Re: Help on Lock and Key configuration.

From: Sundar Palaniappan (sundarp@gmail.com)
Date: Fri Feb 25 2005 - 13:33:29 GMT-3


Good catch there!

I was only responding to his precise requirement. Yes, you need to
explicitly permit all other management traffic, including routing
protocol traffic.

In his case, he would need the following ACL.

access-list 103 permit ospf any any
access-list 103 permit tcp any any eq bgp
access-list 103 permit tcp any eq bgp any
access-list 103 permit icmp any any
access-list 103 permit tcp any host 130.10.134.3 eq telnet
access-list 103 dynamic labtest timeout 60 permit ip any any

--Sundar Palaniappan

On Fri, 25 Feb 2005 14:04:51 +0100, Ivan Ostreš <ivan.ostres@snt.hr> wrote:
>
> Well,
>
> This would be good, but will kill all underlying stuff (like routing protocol) and will kill ability of the devices behind R3 to be pinged.
>
> Regards,
> Ivan
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Sundar Palaniappan
> > Sent: Monday, February 14, 2005 5:00 PM
> > To: Brian Dennis
> > Cc: anantha S; Cisco certification
> > Subject: Re: Help on Lock and Key configuration.
> >
> > Anantha,
> >
> > The Lock-and-Key configuration you need to use on R3 follows.
> > Substitute VLAN 30 IP address in place of any (destination)
> > in the dynamic ACL.
> >
> >
> > username Ted password 0 cisco
> >
> >
> > access-list 103 permit tcp any host 130.10.134.3 eq telnet
> > access-list 103 dynamic labtest timeout 60 permit ip any any
> >
> >
> > int s0
> > ip access-group 103 in
> >
> >
> > line vty 0 4
> > login local
> > autocommand access-enable timeout 60
> >
> >
> > Cheers,
> > Sundar Palaniappan
> >
> >
> > On Mon, 14 Feb 2005 00:56:55 -0500, Brian Dennis
> > <bdennis@internetworkexpert.com> wrote:
> > > You should first try looking over the documentation for
> > lock and key
> > > security because what you have configured below is not lock and key
> > > security ;-)
> > >
> > > Configuring Lock-and-Key Security (Dynamic Access Lists)
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > >
> > > bdennis@internetworkexpert.com
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > On Behalf
> > > Of anantha S
> > > Sent: Sunday, February 13, 2005 9:42 PM
> > > To: Cisco certification
> > > Subject: Help on Lock and Key configuration.
> > >
> > > Hi,
> > >
> > > How to solve this below problem, any pointers.
> > >
> > > Question:
> > > --------------
> > > 1. configure R3 such that telnet is the only protocol allowed to
> > > enter R3's frame-relay interface.
> > > 2. Configure lock and Key on R3 such that if a username Ted
> > > authenticates, his IP address (and only his ip address) will be
> > > allowed full access into VLAN 30. Teds password should be cisco.
> > > 3. Configure an idle time of 5 minutes and an absolute time of 1 hour.
> > > 4. Name this dynamic entry LockandKey and add it to access list
> > > present in R3 serial interface.
> > >
> > > Topology:
> > > --------------
> > >
> > > R2-------FR--------R3-----Vlan30---
> > >
> > > solution try:
> > > --------------
> > > I could not find a way to associate the user (Ted) with access-list 103.
> > >
> > > hostname R3
> > >
> > > username Ted password 0 cisco
> > >
> > > interface Serial1/0
> > >  no shutdown
> > >  ip address 130.10.134.3 255.255.255.0
> > >  ip access-group 103 in
> > >  encapsulation frame-relay
> > >  ip ospf network point-to-multipoint
> > >  no arp frame-relay
> > >  frame-relay map ip 130.10.134.1 100 broadcast
> > >  no frame-relay inverse-arp
> > >
> > > router ospf 1
> > >  log-adjacency-changes
> > >  summary-address 130.10.31.0 255.255.255.0
> > >  redistribute connected subnets route-map filterloop
> > >  network 130.10.30.0 0.0.0.255 area 3
> > >  network 130.10.134.0 0.0.0.255 area 0
> > >
> > > router bgp 100
> > >  no synchronization
> > >  bgp log-neighbor-changes
> > >  network 33.33.33.0 mask 255.255.255.0
> > >  neighbor 130.10.134.1 remote-as 100
> > >  no auto-summary
> > >
> > > access-list 13 permit 130.10.31.0 0.0.0.255
> > > access-list 103 permit icmp any any echo
> > > access-list 103 permit icmp any any echo-reply
> > > access-list 103 permit ospf any any
> > > access-list 103 permit tcp any any eq bgp
> > > access-list 103 permit tcp any eq bgp any
> > > access-list 103 permit tcp any any eq telnet
> > > access-list 103 deny ip any any
> > > route-map filterloop permit 10
> > >  match ip address 13
> > >
> > > dial-peer cor custom
> > > line con 0
> > > line aux 0
> > >
> > > line vty 0 4
> > > session-timeout 5
> > > access-class 103 in
> > > absolute-timeout 60
> > > login local
> > > logging console 7
> > > end
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
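The thread never shows a single configuration that meets all four of anantha's requirements at once, so here is one, added as an example and not taken from any post above. It follows Sundar's corrected ACL (routing protocol and ICMP traffic permitted explicitly, as Ivan pointed out) and adds the two pieces the posted configs leave out: the `host` keyword on `access-enable`, which is what limits the temporary entry to Ted's own source address, and the VLAN 30 destination in the dynamic entry. It also shows where each of the two timers lives: the idle timer (5 minutes) belongs to `access-enable`, the absolute timer (60 minutes) belongs to the `dynamic` ACL entry; the `session-timeout` and `absolute-timeout` in anantha's `line vty` block only govern the telnet session to R3, not the ACL entry. Assumptions: VLAN 30 is 130.10.30.0/24 and the frame-relay interface is Serial1/0, both taken from anantha's posted config; Ted's workstation address is not assumed because `host` fills it in from the telnet session at login.

```cisco
! Added example, not from the thread. Lock-and-Key on R3 meeting all four requirements.
! Assumed: VLAN 30 = 130.10.30.0/24, frame-relay interface = Serial1/0 (from the posted config).
hostname R3
!
! Requirement 2: Ted, password cisco. Putting autocommand on the username (rather than on
! the vty line) is what associates this user with the dynamic entry: after "login local"
! succeeds, IOS runs access-enable for Ted and drops the session. "host" replaces the "any"
! source of the dynamic entry with Ted's own source address, so only his IP is opened up.
! "timeout 5" is the idle timer in minutes (requirement 3).
username Ted password 0 cisco
username Ted autocommand access-enable host timeout 5
!
! Inbound ACL on the frame-relay interface. Control-plane traffic R3 depends on is
! permitted explicitly; without these lines the OSPF adjacency and BGP session to R2 die.
access-list 103 permit ospf any any
access-list 103 permit tcp any any eq bgp
access-list 103 permit tcp any eq bgp any
access-list 103 permit icmp any any
! Requirement 1: telnet, and only to R3's own serial address, so Ted can reach the vty
! to authenticate. Nothing else enters the interface until the dynamic entry is activated.
access-list 103 permit tcp any host 130.10.134.3 eq telnet
! Requirement 4: the dynamic entry, named LockandKey, in the same ACL that sits on the
! serial interface. "timeout 60" is the absolute timer in minutes (requirement 3).
! Destination is VLAN 30 rather than "any", so the temporary entry cannot be used to reach
! anything else behind R3. The source stays "any" here; "access-enable host" narrows it
! to Ted's address when the entry is created.
access-list 103 dynamic LockandKey timeout 60 permit ip any 130.10.30.0 0.0.0.255
! (implicit deny ip any any)
!
interface Serial1/0
 ip address 130.10.134.3 255.255.255.0
 encapsulation frame-relay
 ip access-group 103 in
!
line vty 0 4
 login local
```

Two practical notes. First, `autocommand access-enable` configured under `line vty 0 4` (as in Sundar's first reply) runs for every user who logs in, including the administrator, who is then disconnected as soon as authentication completes; the per-user form above, or reserving one vty for administration, avoids that lockout. Second, once Ted has authenticated the temporary entry is visible with `show access-lists 103` (it appears indented under the dynamic line with Ted's source address) and stays until the idle or absolute timer expires; `clear access-template 103 LockandKey <Ted's address> 130.10.30.0 0.0.0.255` revokes it early. Telnet carries the password in the clear, so outside a lab the same mechanism should be fronted with SSH.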



This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:25 GMT-3