RE: IEWB Vol 2 Lab2.10.1

From: Wang Dehong-DWANG1 (Dehong.Wang@motorola.com)
Date: Sat Jun 04 2005 - 20:38:16 GMT-3


Port 8080 has nothing to do with telnet. It is just what kind of dynamic list you want to put on the router. At least this is what I think, and I will try to keep my reply shorter :) Again, telnet traffic must be allowed into the authentication router, but it doesn't have to be stated explicitly. Take the DoIT lab 3 you mentioned. R1 is the authentication router, so the access-list must be able to allow telnet traffic into R1. R1 will allow WEB traffic to host 172.1.3.100 to pass through if the user authenticates using lock-key.
 
ip access-list extended DYNAMIC
dynamic WEB permit tcp any host 172.1.3.100 eq 8080
deny ip any host 172.1.3.100
permit ip any any <---- this will implicitly allow telnet into R1; it could be different depending on the requirement.
 
Pay attention to the differences before and after the dynamic list is activated in the output I had before.
 
Before the dynamic list is enabled:
=====================
Extended IP access list 100
10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 <=== this entry will be skipped when checking any packet.
20 deny tcp any 167.1.23.0 0.0.0.255 <=== so any tcp packet sent to 167.1.23.0/24 will be blocked
30 permit ip any any (2 matches)

After the dynamic list is enabled:
===================
Rack1R1(config)#do sh access-l
Extended IP access list 100
10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
    permit tcp any 167.1.23.0 0.0.0.255 <======== any tcp packet sent to 167.1.23.0/24 will be allowed
20 deny tcp any 167.1.23.0 0.0.0.255 <======== this one will be skipped since 10 has already allowed it.
30 permit ip any any (34 matches)

 
Also, a dynamic list can be used to allow UDP or ICMP traffic instead of tcp traffic. I can write a test scenario which says to only allow udp packets to host 172.1.3.100 on port 8080 to pass through R1. It would be something like this.
 
ip access-list extended DYN_UDP
dynamic WEB permit udp any host 172.1.3.100 eq 8080
deny udp any host 172.1.3.100
permit ip any any <---- this will implicitly allow the user to telnet into R1 to enable access.
 
sorry, still too long :)

-----Original Message-----
From: Sean C [mailto:Upp_and_Upp@hotmail.com]
Sent: Saturday, June 04, 2005 5:38 PM
To: sumit.kumar@comcast.net; Wang Dehong-DWANG1
Cc: GroupStudy
Subject: Re: IEWB Vol 2 Lab2.10.1

Hmmm, ok. Thanks for the answers (and I hate long emails) but now I'm really scratching my head...
 
Sumit - from your comment to Wang:
>You have permit ip any any which will permit all the traffic. If you want to allow all the traffic add it to dynamic entry
If everything is allowed before anything is denied, then the deny acl below the dynamic is never used since all traffic is allowed. I must be misunderstanding what you mean.
 
Wang & Sumit:
1-so telnet traffic is not a 'must' in a static ACL before the dynamic ACL in order for lock-n-key to work?
2-If true, does telnet traffic need to be at least allowed in the dynamic ACL for lock-n-key?
 
After some further research, I found a DoIT lab (Lab 3) that also does not have a static telnet before the dynamic. But, in that DoIT lab, telnet traffic is at least referenced in the dynamic ACL. My point of confusion is that on the IEWB Vol 2 Lab 2 task, telnet is not used at all in the ACL - before the dynamic ACL, in the dynamic ACL or after the dynamic ACL. One of the IEWB tasks states: "Authenticated hosts should be able to access the server using only TCP port 8080". The server is at IP 172.1.3.100. I would not know if TCP port 8080 is needed to access the router, or the server. From the wording, I would assume port 8080 is needed to access the server, not the router.
 
The posted solution is:
ip access-list extended DYNAMIC
dynamic WEB permit tcp any host 172.1.3.100 eq 8080
deny ip any host 172.1.3.100
permit ip any any
 
As you can see, there is no telnet in this lock-n-key. But port 8080 may be enough if I'm understanding you 2 correctly. Appreciate any words of wisdom,
Sean

----- Original Message -----
From: sumit.kumar@comcast.net
To: Wang Dehong-DWANG1 <Dehong.Wang@motorola.com>; 'Sean C' <Upp_and_Upp@hotmail.com>
Cc: GroupStudy <ccielab@groupstudy.com>
Sent: Saturday, June 04, 2005 6:10 PM
Subject: RE: IEWB Vol 2 Lab2.10.1

Wang,
your point is correct but I beg to disagree with your config. You have permit ip any any which will permit all the traffic.
 If you want to allow all the traffic add it to dynamic entry.
 
Sean,
I guess the sequence of the ACL does not matter as long as you are not denying telnet packets before permitting them.
Make sure you do not permit the dynamic traffic by any other static entry.
 
 
5.5 is the local router and 8.8 is the connected router to which dynamic access is provided. Remote hosts telnet into 5.5, get authenticated, and then can telnet to 8.8 in both scenarios.
 
See the first example, permitting telnet to R5 before the dynamic sequence:
 
Extended IP access list 121
    1 permit tcp any host 150.1.5.5 eq telnet (306 matches)
    20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
        permit tcp any host 150.1.8.8 eq telnet (14 matches)
    30 permit tcp any any eq 639 (4496 matches)
    110 deny ip any any log-input
 
And secondly, after the dynamic sequence:
Extended IP access list 121
    20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
        permit tcp any host 150.1.8.8 eq telnet (13 matches)
    21 permit tcp any host 150.1.5.5 eq telnet (159 matches)
    30 permit tcp any any eq 639 (5922 matches)
    110 deny ip any any log-input

-------------- Original message --------------

> Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind
> that you always have to be able to telnet to the authentication router, but for
> the access-list you don't have to explicitly have the telnet keyword. You just
> want some kind of traffic to pass through or not. You should permit your conditional
> entry with dynamic, then deny it if the condition is not met (not authorized
> with lock-key), then permit whatever else is needed. Here is an example: I want R1 to
> pass tcp packets through to subnet 167.1.23.0/24 using lock-key. I don't have to
> explicitly specify the telnet session to R1 since it is implicitly allowed.
>
> Rack1R1(config)#do sh access-l 100
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (2 matches)
> Rack1R1(config)#
> Rack1R1(config)#
> Rack1R1(config)#do sh run int s0/1
> Building configuration...
>
> Current configuration : 123 bytes
> !
> interface Serial0/1
> ip address 167.1.13.1 255.255.255.0
> ip access-group 100 in
> ip router isis
> clockrate 128000
> end
>
> =======
> Rack1R3#telnet 167.1.13.1
> Trying 167.1.13.1 ... Open
>
>
> User Access Verification
>
> Password:
> [Connection to 167.1.13.1 closed by foreign host]
>
> =========
> Rack1R1(config)#
> Rack1R1(config)#do sh access-l
> Rack1R1(config)#do sh access-l
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (34 matches)
>
> HTH
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C
> Sent: Saturday, June 04, 2005 2:55 PM
> To: GroupStudy
> Subject: IEWB Vol 2 Lab2.10.1
>
>
> Hello,
>
> Thought I 'had' Lock-n-key down, but now I'm wondering...
>
> On IEWB's Volume 2 Lab 2, task 10.1 - can anyone explain why in this
> lock-and-key scenario the ACL doesn't need telnet allowed to the receiving
> router, first, before the dynamic ACL. I understand the tcp 8080 on the dynamic
> line, but shouldn't the user first need to authenticate to R3?
>
> From the CD, the fourth point:
> Configure Telnet as the protocol so that users must open a Telnet session into
> the router to be authenticated before they can gain access through the router.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecu
> r_c/ftrafwl/scflock.htm#wp1001063
>
>
> Something like:
> ip access-list extended DYNAMIC
> permit tcp any host eq telnet
> dynamic WEB permit tcp any host 172.1.3.100 eq 8080
> deny ip any host 172.1.3.100
> permit ip any any
>
> As always, thanks,
> Sean
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
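The ACL walk the three posters are arguing about, as an added example that is not part of the thread and not Cisco's code: a small Python model of how IOS evaluates an extended ACL that holds a lock-and-key dynamic entry. The dynamic entry is a template that is never matched itself; a successful Telnet login (IOS access-enable, modelled here by access_enable) inserts a temporary copy at the template's position, and with the 'host' keyword the temporary entry's source is narrowed to the host that logged in. The ACLs are Wang's ACL 100, the posted IEWB solution and Sumit's ACL 121; the dynamic list in ACL 100 is named 'permit' because that is what the show output says. R3's address 167.1.13.3, the target 167.1.23.2, the clients 172.1.13.100 and 172.1.13.101 and the remote host 150.1.9.9 are constructed for the example.

```python
# Added example, not code from the thread or from Cisco: a model of how IOS
# walks an extended ACL holding a lock-and-key dynamic entry. The dynamic entry
# is a template that is never matched itself; a successful Telnet login
# (access-enable) inserts a temporary copy at its position.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Entry:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip', 'tcp', 'udp' or 'icmp'
    src: str = "any"                # 'any', 'A.B.C.D' (host) or 'A.B.C.D/len'
    dst: str = "any"
    dport: Optional[int] = None     # 'eq <port>' on the destination
    dynamic: Optional[str] = None   # dynamic-list name, if this is the template
    temp: Optional["Entry"] = None  # temporary entry created by access-enable

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and (e.dport is None or e.dport == p.dport)
            and _addr_ok(e.src, p.src) and _addr_ok(e.dst, p.dst))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match wins; implicit deny at the end of the list."""
    for e in acl:
        if e.dynamic is not None:          # template: only its temp entry counts
            if e.temp is not None and _matches(e.temp, p):
                return e.temp.action
            continue
        if _matches(e, p):
            return e.action
    return "deny"

def access_enable(acl: List[Entry], name: str, host: Optional[str] = None) -> None:
    """Effect of a lock-and-key login: create the temporary entry for dynamic
    list <name>; with the 'host' keyword the source is the authenticating host."""
    for e in acl:
        if e.dynamic == name:
            e.temp = replace(e, dynamic=None, src=host or e.src)
            return
    raise KeyError(name)

def iewb_acl(with_deny: bool = True) -> List[Entry]:
    """Posted IEWB solution; with_deny=False drops the deny line (Sumit's pitfall:
    a later static entry permitting the dynamic traffic)."""
    acl = [Entry("permit", "tcp", dst="172.1.3.100", dport=8080, dynamic="WEB")]
    if with_deny:
        acl.append(Entry("deny", "ip", dst="172.1.3.100"))
    return acl + [Entry("permit", "ip")]

def sumit_acl(telnet_first: bool) -> List[Entry]:
    """Sumit's ACL 121 with the static Telnet permit before or after the dynamic entry."""
    telnet_r5 = Entry("permit", "tcp", dst="150.1.5.5", dport=23)
    dyn = Entry("permit", "tcp", dst="150.1.8.8", dport=23, dynamic="sumit")
    head = [telnet_r5, dyn] if telnet_first else [dyn, telnet_r5]
    return head + [Entry("permit", "tcp", dport=639), Entry("deny", "ip")]

def run() -> Dict[str, str]:
    r: Dict[str, str] = {}
    # Wang's ACL 100 on R1 Serial0/1 (167.1.13.1); the dynamic list is named
    # 'permit'. R3's address 167.1.13.3 and the target 167.1.23.2 are constructed.
    acl100 = [Entry("permit", "tcp", dst="167.1.23.0/24", dynamic="permit"),
              Entry("deny", "tcp", dst="167.1.23.0/24"), Entry("permit", "ip")]
    telnet_r1 = Packet("tcp", "167.1.13.3", "167.1.13.1", 23)
    tcp_r2 = Packet("tcp", "167.1.13.3", "167.1.23.2", 80)
    r["100_telnet_r1"] = evaluate(acl100, telnet_r1)   # permit, via 'permit ip any any'
    r["100_tcp_before"] = evaluate(acl100, tcp_r2)     # deny, line 20
    access_enable(acl100, "permit")
    r["100_tcp_after"] = evaluate(acl100, tcp_r2)      # permit, temporary entry
    # IEWB task: constructed client 172.1.13.100 logs in with 'access-enable host'.
    client, other = "172.1.13.100", "172.1.13.101"
    web = Packet("tcp", client, "172.1.3.100", 8080)
    acl = iewb_acl()
    r["iewb_before"] = evaluate(acl, web)
    access_enable(acl, "WEB", host=client)
    r["iewb_after"] = evaluate(acl, web)
    r["iewb_other_host"] = evaluate(acl, replace(web, src=other))
    r["iewb_port_22"] = evaluate(acl, replace(web, dport=22))
    r["iewb_no_deny"] = evaluate(iewb_acl(False), web)  # unauthenticated, yet permitted
    # Sumit's point: the Telnet permit to R5 works on either side of the dynamic entry.
    to_r5 = Packet("tcp", "150.1.9.9", "150.1.5.5", 23)  # constructed source
    r["121_telnet_first"] = evaluate(sumit_acl(True), to_r5)
    r["121_telnet_after"] = evaluate(sumit_acl(False), to_r5)
    return r

if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:18} {v}")
```

Running it shows the three things the thread circles around: the Telnet session to the authentication router only has to hit some permit (the trailing 'permit ip any any' is enough, so no explicit telnet line is needed); the protected traffic is denied by the line after the template until the temporary entry exists, and with 'access-enable host' it stays denied for every other source; and if that deny line is left out, the final 'permit ip any any' hands out port 8080 to everyone without authenticating, which is the pitfall Sumit warns about.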



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3