From: sumit.kumar@comcast.net
Date: Sat Jun 04 2005 - 19:10:56 GMT-3
Wang,
Your point is correct, but I beg to disagree with your config. You have "permit ip any any", which will permit all the traffic.
If you want to allow all the traffic, add it to the dynamic entry.
Sean,
I guess the sequence of the ACL does not matter as long as you are not denying telnet packets before permitting them.
Make sure you do not permit the dynamic traffic by any other static entry.
5.5 is the local router and 8.8 is the connected router to which dynamic access is provided. Remote hosts telnet into 5.5, get authenticated, and then can telnet to 8.8 in both scenarios.
See the first example, permitting telnet to R5 before the dynamic sequence:
Extended IP access list 121
    1 permit tcp any host 150.1.5.5 eq telnet (306 matches)
    20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
       permit tcp any host 150.1.8.8 eq telnet (14 matches)
    30 permit tcp any any eq 639 (4496 matches)
    110 deny ip any any log-input 
and secondly, after the dynamic sequence:
Extended IP access list 121
    20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
       permit tcp any host 150.1.8.8 eq telnet (13 matches)
    21 permit tcp any host 150.1.5.5 eq telnet (159 matches)
    30 permit tcp any any eq 639 (5922 matches)
    110 deny ip any any log-input 
-------------- Original message -------------- 
> Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind 
> that you always have to be able to telnet to the authentication router but for 
> the access-list you don't have to exclusively have the telnet keyword. You just 
> want some kind of traffic passthrough or not. You should permit your conditional 
> entry with dynamic, then deny them if the condition is not met (not authorized 
> with lock-key), then permit whatever else is needed. Here is an example: I want R1 to 
> pass through tcp packets to subnet 167.1.23.0/24 using lock-key. I don't have to 
> explicitly specify the telnet session to R1 since it is implicitly allowed. 
> 
> Rack1R1(config)#do sh access-l 100 
> Extended IP access list 100 
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 
> 20 deny tcp any 167.1.23.0 0.0.0.255 
> 30 permit ip any any (2 matches) 
> Rack1R1(config)# 
> Rack1R1(config)# 
> Rack1R1(config)#do sh run int s0/1 
> Building configuration... 
> 
> Current configuration : 123 bytes 
> ! 
> interface Serial0/1 
> ip address 167.1.13.1 255.255.255.0 
> ip access-group 100 in 
> ip router isis 
> clockrate 128000 
> end 
> 
> ======= 
> Rack1R3#telnet 167.1.13.1 
> Trying 167.1.13.1 ... Open 
> 
> 
> User Access Verification 
> 
> Password: 
> [Connection to 167.1.13.1 closed by foreign host] 
> 
> ========= 
> Rack1R1(config)# 
> Rack1R1(config)#do sh access-l 
> Rack1R1(config)#do sh access-l 
> Extended IP access list 100 
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 
> permit tcp any 167.1.23.0 0.0.0.255 
> 20 deny tcp any 167.1.23.0 0.0.0.255 
> 30 permit ip any any (34 matches) 
> 
> HTH 
> 
> -----Original Message----- 
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C 
> Sent: Saturday, June 04, 2005 2:55 PM 
> To: GroupStudy 
> Subject: IEWB Vol 2 Lab2.10.1 
> 
> 
> Hello, 
> 
> Thought I 'had' Lock-n-key down, but now I'm wondering... 
> 
> On IEWB's Volume 2 Lab 2, task 10.1 - can anyone explain why in this 
> lock-and-key scenario the ACL doesn't need telnet allowed to the receiving 
> router, first, before the dynamic ACL. I understand the tcp 8080 on the dynamic 
> line, but shouldn't the user first need to authenticate to R3? 
> 
> From the CD, the fourth point: 
> Configure Telnet as the protocol so that users must open a Telnet session into 
> the router to be authenticated before they can gain access through the router. 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecu 
> r_c/ftrafwl/scflock.htm#wp1001063 
> 
> 
> Something like: 
> ip access-list extended DYNAMIC 
> permit tcp any host eq telnet 
> dynamic WEB permit tcp any host 172.1.3.100 eq 8080 
> deny ip any host 172.1.3.100 
> permit ip any any 
> 
> As always, thanks, 
> Sean 
> 
> _______________________________________________________________________ 
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html 
> 
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3