
> > line vty 0 4
> >  session-timeout 5
> >  access-class 103 in
> >  absolute-timeout 60
> >  login local
> > logging console 7
> > end
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
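The pieces of the thread put together against the original task, as an added example that is not the configuration of any of the posters: Sundar's dynamic ACL with the entry renamed to LockandKey and its destination narrowed to VLAN 30, Phil's `host` keyword on the autocommand, and the two timeouts split the way the task asks (the `timeout` on the `access-list ... dynamic` line is the absolute timeout, the `timeout` on `access-enable` is the idle timeout, both in minutes). The VLAN 30 subnet 130.10.30.0/24 is an assumption taken from R3's OSPF `network` statement; the interface name and addresses are those in the original posting.

```cisco
! Added example, not from the thread. Assumptions: VLAN 30 is
! 130.10.30.0/24 (from R3's "network 130.10.30.0 0.0.0.255 area 3"),
! the Frame Relay interface is Serial1/0 as in the original posting.
hostname R3
!
username Ted password 0 cisco
!
! Task 1: only Telnet enters the Frame Relay interface. Telnet to R3
! itself is what lets Ted authenticate and trigger the dynamic entry.
access-list 103 permit tcp any host 130.10.134.3 eq telnet
!
! Task 4: the dynamic entry, named LockandKey, in the same list.
! "timeout 60" on this line is the ABSOLUTE timeout, in minutes
! (task 3: one hour). Destination is VLAN 30, not "any" (task 2).
access-list 103 dynamic LockandKey timeout 60 permit ip any 130.10.30.0 0.0.0.255
!
! Everything else is dropped by the implicit "deny ip any any".
! If OSPF and BGP across the Frame Relay link must stay up, permit
! them before the dynamic line, as the original attempt did.
!
interface Serial1/0
 ip access-group 103 in
!
! Tasks 2 and 3: after a successful local login the autocommand opens
! the dynamic entry. "host" limits it to the caller's own address
! (without it the whole source subnet gets in, as Phil notes);
! "timeout 5" on this line is the IDLE timeout, in minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

Two things to check after applying it. `show access-lists 103` should list the `Dynamic LockandKey permit ip any 130.10.30.0 0.0.0.255` line with nothing under it; after Ted telnets to 130.10.134.3 and authenticates, a `permit ip host <Ted's address> 130.10.30.0 0.0.0.255` entry appears indented beneath it with its remaining time, and that entry, not the Telnet session, is what grants access: the autocommand runs `access-enable` and then closes the Telnet session, so a management session on the same vty is not left open. To drop a temporary entry before it times out, `clear access-template 103 LockandKey <source> <destination>` (check the exact argument form on your IOS release). Note also that the `username ... password 0 cisco` line the task demands stores the password in cleartext in the configuration; `service password-encryption` is the least one would add outside the lab.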



This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:20 GMT-3