Re: IEWB Vol 2 Lab2.10.1

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Sat Jun 04 2005 - 21:06:14 GMT-3


Hi Wang,

First - I'm sorry if you thought I meant your replies were too long. I was
actually trying to comment on the length of my emails, simply because I don't
want to engage too much of your time by reading my long posts. Trust me, I am
enjoying reading everything you write. Apologies if my comment offended you;
it was meant more for me and my run-amok fingers.

I think I got what you mean now. As long as telnet is allowed (even implicitly)
before the dynamic ACL, in the dynamic ACL, or after the dynamic ACL AND before
the deny ip any any that's implicit at the end of any ACL, the telnet will
trigger the start of lock-n-key. After the telnet is authenticated, the
dynamic ACL will now be used (before authentication, the dynamic ACL is
skipped).

Definitely, an eye opener and I greatly appreciate your time and patience!
Sean

PS - another tip of the hat to the Brians for making me learn something I
thought I already knew!
  ----- Original Message -----
  From: Wang Dehong-DWANG1
  To: 'Sean C' ; sumit.kumar@comcast.net
  Cc: GroupStudy
  Sent: Saturday, June 04, 2005 7:38 PM
  Subject: RE: IEWB Vol 2 Lab2.10.1

  Port 8080 has nothing to do with telnet. It is just what kind of dynamic
list you want to put on the router. At least this is what I think, and I will try
to keep my reply shorter :) Again, telnet traffic must be allowed into the
authentication router, but it doesn't have to be stated explicitly. Take the
DoIT lab 3 you mentioned. R1 is the authentication router, so the access-list must
be able to allow telnet traffic into R1. R1 will allow WEB traffic to host
172.1.3.100 to pass through if the user authenticates using lock-key.

  ip access-list extended DYNAMIC
  dynamic WEB permit tcp any host 172.1.3.100 eq 8080
  deny ip any host 172.1.3.100
  permit ip any any <---- this will implicitly allow telnet into R1;
could be different depending on the requirement.

  Pay attention to the differences before and after the dynamic list is activated
in the output I had before.

  Before dynamic-list is enabled:
  =====================
  Extended IP access list 100

  10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255 <=== this list will
be skipped for any packet checking.

  20 deny tcp any 167.1.23.0 0.0.0.255 <=== so any
tcp packet sent to 167.1.23.0/24 will be blocked

  30 permit ip any any (2 matches)

  After dynamic-list is enabled:

  ===================

  Rack1R1(config)#do sh access-l

  Extended IP access list 100

  10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255

      permit tcp any 167.1.23.0 0.0.0.255 <======== any tcp packet
sent to 167.1.23.0/24 will be allowed

  20 deny tcp any 167.1.23.0 0.0.0.255 <======== this one will be
skipped since 10 already allowed it.

  30 permit ip any any (34 matches)

  Also, a dynamic list can be used to allow UDP or ICMP traffic instead of tcp
traffic. I can write a test scenario which says to only allow udp packets to host
172.1.3.100 on port 8080 to pass through R1. It will be something like this.

  ip access-list extended DYN_UDP
  dynamic WEB permit udp any host 172.1.3.100 eq 8080
  deny udp any host 172.1.3.100
  permit ip any any <---- this will implicitly allow the
user to telnet into R1 to enable access.

  sorry, still too long :)
    -----Original Message-----
    From: Sean C [mailto:Upp_and_Upp@hotmail.com]
    Sent: Saturday, June 04, 2005 5:38 PM
    To: sumit.kumar@comcast.net; Wang Dehong-DWANG1
    Cc: GroupStudy
    Subject: Re: IEWB Vol 2 Lab2.10.1

    Hmmm, ok. Thanks for the answers (and I hate long emails) but now I'm
really scratching my head...

    Sumit - from your comment to Wang:
>You have permit ip any any which will permit all the traffic. If you
want to allow all the traffic add it to dynamic entry
    If everything is allowed before anything is denied, then the deny acl
below the dynamic is never used since all traffic is allowed. I must be
misunderstanding what you mean.

    Wang & Sumit:
    1-so telnet traffic is not a 'must' in a static ACL before the dynamic
ACL in order for lock-n-key to work?
    2-If true, does telnet traffic need to be at least allowed in the dynamic
ACL for lock-n-key?

    After some further research, I found a DoIT (Lab 3) that also does not
have a static telnet before the dynamic. But, in that DoIT lab, telnet
traffic is at least referenced in the dynamic ACL. My point of confusion is
that on the IEWB Vol 2 Lab 2 task, telnet is not used at all in the ACL -
before the dynamic ACL, in the dynamic ACL or after the dynamic ACL. One of
the IEWB tasks' states: "Authenticated hosts should be able to access the
server using only TCP port 8080". The server is at IP 172.1.3.100. I would
not know if the TCP port 8080 is needed to access the router, or the server.
From the wording, I would assume port 8080 is needed to access the server, not
the router.

    The posted solution is:
    ip access-list extended DYNAMIC
    dynamic WEB permit tcp any host 172.1.3.100 eq 8080
    deny ip any host 172.1.3.100
    permit ip any any

    As you can see, there is no telnet in this lock-n-key. But port 8080
may be enough if I'm understanding you 2 correctly. Appreciate any words of
wisdom,
    Sean

      ----- Original Message -----
      From: sumit.kumar@comcast.net
      To: Wang Dehong-DWANG1 ; 'Sean C'
      Cc: GroupStudy
      Sent: Saturday, June 04, 2005 6:10 PM
      Subject: RE: IEWB Vol 2 Lab2.10.1

      Wang,
      Your point is correct, but I beg to differ with your config. You have
permit ip any any, which will permit all the traffic.
       If you want to allow all the traffic, add it to the dynamic entry.

      Sean,
      I guess the sequence of the ACL does not matter as long as you are not denying
telnet packets before permitting them.
      Make sure you do not permit the dynamic traffic by any other static
entry.

      5.5 is the local router and 8.8 is the connected router to which dynamic access
is provided. A remote host telnets into 5.5, gets authenticated, and then can
telnet to 8.8 in both scenarios.

      See the first example, permitting telnet to R5 before the dynamic sequence:

      Extended IP access list 121
          1 permit tcp any host 150.1.5.5 eq telnet (306 matches)
          20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
             permit tcp any host 150.1.8.8 eq telnet (14 matches)
          30 permit tcp any any eq 639 (4496 matches)
          110 deny ip any any log-input

       And secondly, after the dynamic sequence:
      Extended IP access list 121
          20 Dynamic sumit permit tcp any host 150.1.8.8 eq telnet
             permit tcp any host 150.1.8.8 eq telnet (13 matches)
          21 permit tcp any host 150.1.5.5 eq telnet (159 matches)
          30 permit tcp any any eq 639 (5922 matches)
          110 deny ip any any log-input
        -------------- Original message --------------

> Don't have the Vol 2, so I don't know exactly what the question is. Keep in mind
> that you always have to be able to telnet to the authentication router, but for
> the access-list you don't have to exclusively have the telnet keyword. You just
> want some kind of traffic to pass through or not. You should permit your
> conditional entry with dynamic, then deny them if the condition is not met
> (not authorized with lock-key), then permit what else is needed. Here is an
> example: I want R1 to pass through tcp packets to subnet 167.1.23.0/24 using
> lock-key. I don't have to explicitly specify the telnet session to R1 since it
> is implicitly allowed.
>
> Rack1R1(config)#do sh access-l 100
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (2 matches)
> Rack1R1(config)#
> Rack1R1(config)#
> Rack1R1(config)#do sh run int s0/1
> Building configuration...
>
> Current configuration : 123 bytes
> !
> interface Serial0/1
> ip address 167.1.13.1 255.255.255.0
> ip access-group 100 in
> ip router isis
> clockrate 128000
> End
>
> =======
> Rack1R3#telnet 167.1.13.1
> Trying 167.1.13.1 ... Open
>
>
> User Access Verification
>
> Password:
> [Connection to 167.1.13.1 closed by foreign host]
>
> =========
> Rack1R1(config)#
> Rack1R1(config)#do sh access-l
> Rack1R1(config)#do sh access-l
> Extended IP access list 100
> 10 Dynamic permit permit tcp any 167.1.23.0 0.0.0.255
> permit tcp any 167.1.23.0 0.0.0.255
> 20 deny tcp any 167.1.23.0 0.0.0.255
> 30 permit ip any any (34 matches)
>
> HTH
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C
> Sent: Saturday, June 04, 2005 2:55 PM
> To: GroupStudy
> Subject: IEWB Vol 2 Lab2.10.1
>
>
> Hello,
>
> Thought I 'had' Lock-n-key down, but now I'm wondering...
>
> On IEWB's Volume 2 Lab 2, task 10.1 - can anyone explain why in this
> lock-and-key scenario the ACL doesn't need telnet allowed to the receiving
> router, first, before the dynamic ACL. I understand the tcp 8080 on the
> dynamic line, but shouldn't the user first need to authenticate to R3?
>
> From the CD, the fourth point:
> Configure Telnet as the protocol so that users must open a Telnet session
> into the router to be authenticated before they can gain access through
> the router.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
>
>
> Something like:
> ip access-list extended DYNAMIC
> permit tcp any host eq telnet
> dynamic WEB permit tcp any host 172.1.3.100 eq 8080
> deny ip any host 172.1.3.100
> permit ip any any
>
> As always, thanks,
> Sean
>
>
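Editor's added example, not code from this thread, from IEWB or from Cisco: a small Python model of how an inbound lock-and-key list is evaluated, built to reproduce the behaviour the thread argues about. A dynamic entry is skipped until a user authenticates by telnetting to the router, and that telnet is checked against the same inbound list, so some entry (an explicit telnet permit or the trailing "permit ip any any") has to let it through; a static permit for the gated traffic placed ahead of the dynamic entry defeats the gate. The router address 172.1.3.3, the client addresses 10.0.0.5 and 10.0.0.9, the list names and the helper function names are assumptions made for the example; the ACL contents are the ones posted above.

```python
"""Model of Cisco IOS lock-and-key (dynamic ACL) evaluation.

Added example, not code from the thread or from Cisco. Router/client
addresses and function names are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

TELNET = 23


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    src: str                       # "any" or an address/prefix
    dst: str
    dport: Optional[int] = None
    dynamic: Optional[str] = None  # set -> this is a dynamic template
    temporary: bool = False        # inserted by access-enable after login


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _in(p.src, e.src) and _in(p.dst, e.dst)


def evaluate(acl, pkt: Packet) -> str:
    """First match wins. A dynamic template never matches on its own; only
    the temporary entry access-enable inserts can. Implicit deny at the end."""
    for e in acl:
        if e.dynamic and not e.temporary:
            continue
        if matches(e, pkt):
            return e.action
    return "deny"


def access_enable(acl, src_host: str, host_only: bool = True):
    """Emulate 'access-enable [host]': a temporary copy of each dynamic
    template is inserted right below it. With host_only (the 'host' keyword)
    the template's source is narrowed to the authenticating host; without it
    the copy keeps the template's source, as in the 'permit tcp any' output above."""
    out = []
    for e in acl:
        out.append(e)
        if e.dynamic and not e.temporary:
            src = src_host + "/32" if host_only else e.src
            out.append(Entry(e.action, e.proto, src, e.dst, e.dport,
                             e.dynamic, temporary=True))
    return out


def lock_and_key_login(acl, src_host: str, router_ip: str, host_only: bool = True):
    """The user's telnet to the router is subject to the same inbound list.
    If it is denied there is no login prompt and nothing is activated."""
    if evaluate(acl, Packet("tcp", src_host, router_ip, TELNET)) != "permit":
        return False, acl
    return True, access_enable(acl, src_host, host_only)


# The posted IEWB solution: the telnet to the router rides on "permit ip any any".
IEWB = [
    Entry("permit", "tcp", "any", "172.1.3.100/32", 8080, dynamic="WEB"),
    Entry("deny", "ip", "any", "172.1.3.100/32"),
    Entry("permit", "ip", "any", "any"),
]
# Same list ending in an explicit deny: nothing permits the telnet, so no login.
NO_TELNET = IEWB[:2] + [Entry("deny", "ip", "any", "any")]
# Sumit's warning: a static permit for the gated traffic ahead of the dynamic
# entry means authentication no longer matters.
STATIC_LEAK = [Entry("permit", "tcp", "any", "172.1.3.100/32", 8080)] + IEWB


def scenario(acl, client="10.0.0.5", router_ip="172.1.3.3", server="172.1.3.100"):
    """Probe, log in, probe again. Addresses are constructed for the example."""
    web = Packet("tcp", client, server, 8080)
    ok, after = lock_and_key_login(acl, client, router_ip)
    return {
        "web_before": evaluate(acl, web),
        "login": ok,
        "web_after": evaluate(after, web),
        "other_port_after": evaluate(after, Packet("tcp", client, server, 443)),
        "other_host_after": evaluate(after, Packet("tcp", "10.0.0.9", server, 8080)),
    }


if __name__ == "__main__":
    for name, acl in ("IEWB", IEWB), ("NO_TELNET", NO_TELNET), ("STATIC_LEAK", STATIC_LEAK):
        print(name, scenario(acl))
```

Running it shows the three outcomes the thread describes: with the posted list, port 8080 to the server is denied before login and permitted only for the authenticated host afterwards (443 and other hosts stay denied); with the trailing deny the telnet itself is blocked and nothing ever activates; with a static 8080 permit ahead of the dynamic entry, any host reaches the server without logging in. Passing host_only=False to access_enable reproduces the un-narrowed "permit tcp any ..." temporary entry seen in Wang's output.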



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3