From: sumit.kumar@comcast.net
Date: Sat Jun 04 2005 - 19:16:44 GMT-3
Wang,
I take my comments back; I just noticed you have denied the dynamic traffic before permit ip any any, which is correct.
Sumit
-------------- Original message -------------- 
> Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind 
> that you always have to be able to telnet to the authentication router, but for 
> the access-list you don't have to explicitly have the telnet keyword. You just 
> want some kind of traffic to pass through or not. You should permit your conditional 
> entry with dynamic, then deny them if the condition is not met (not authorized 
> with lock-key), then permit whatever else is needed. Here is an example: I want R1 to 
> pass through tcp packets to subnet 167.1.23.0/24 using lock-key. I don't have to 
> explicitly specify the telnet session to R1 since it is implicitly allowed. 
> 
> Rack1R1(config)#do sh access-l 100 
> Extended IP access list 100 
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 
> 20 deny tcp any 167.1.23.0 0.0.0.255 
> 30 permit ip any any (2 matches) 
> Rack1R1(config)# 
> Rack1R1(config)# 
> Rack1R1(config)#do sh run int s0/1 
> Building configuration... 
> 
> Current configuration : 123 bytes 
> ! 
> interface Serial0/1 
> ip address 167.1.13.1 255.255.255.0 
> ip access-group 100 in 
> ip router isis 
> clockrate 128000 
> End 
> 
> ======= 
> Rack1R3#telnet 167.1.13.1 
> Trying 167.1.13.1 ... Open 
> 
> 
> User Access Verification 
> 
> Password: 
> [Connection to 167.1.13.1 closed by foreign host] 
> 
> ========= 
> Rack1R1(config)# 
> Rack1R1(config)#do sh access-l 
> Rack1R1(config)#do sh access-l 
> Extended IP access list 100 
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 
> permit tcp any 167.1.23.0 0.0.0.255 
> 20 deny tcp any 167.1.23.0 0.0.0.255 
> 30 permit ip any any (34 matches) 
> 
> HTH 
> 
> -----Original Message----- 
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C 
> Sent: Saturday, June 04, 2005 2:55 PM 
> To: GroupStudy 
> Subject: IEWB Vol 2 Lab2.10.1 
> 
> 
> Hello, 
> 
> Thought I 'had' Lock-n-key down, but now I'm wondering... 
> 
> On IEWB's Volume 2 Lab 2, task 10.1 - can anyone explain why, in this 
> lock-and-key scenario, the ACL doesn't need telnet allowed to the receiving 
> router first, before the dynamic ACL? I understand the tcp 8080 on the dynamic 
> line, but shouldn't the user first need to authenticate to R3? 
> 
> From the CD, the fourth point: 
> Configure Telnet as the protocol so that users must open a Telnet session into 
> the router to be authenticated before they can gain access through the router. 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063 
> 
> 
> Something like: 
> ip access-list extended DYNAMIC 
> permit tcp any host eq telnet 
> dynamic WEB permit tcp any host 172.1.3.100 eq 8080 
> deny ip any host 172.1.3.100 
> permit ip any any 
> 
> As always, thanks, 
> Sean 
> 
> _______________________________________________________________________ 
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html 
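As an added illustration (not code from the thread), a small Python model of first-match evaluation of Wang's access list 100, with the dynamic line activated by a simulated `access-enable host` login after Telnet authentication. The source hosts 167.1.13.3 and 167.1.13.4 and the destination 167.1.23.2 are assumed values; 167.1.13.1 and the list itself are from the thread.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" or "tcp"
    dst: str               # destination base address ("any" is 0.0.0.0)
    wildcard: str          # Cisco wildcard mask: 1 bits are "don't care"
    dynamic: bool = False  # lock-and-key template; never matches traffic itself
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)   # force don't-care bits to 1 on both sides
class LockAndKeyACL:
    def __init__(self, entries):
        self.entries = entries
        self.temporary = []  # (source host, template) pairs, checked first
    def access_enable(self, src: str):
        # Models 'autocommand access-enable host' after a Telnet login to the router.
        for e in self.entries:
            if e.dynamic:
                self.temporary.append((src, e))
    def evaluate(self, proto: str, src: str, dst: str) -> str:
        def hits(e):
            return e.proto in ("ip", proto) and wildcard_match(dst, e.dst, e.wildcard)
        for host, e in self.temporary:
            if host == src and hits(e):
                return e.action
        for e in self.entries:
            if not e.dynamic and hits(e):
                return e.action
        return "deny"  # implicit deny at the end of every IOS access list

def build_acl_100() -> LockAndKeyACL:
    # Access list 100 as shown in Wang's 'sh access-l 100' output.
    return LockAndKeyACL([
        Entry("permit", "tcp", "167.1.23.0", "0.0.0.255", dynamic=True),  # 10 Dynamic
        Entry("deny", "tcp", "167.1.23.0", "0.0.0.255"),                  # 20
        Entry("permit", "ip", "0.0.0.0", "255.255.255.255"),              # 30 ip any any
    ])

def run_scenario(user="167.1.13.3", other="167.1.13.4"):
    # Hosts are assumed for the example; R1's S0/1 address 167.1.13.1 is from the page.
    acl = build_acl_100()
    telnet_to_r1 = acl.evaluate("tcp", user, "167.1.13.1")  # line 30: no telnet line needed
    before = acl.evaluate("tcp", user, "167.1.23.2")        # line 20: denied until authenticated
    acl.access_enable(user)                                 # successful Telnet login to R1
    after = acl.evaluate("tcp", user, "167.1.23.2")         # temporary entry permits it
    unauth = acl.evaluate("tcp", other, "167.1.23.2")       # other hosts are still denied
    return telnet_to_r1, before, after, unauth
```

Swapping lines 20 and 30 in build_acl_100 makes `before` come back "permit", which is exactly the ordering mistake Sumit first thought he saw.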
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3