Re: NMC Scenario #3 (Security Section)

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Tue May 10 2005 - 20:42:11 GMT-3


Dennis,

What exactly are you referring to when you mention 'NMC Scenario #3'? Do
you mean something from either NMC's DoIT labs, CheckIT labs, DrillIt labs,
or perhaps their NMC2 class Day 3 labs?

Have you posted your question to NMC's forum? They have a very active forum
with techs dedicated to answering their questions (wait till you get Alexei
going).

While I won't comment on the majority of your question, the last part, about
username SALLY autocommand access-enable, it's a secret command. It's not
documented very well but it does exist. The best place I can recommend to
learn about it is CCIE Practical Studies Volume 1 pg 1005-1009. I usually
don't recommend Volume 1, but in this case, it'll at least lean you in the
right direction. Per the book, pg 1007: "... a special autocommand will be run
when user XXX logs in. Access-enable is a special command that will not be
displayed by the question mark (context-sensitive help)--yes, you will have
to remember this one!"

HTH,
Sean
----- Original Message -----
From: "Dennis J. Hartmann" <dennisjhartmann@hotmail.com>
To: "'Bob Sinclair'" <bsin@cox.net>; "'Andrew B. Caslow'"
<abcaslow@netmasterclass.net>; <ccielab@groupstudy.com>
Sent: Tuesday, May 10, 2005 7:08 PM
Subject: NMC Scenario #3 (Security Section)

> Am I missing something here??? Comments are welcome.
>
> The NMC scenario #3 calls for a Lock-And-Key dynamic ACL to get from one
> VLAN (30) to R5.
>
> What I don't understand about the solution is the ACL that was
> configured. The only IP Address that was denied was the 172.16.25.5/27
> address, but we are not using the dynamic ACL for the 172.16.105.1/27
> loopback interface. This is probably OK because the ACL of 120 that's
> applied to the incoming Frame interfaces, does not explicitly allow the
> traffic and the last line of the ACL is a deny ip any any.
>
> The question does not call for any other traffic to create the dynamic
> ACL except for the traffic from VLAN 30 to R5. I would think that the ACL
> should be configured with a permit ip any any at the bottom based on the
> question. The explanation also states "The final line 17 is there to help
> us determine if we forgot to permit any required traffic.". I'm confused.
>
> The NMC configuration answer is as follows and I have some questions
> (check the ! comment lines):
>
> access-list 120 remark ------------- Router Security ------------------
> access-list 120 dynamic VLAN30 timeout 10 permit tcp any host 172.16.25.5 eq telnet
> ! If the dynamic VLAN is ONLY supposed to be created from VLAN30 to R5, I would change the
> ! source address for "any" to the VLAN30 subnet. We are also missing a line in the access-list
> ! where we permit VLAN30 to be able to telnet to R1. Would this work because their last line
> ! is a permit ip any any? It "appears" that this permit should be before the dynamic ACL
> access-list 120 deny tcp 172.16.32.0 0.0.3.255 host 172.16.25.5 eq telnet
> ! If we were going to build this for the destination loopback of R5 as well the following has to be added....
> ! access-list 120 deny tcp 172.16.32.0 0.0.0.255 host 172.16.105.1
> ! The next line would be: access-list 120 permit ip any any. The question does not call for dropping any other traffic.
> access-list 120 permit ospf any any
> access-list 120 permit eigrp any any
> access-list 120 permit pim any any
> access-list 120 permit icmp any any
> access-list 120 permit igmp any any
> access-list 120 permit tcp any any eq 1720
> access-list 120 permit tcp any eq 1720 any
> access-list 120 permit tcp any host 172.16.124.1 eq telnet
> access-list 120 permit tcp any host 172.16.13.1 eq telnet
> access-list 120 permit tcp 172.16.32.0 0.0.3.255 host 172.16.124.1 eq 8080
> access-list 120 permit udp any any range 16384 32767
> access-list 120 permit tcp any any eq bgp
> access-list 120 permit tcp any eq bgp any
> access-list 120 deny ip any any log
>
> I also don't understand the use of the following command:
> username SALLY autocommand access-enable
> The configuration guide for Lock-and-key uses this command:
>
> autocommand access-enable host
>
> The 12.3 documentation (what I'm working off of) doesn't mention the
> username X autocommand access-enable option. Please advise.
>
>
> Sincerely,
>
> Dennis J. Hartmann
>
> White Pine Communications
>
> dh8@pobox.com
>
> CCSI#23402/CCIP/CCNP/CCDP/CCNA/CCDA
>
> Cisco IP Voice Support & Design Specialist
>
> Cisco Optical, VPN & IDS Specialist
>
> MCSE
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

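The part of the thread that neither poster spells out is how the three pieces of Lock-and-Key fit together on the router: the static permit that lets the user reach the router at all, the dynamic ACL entry, and the local username whose autocommand turns the entry on. Below is a complete Lock-and-Key configuration added here as an illustration; it is not the NMC answer key and not code from either poster. The VLAN 30 subnet (172.16.32.0/22, inferred from the deny line in the posted ACL), R1's ingress address 172.16.124.1, the interface name Serial0/0, the trimmed-down tail of the ACL and the user's password are all assumptions.

```cisco
! Lock-and-Key on R1 (constructed example; addresses, interface name and
! password are assumptions, not taken from the NMC scenario).
!
! Assumed topology:
!   VLAN 30      = 172.16.32.0/22  (the users who need telnet to R5)
!   R1 Serial0/0 = 172.16.124.1    (ACL 120 applied inbound; users telnet
!                                    here to authenticate)
!   R5           = 172.16.25.5     (the protected telnet target)
!
! Local user whose only job is to open the dynamic entry. Putting the
! autocommand on the username instead of on the vty line keeps a normal EXEC
! shell for every other local user on the same vtys (the admins).
! "host" limits the temporary entry to the IP address that authenticated
! rather than the whole VLAN 30 range; "timeout 5" is an idle timeout and
! must be shorter than the absolute "timeout 10" on the dynamic entry below.
username SALLY secret sallypass
username SALLY autocommand access-enable host timeout 5
!
line vty 0 4
 login local
!
access-list 120 remark --- Lock-and-Key: VLAN 30 -> R5 telnet ---
! 1. The authenticating telnet to R1 itself is permitted statically; without
!    it nobody can ever trigger the dynamic entry.
access-list 120 permit tcp 172.16.32.0 0.0.3.255 host 172.16.124.1 eq telnet
! 2. The dynamic entry, with the source narrowed from "any" to VLAN 30. When
!    SALLY logs in, a temporary permit for her host is inserted at this
!    position in the list and is removed after the timeout (or when cleared).
access-list 120 dynamic VLAN30 timeout 10 permit tcp 172.16.32.0 0.0.3.255 host 172.16.25.5 eq telnet
! 3. With no active temporary entry, VLAN 30 -> R5 telnet is dropped here.
!    This is redundant given the final deny, but it makes the intent explicit
!    and keeps these expected drops out of the log.
access-list 120 deny tcp 172.16.32.0 0.0.3.255 host 172.16.25.5 eq telnet
! 4. Whatever else the scenario requires goes here (routing protocols, the
!    other telnet targets, and so on); the posted ACL has the full list.
access-list 120 permit ospf any any
! 5. Explicit logged deny at the end, so anything forgotten shows up in the log.
access-list 120 deny ip any any log
!
interface Serial0/0
 ip address 172.16.124.1 255.255.255.0
 ip access-group 120 in
```

Flow at run time: a host in VLAN 30 telnets to 172.16.124.1 (matched by the static permit in step 1), logs in as SALLY, the autocommand runs access-enable, the temporary entry is created under the dynamic line with that host as the source, and the telnet session is then closed. The user now opens a second telnet to 172.16.25.5, which matches the temporary entry before reaching the deny. show access-lists 120 displays the temporary entries under the dynamic line, and clear access-template removes one by hand. Two things worth checking in the lab: access-enable is not listed by ? on the EXEC prompt, exactly as Sean quotes, so it has to be typed from memory; and if neither timeout is configured the temporary entry stays until it is cleared.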


This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3