Re: IEWB Vol 2 Lab2.10.1

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Sat Jun 04 2005 - 19:38:24 GMT-3


Hmmm, ok. Thanks for the answers (and I hate long emails) but now I'm really
scratching my head...

Sumit - from your comment to Wang:
>You have permit ip any any which will permit all the traffic. If you want to
>allow all the traffic add it to dynamic entry
If everything is allowed before anything is denied, then the deny acl below
the dynamic is never used since all traffic is allowed. I must be
misunderstanding what you mean.

Wang & Sumit:
1-so telnet traffic is not a 'must' in a static ACL before the dynamic ACL in
order for lock-n-key to work?
2-If true, does telnet traffic need to be at least allowed in the dynamic ACL
for lock-n-key?

After some further research, I found a DoIT (Lab 3) that also does not have a
static telnet before the dynamic. But, in that DoIT lab, telnet traffic is at
least referenced in the dynamic ACL. My point of confusion is that on the
IEWB Vol 2 Lab 2 task, telnet is not used at all in the ACL - before the
dynamic ACL, in the dynamic ACL or after the dynamic ACL. One of the IEWB
tasks states: "Authenticated hosts should be able to access the server using
only TCP port 8080". The server is at IP 172.1.3.100. I would not know if
the TCP port 8080 is needed to access the router, or the server. From the
wording, I would assume port 8080 is needed to access the server, not the
router.

The posted solution is:
ip access-list extended DYNAMIC
dynamic WEB permit tcp any host 172.1.3.100 eq 8080
deny ip any host 172.1.3.100
 permit ip any any

As you can see, there is no telnet in this lock-n-key. But port 8080 may be
enough if I'm understanding you 2 correctly. Appreciate any words of wisdom,
Sean

  ----- Original Message -----
  From: sumit.kumar@comcast.net
  To: Wang Dehong-DWANG1 ; 'Sean C'
  Cc: GroupStudy
  Sent: Saturday, June 04, 2005 6:10 PM
  Subject: RE: IEWB Vol 2 Lab2.10.1

  Wang,
  your point is correct but I beg not to agree with your config. You have
permit ip any any which will permit all the traffic.
   If you want to allow all the traffic add it to dynamic entry.

  Sean,
  I guess the sequence of ACL does not matter as long as you are not denying
telnet packets before permitting.
  Make sure you do not permit the dynamic traffic by any other static entry.

  5.5 is the local router and 8.8 is the connected router to which dynamic access is
provided. Remote hosts telnet into 5.5, get authenticated and then can
telnet to 8.8 in both scenarios

  see the first example permitting telnet to R5 before the dynamic seq

  Extended IP access list 121
      1 permit tcp any host 150.1.5.5 eq telnet (306 matches)
      20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet permit tcp any host 150.1.8.8 eq telnet (14 matches)
      30 permit tcp any any eq 639 (4496 matches)
      110 deny ip any any log-input

   and secondly after dynamic sequence
  Extended IP access list 121
      20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet permit tcp any host 150.1.8.8 eq telnet (13 matches)
      21 permit tcp any host 150.1.5.5 eq telnet (159 matches)
      30 permit tcp any any eq 639 (5922 matches)
      110 deny ip any any log-input
    -------------- Original message --------------

> Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind
> that you always have to be able to telnet to the authentication router but for
> the access-list you don't have to exclusively have the telnet keyword. You just
> want some kind of traffic passthrough or not. You should permit your conditional
> entry with dynamic, then deny them if the condition does not meet (not authorized
> with lock-key), then permit what else needed. Here is an example, I want R1 to
> pass through tcp packet to subnet 167.1.23.0/24 using lock-key. I don't have to
> explicitly specify the telnet session to R1 since it is implicitly allowed.
>
> Rack1R1(config)#do sh access-l 100
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (2 matches)
> Rack1R1(config)#
> Rack1R1(config)#
> Rack1R1(config)#do sh run int s0/1
> Building configuration...
>
> Current configuration : 123 bytes
> !
> interface Serial0/1
> ip address 167.1.13.1 255.255.255.0
> ip access-group 100 in
> ip router isis
> clockrate 128000
> End
>
> =======
> Rack1R3#telnet 167.1.13.1
> Trying 167.1.13.1 ... Open
>
>
> User Access Verification
>
> Password:
> [Connection to 167.1.13.1 closed by foreign host]
>
> =========
> Rack1R1(config)#
> Rack1R1(config)#do sh access-l
> Rack1R1(config)#do sh access-l
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (34 matches)
>
> HTH
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C
> Sent: Saturday, June 04, 2005 2:55 PM
> To: GroupStudy
> Subject: IEWB Vol 2 Lab2.10.1
>
>
> Hello,
>
> Thought I 'had' Lock-n-key down, but now I'm wondering...
>
> On IEWB's Volume 2 Lab 2, task 10.1 - can anyone explain why in this
> lock-and-key scenario the ACL doesn't need telnet allowed to the receiving
> router, first, before the dynamic ACL. I understand the tcp 8080 on the dynamic
> line, but shouldn't the user first need to authenticate to R3?
>
> From the CD, the fourth point:
> Configure Telnet as the protocol so that users must open a Telnet session into
> the router to be authenticated before they can gain access through the router.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
>
>
> Something like:
> ip access-list extended DYNAMIC
> permit tcp any host eq telnet
> dynamic WEB permit tcp any host 172.1.3.100 eq 8080
> deny ip any host 172.1.3.100
> permit ip any any
>
> As always, thanks,
> Sean
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
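The whole thread turns on how IOS walks an access list that contains a lock-and-key (dynamic) entry: the template line matches nothing until a source authenticates, the temporary entry IOS then creates applies only to that source, and the host's telnet to the router must itself pass the same inbound ACL. The following Python model is an added example written for this archive page; it is not code from any poster or from Cisco. It reproduces the posted solution for Lab 2.10.1, the "permit ip any any first" ordering Sumit objects to, and a third list that denies telnet to the router ahead of the dynamic entry. The router interface address 172.1.3.3 and the client addresses 10.0.0.x are constructed for the simulation and are not from the thread; idle/absolute timeouts and wildcard masks are left out.

```python
"""Toy model of Cisco IOS lock-and-key ACL evaluation (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ROUTER_IP = "172.1.3.3"      # assumed address of the authenticating router (constructed)
SERVER_IP = "172.1.3.100"    # server address from the lab task


@dataclass
class Packet:
    proto: str                 # "tcp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or an exact host address
    dst: str
    dport: Optional[int] = None
    dynamic: bool = False      # True for the lock-and-key template line
    # Sources that have authenticated. IOS inserts a temporary entry per source
    # right below the template; here that is modelled as a membership set.
    active_for: Set[str] = field(default_factory=set)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First match wins; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.dynamic:
            # The template never matches by itself; only the temporary
            # entries created for authenticated sources do.
            if pkt.src in e.active_for and e.matches(pkt):
                return e.action
            continue
        if e.matches(pkt):
            return e.action
    return "deny"


def authenticate(acl: List[Entry], host: str, router_ip: str = ROUTER_IP) -> bool:
    """Lock-and-key login: the telnet to the router is itself subject to the
    inbound ACL. If it is denied, no temporary entry is ever created."""
    if evaluate(acl, Packet("tcp", host, router_ip, 23)) != "permit":
        return False
    for e in acl:
        if e.dynamic:
            e.active_for.add(host)
    return True


def posted_solution() -> List[Entry]:
    # ip access-list extended DYNAMIC  (as posted in the thread)
    return [
        Entry("permit", "tcp", "any", SERVER_IP, 8080, dynamic=True),
        Entry("deny", "ip", "any", SERVER_IP),
        Entry("permit", "ip", "any", "any"),      # also covers telnet to the router
    ]


def permit_first_variant() -> List[Entry]:
    # "permit ip any any" ahead of the dynamic line: the dynamic entry is dead code
    return [
        Entry("permit", "ip", "any", "any"),
        Entry("permit", "tcp", "any", SERVER_IP, 8080, dynamic=True),
        Entry("deny", "ip", "any", SERVER_IP),
    ]


def telnet_denied_variant() -> List[Entry]:
    # Denying telnet to the router before the dynamic line breaks authentication
    return [
        Entry("deny", "tcp", "any", ROUTER_IP, 23),
        Entry("permit", "tcp", "any", SERVER_IP, 8080, dynamic=True),
        Entry("deny", "ip", "any", SERVER_IP),
        Entry("permit", "ip", "any", "any"),
    ]


if __name__ == "__main__":
    acl = posted_solution()
    web = Packet("tcp", "10.0.0.5", SERVER_IP, 8080)
    print("before auth:", evaluate(acl, web))
    print("auth ok:", authenticate(acl, "10.0.0.5"))
    print("after auth:", evaluate(acl, web))
    print("other host:", evaluate(acl, Packet("tcp", "10.0.0.9", SERVER_IP, 8080)))
```

Running it shows why the posted solution needs no explicit telnet line: the trailing `permit ip any any` already lets the client reach the router's VTY, while the `deny ip any host 172.1.3.100` between the template and that line keeps unauthenticated hosts off the server. Reordering so `permit ip any any` comes first permits port 8080 for everyone without authenticating, which is the flaw Sumit points at; a deny of telnet to the router ahead of the template stops the login and therefore the whole mechanism.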



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3