From: Wang Dehong-DWANG1 (Dehong.Wang@motorola.com)
Date: Sat Jun 04 2005 - 17:50:05 GMT-3
Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind that you always have to be able to telnet to the authenticating router, but for the access-list you don't have to exclusively have the telnet keyword. You just want some kind of traffic to pass through or not. You should permit your conditional entry with dynamic, then deny them if the condition is not met (not authorized with lock-and-key), then permit whatever else is needed. Here is an example: I want R1 to pass TCP packets through to subnet 167.1.23.0/24 using lock-and-key. I don't have to explicitly specify the telnet session to R1 since it is implicitly allowed.
Rack1R1(config)#do sh access-l 100
Extended IP access list 100
10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
20 deny tcp any 167.1.23.0 0.0.0.255
30 permit ip any any (2 matches)
Rack1R1(config)#
Rack1R1(config)#
Rack1R1(config)#do sh run int s0/1
Building configuration...
Current configuration : 123 bytes
!
interface Serial0/1
ip address 167.1.13.1 255.255.255.0
ip access-group 100 in
ip router isis
clockrate 128000
End
=======
Rack1R3#telnet 167.1.13.1
Trying 167.1.13.1 ... Open
User Access Verification
Password:
[Connection to 167.1.13.1 closed by foreign host]
=========
Rack1R1(config)#
Rack1R1(config)#do sh access-l
Rack1R1(config)#do sh access-l
Extended IP access list 100
10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
permit tcp any 167.1.23.0 0.0.0.255
20 deny tcp any 167.1.23.0 0.0.0.255
30 permit ip any any (34 matches)
HTH
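The complete lock-and-key configuration that the reply above describes, written out as an added example (it is not configuration posted by either participant). It reuses the addresses from Wang's access-list 100 and adds the pieces the `show` output does not reveal: the local user with the `access-enable` autocommand, the vty login, and the timeouts. The username `lockkey`, the dynamic entry name `LOCKKEY`, the timeout values and the placeholder secret are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): full lock-and-key setup on R1,
! modelled on Wang's access-list 100. The username, the dynamic-entry
! name, the timeouts and the secret are assumptions for illustration.
!
! Local user whose only job is to open the dynamic entry. "access-enable host"
! creates a temporary entry for the source host that telnetted in, and the
! telnet session is closed afterwards, which is what R3 saw in the thread.
! "timeout 5" is the idle timeout in minutes; it must be shorter than the
! absolute timeout given on the dynamic ACL entry below.
username lockkey secret CHANGE-ME
username lockkey autocommand access-enable host timeout 5
!
! Order matters: IOS evaluates entries top-down, first match wins.
! 10: telnet to R1's own Serial0/1 address so users can authenticate
!     (Sean's explicit form). With a trailing "permit ip any any", as in
!     Wang's list, this entry is redundant; without such a catch-all it is
!     required, otherwise nobody can reach the router to authenticate.
! 20: dynamic entry, populated per source host after authentication;
!     "timeout 60" is the absolute lifetime of each temporary entry.
! 30: deny the protected subnet for anyone who has not authenticated.
! 40: everything else is allowed.
access-list 100 permit tcp any host 167.1.13.1 eq telnet
access-list 100 dynamic LOCKKEY timeout 60 permit tcp any 167.1.23.0 0.0.0.255
access-list 100 deny tcp any 167.1.23.0 0.0.0.255
access-list 100 permit ip any any
!
interface Serial0/1
 ip address 167.1.13.1 255.255.255.0
 ip access-group 100 in
!
line vty 0 4
 login local
!
! Verification (expected shape, following the output shown in the thread):
!   show access-lists 100
! After a host authenticates, a temporary "permit tcp host <src> 167.1.23.0
! 0.0.0.255" line appears under the Dynamic entry. To revoke access before
! the timers expire:
!   clear access-template 100 LOCKKEY
```

The two timers are the operational check worth making: the idle timeout on `access-enable` closes the hole when the user stops sending traffic, and the absolute timeout on the `dynamic` entry caps its lifetime regardless of activity. Whether entry 10 is needed depends only on whether some later entry already permits TCP to the router's interface address; in Wang's list entry 30 (`permit ip any any`) does, in Sean's draft the explicit telnet line does, and with a `deny ip any any` at the end neither would, so the explicit line becomes mandatory.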
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C
Sent: Saturday, June 04, 2005 2:55 PM
To: GroupStudy
Subject: IEWB Vol 2 Lab2.10.1
Hello,
Thought I 'had' Lock-n-key down, but now I'm wondering...
On IEWB's Volume 2 Lab 2, task 10.1: can anyone explain why, in this lock-and-key scenario, the ACL doesn't need telnet allowed to the receiving router first, before the dynamic ACL? I understand the tcp 8080 on the dynamic line, but shouldn't the user first need to authenticate to R3?
From the CD, the fourth point:
Configure Telnet as the protocol so that users must open a Telnet session into the router to be authenticated before they can gain access through the router. http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
Something like:
ip access-list extended DYNAMIC
permit tcp any host <R3IP> eq telnet
dynamic WEB permit tcp any host 172.1.3.100 eq 8080
deny ip any host 172.1.3.100
permit ip any any
As always, thanks,
Sean
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3