From: John Matus (jmatus@pacbell.net)
Date: Wed Jun 22 2005 - 00:05:51 GMT-3
George,
OK, I'm trying to get this through my thick skull.
In your example, is the control traffic:
> permit ospf any any
> permit tcp any any eq bgp
> permit pim any any
so you would be allowing all routing and protocol traffic and only allowing
user X to telnet in if he authenticates to the router?
If this is correct, then in the CISCO WAY
> ip access-list extended auto
> permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> dynamic telnet timeout 120 permit ip any any
this would allow only host 1.2.3.4 to telnet into host 150.1.1.1 AND
the router would allow IP traffic to flow iff <if and only if> the user
first authenticates... <a bit confusing to me>
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "George Cassels" <glcassels3@nc.rr.com>
To: "'John Matus'" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, June 21, 2005 6:18 PM
Subject: RE: dynamic acl question (IE vs. CISCO)
> John
>
> So if the first ACL said something like "only allow telnet access
> to routers inside your network if the user authenticates with RouterX;
> permit all other traffic", this is a good example. The second example you
> gave would be a scenario where you only allow telnet access to routers
> inside your network if the user authenticates with RouterX and deny all
> other traffic.
>
> Some scenarios might say: permit control traffic, allow telnet access to
> routers inside your network only if the user authenticates with RouterX,
> and deny all other traffic. In that case it may look like this:
>
> ip access-list extended auto
> permit ospf any any
> permit tcp any any eq bgp
> permit pim any any
> dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
>
>
> Hope this helps,
> George
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> John Matus
> Sent: Tuesday, June 21, 2005 6:14 PM
> To: ccielab@groupstudy.com
> Subject: dynamic acl question (IE vs. CISCO)
>
> I'm a bit confused about the "proper" way to configure a dynamic
> ACL... I've read the "Cisco" way and seen the "IE" way but am
> confused about which way to go...
>
> Let's say that I want to allow one telnet host into R1... I've seen two
> ways to do it:
>
> R1 (IE WAY)
> username r1 password cisco
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 5
>
> ip access-list extended auto
> dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> deny tcp any any eq telnet
> permit ip any any
>
> R1 (CISCO WAY)
> username r1 password cisco
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 5
>
> ip access-list extended auto
> permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet
> dynamic telnet timeout 120 permit ip any any
>
> What is the functional difference between the two?
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
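The question in this thread is the functional difference between the two orderings of the dynamic entry, and George's reply adds a third variant. As an added illustration (not part of the original thread, and Python rather than IOS), the script below simulates first-match evaluation of the three access lists, first with the dynamic entry inactive and then after host 1.2.3.4 has logged in and the vty autocommand `access-enable host` has created its temporary entry. It assumes the lock-and-key semantics documented for IOS: the `dynamic` line is a template that matches nothing on its own; `access-enable host` inserts a temporary entry at the template's position with the source replaced by the authenticating host (without `host`, the template is used as-is); evaluation is first match with the implicit deny at the end. Wildcard masks, port ranges and the idle/absolute timers are left out, and the sample packets are constructed for the example.

```python
"""First-match simulation of Cisco lock-and-key (dynamic) extended ACLs.
Added illustration in Python, not IOS; no wildcard masks, port ranges or timers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str, str, Optional[int]]   # (proto, src, dst, dport)
PORTS = {"telnet": 23, "bgp": 179}


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or "host A.B.C.D"
    dst: str
    dport: Optional[int] = None   # None: any destination port
    dynamic: bool = False         # lock-and-key template (assumed semantics)
    temp: List["Entry"] = field(default_factory=list)  # made by access-enable

    def matches(self, pkt: Packet) -> bool:
        proto, src, dst, dport = pkt
        return (self.proto in ("ip", proto)
                and self.src in ("any", f"host {src}")
                and self.dst in ("any", f"host {dst}")
                and self.dport in (None, dport))


def parse(lines: List[str]) -> List[Entry]:
    """Parse the subset of extended-ACL syntax used in the thread."""
    acl = []
    for line in lines:
        tok = line.split()
        dynamic = tok[0] == "dynamic"
        if dynamic:                       # dynamic NAME [timeout N] permit ...
            tok = tok[4:] if tok[2] == "timeout" else tok[2:]
        action, proto, rest = tok[0], tok[1], tok[2:]
        addrs = []
        while len(addrs) < 2:             # source, then destination
            if rest[0] == "host":
                addrs.append(f"host {rest[1]}")
                rest = rest[2:]
            else:
                addrs.append(rest[0])
                rest = rest[1:]
        dport = None
        if rest and rest[0] == "eq":
            dport = PORTS.get(rest[1]) or int(rest[1])
        acl.append(Entry(action, proto, addrs[0], addrs[1], dport, dynamic))
    return acl


def access_enable(acl: List[Entry], auth_src: str, host: bool = True) -> None:
    """Effect of `access-enable [host]` after a successful vty login."""
    for e in acl:
        if e.dynamic:
            src = f"host {auth_src}" if host else e.src
            e.temp.append(Entry(e.action, e.proto, src, e.dst, e.dport))


def lookup(acl: List[Entry], pkt: Packet) -> str:
    for e in acl:
        if e.dynamic:                     # the template itself never matches
            for t in e.temp:
                if t.matches(pkt):
                    return t.action
        elif e.matches(pkt):
            return e.action
    return "deny"                         # implicit deny at the end of every ACL


# The three access lists from the thread, as posted.
IE_WAY = [
    "dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet",
    "deny tcp any any eq telnet",
    "permit ip any any",
]
CISCO_WAY = [
    "permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet",
    "dynamic telnet timeout 120 permit ip any any",
]
CONTROL_PLUS_TELNET = [
    "permit ospf any any",
    "permit tcp any any eq bgp",
    "permit pim any any",
    "dynamic telnet permit tcp host 1.2.3.4 host 150.1.1.1 eq telnet",
]

# Constructed sample packets (proto, src, dst, dport); not from the thread.
SAMPLES: Dict[str, Packet] = {
    "telnet_from_1.2.3.4": ("tcp", "1.2.3.4", "150.1.1.1", 23),
    "telnet_from_other":   ("tcp", "10.9.9.9", "150.1.1.1", 23),
    "http_from_1.2.3.4":   ("tcp", "1.2.3.4", "150.1.1.2", 80),
    "ospf_hello":          ("ospf", "10.0.0.1", "224.0.0.5", None),
}


def behaviour(lines: List[str], auth_src: Optional[str] = None) -> Dict[str, str]:
    """Verdict per sample packet, before (auth_src=None) or after a login."""
    acl = parse(lines)
    if auth_src:
        access_enable(acl, auth_src)
    return {name: lookup(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, lines in (("IE way", IE_WAY), ("Cisco way", CISCO_WAY),
                         ("control + telnet", CONTROL_PLUS_TELNET)):
        print(label, "before login:", behaviour(lines))
        print(label, "after 1.2.3.4 logs in:", behaviour(lines, "1.2.3.4"))
```

Running it shows the three behaviours side by side: the "IE way" permits everything except telnet until 1.2.3.4 logs in, after which only that host's telnet to 150.1.1.1 is added; the "Cisco way" permits nothing but that host's telnet to the router until login, after which the temporary `permit ip host 1.2.3.4 any` opens everything for that host only (OSPF from another source still hits the implicit deny, which is why George's third list carries static permits for control traffic); the third list passes routing protocols at all times and opens telnet only after login. One check worth making before applying any of these lists inbound with `ip access-group auto in` (the interface application is assumed here, the thread does not show it): the telnet session used to log in must itself get through the same ACL, so it needs a static permit ahead of the dynamic template, as in the "Cisco way", or must arrive on an interface the list is not applied to; otherwise the autocommand can never be triggered.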
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3