Re: Limitation in Lock-and-Key Configuration in IOS 12.3??

From: PhiL (theccie@gmail.com)
Date: Sat Mar 18 2006 - 10:59:33 GMT-3


Mushtaq,

Once you configure Lock and Key the default telnet port (23) will be used to
"unlock" telnet. You need to configure "rotary x" under line vty to be able
to telnet to the box itself:

line vty 0 4
 password unlock
 logging synchronous
 autocommand access-enable host timeout 1440
 transport input telnet ssh
line vty 5 100
 password unlock
 autocommand access-enable host timeout 1440
 transport input telnet ssh
line vty 101 150
 password cisco
 rotary 1
 transport input telnet ssh
line vty 151 181
 password cisco
 logging synchronous
 rotary 1
 transport input telnet ssh

In the example above line vty 0 100 will be used only to unlock the lock and
key, and line vty 101 181 will be used to telnet to the box itself on port
3001 (you must issue the command telnet x.x.x.x 3001 from your PC). You can
also reverse it and have the command rotary 1 under line vty 0 100 and
nothing under line vty 101 181. The rotary can be from 1 to 99 and the ports
will be 3001 to 3099 respectively.

PhiL
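As an added example (this is not configuration from PhiL's or any other message in the thread), here is a complete lock-and-key setup that puts the ACL and dynamic entry from Mushtaq's "sh ip access" output together with the rotary split PhiL describes. The interface name, the 172.16.8.1 address, the vty line ranges, the line passwords and the 120-minute absolute timeout on the dynamic entry are assumptions chosen for the example.

```cisco
! Added example, not configuration from the original thread.
! Assumptions: interface FastEthernet0/0 at 172.16.8.1, line ranges,
! line passwords and the 120-minute absolute timeout are all made up here.
!
! Inbound ACL on the client-facing interface. It also filters traffic
! addressed to the router itself, so both the "unlock" port (23) and the
! rotary port (3001) must be permitted explicitly. The dynamic line is the
! template that access-enable turns into a temporary entry; "timeout 120"
! is its absolute lifetime in minutes.
ip access-list extended LOCK_KEY
 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq 3001
 dynamic MYACL timeout 120 permit tcp 172.16.8.0 0.0.0.255 any eq telnet
!
interface FastEthernet0/0
 ip address 172.16.8.1 255.255.255.0
 ip access-group LOCK_KEY in
!
! Port 23: unlock-only lines. After the password check the autocommand
! runs access-enable and the session closes; "host" limits the temporary
! entry to the connecting client's address and "timeout 5" is the idle
! timeout in minutes. No EXEC shell is ever reachable on these lines.
line vty 0 4
 password unlock
 login
 autocommand access-enable host timeout 5
 transport input telnet
!
! Port 3001 (rotary 1): the only lines that give a shell on the router.
! Reached with "telnet 172.16.8.1 3001" from the client.
line vty 5 9
 password cisco
 login
 rotary 1
 transport input telnet
```

Keeping the two functions on separate line ranges is what makes the scheme safe to operate: a user who only knows the unlock password can open the dynamic entry for their own host but never lands in an EXEC session, and the management lines on port 3001 carry their own password. The explicit `eq 3001` permit is the part most often forgotten when the ACL is inbound on the same interface the administrator connects through.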

On 3/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
> Mushtaq - this is the correct operation (you don't need to use the key if
> you already unlocked the door). Now, you should be able to get through the
> router by whatever method you have in your dynamic ACL. Give it a try
> again and maybe post your configs too.
>
> Dave Schulz
> *** Sent from my Blackberry ***
>
> -----Original Message-----
> From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> To: Schulz, Dave <DSchulz@dpsciences.com>
> CC: Cisco certification <ccielab@groupstudy.com>
> Sent: Fri Mar 17 17:50:53 2006
> Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
>
>
> Dave,
>
> You are right, the router took the command when I typed it in. It is strange.
> Anyway, I have another issue: even though I have both the idle and
> absolute timeout configured, when I try to open a telnet session from the
> Switch, the first session gets dropped, which is expected, but when I try it
> a second time I get the following message.
>
> % List#LOCK_KEY-MYACL already contains this IP address pair
>
> I tried it a couple of times but no luck.
> I remember seeing a similar issue in someone's groupstudy posting, but
> in my case it is not working.
>
> SW2#172.16.8.1
> Trying 172.16.8.1 ... Open
>
>
> User Access Verification
>
> Username: test
> Password:
> [Connection to 172.16.8.1 closed by foreign host]
> SW2#
> Rack01TS#1
> [Resuming connection 1 to r1 ... ]
>
> R1#sh ip access | beg LOCK
> Extended IP access list LOCK_KEY
> 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81 matches)
> 15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
> 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
>    permit tcp host 172.16.8.8 any eq telnet
>
> SW2#172.16.8.1
> Trying 172.16.8.1 ... Open
>
>
> User Access Verification
>
> Username: test
> Password:
> % List#LOCK_KEY-MYACL already contains this IP address pair
> [Connection to 172.16.8.1 closed by foreign host]
> SW2#
> Rack01TS#1
> [Resuming connection 1 to r1 ... ]
>
> R1#sh ip access | beg LOCK
> Extended IP access list LOCK_KEY
> 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
> 15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
> 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
>    permit tcp host 172.16.8.8 any eq telnet
>
>
>
> Router Configurations:
>
>
> R1#sh run | inc username
> username test password 0 cisco
> username test autocommand access-enable host timeout 5
>
>
>
> R1#sh ip access | beg LOCK
> Extended IP access list LOCK_KEY
> 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
> 15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
> 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
>
> R1#sh run | beg vty
> line vty 0 4
> login local
>
> TIA
>
> Mushtaq
>
>
> On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
> This should work. However, I have noticed that some of the 12.2
> versions do not show the autocommand access-enable timeout when you
> do a ?. But, it is in there. Go ahead and try it. (similar to the ip
> pim autorp listener command)
>
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Mushtaq A. Khan
> Sent: Friday, March 17, 2006 3:27 PM
> To: Cisco certification
> Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
>
> All,
>
> I am having trouble setting idle timeout with the *timeout* keyword in
> the *access-enable* command in the *autocommand* command. Is this an IOS
> limitation? I checked the DOC CD for 12.3 configuration and it sounds
> like it should be supported.
>
> Am I missing anything here? Can anyone shed some light on this? Is
> there a way I can achieve my goal as mentioned above?
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
>
> R1(config)#username test autocommand ?
> LINE Command to be automatically issued after the user logs in
>
> R1(config-line)#autocommand ?
> LINE Appropriate EXEC command
> no-suppress-linenumber Display service linenumber message
>
>
>
> R1#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> Compiled Tue 25-Nov-03 06:00 by kellythw
> Image text-base: 0x80008098, data-base: 0x81FFCCD8
>
> ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
>
> R1 uptime is 3 days, 5 hours, 36 minutes
> System returned to ROM by reload
> System restarted at 02:19:26 UTC Tue Mar 14 2006
> System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
>
> [....]
>
>
>
> TIA,
>
> Mushtaq
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

--
Regards,

PhiL



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3