From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sat Mar 18 2006 - 11:52:28 GMT-3
That is a great solution! You can also do this with the autocommand in the
local username, and keep a separate username/password association for telnet.
Here is a config that I threw together for your viewing. Just a note on the
access-lists, make sure that you allow for the routing protocols and any other
traffic that is permitted (unless you only want to establish neighbor
relationships after the lock and key is enabled). :-)
Dave
!
hostname R2
!
username lock password 0 cisco
username lock autocommand access-enable timeout 60
username telnet password 0 cisco
ip subnet-zero
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
ip access-group LOCK in
encapsulation frame-relay
ip ospf priority 0
frame-relay map ip 192.168.1.1 201 broadcast
frame-relay map ip 192.168.1.2 201
frame-relay map ip 192.168.1.3 201
frame-relay map ip 192.168.1.4 201
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial1
ip address 20.2.2.2 255.255.255.0
encapsulation ppp
!
router ospf 1
log-adjacency-changes
redistribute eigrp 100 subnets
network 2.2.2.2 0.0.0.0 area 2
network 192.168.1.0 0.0.0.255 area 0
!
ip access-list extended LOCK
permit tcp any host 2.2.2.2 eq telnet
dynamic KEY timeout 60 permit ip any any
permit ospf any any
!
line con 0
line aux 0
line vty 0 4
login local
!
end
________________________________
From: PhiL [mailto:theccie@gmail.com]
Sent: Sat 3/18/2006 8:59 AM
To: Schulz, Dave
Cc: mak.ccie2b@gmail.com; ccielab@groupstudy.com
Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
Mushtaq,
Once you configure Lock and Key the default telnet port (23) will be used to
"unlock" telnet. You need to configure "rotary x" under line vty to be able to
telnet to the box itself:
line vty 0 4
password unlock
logging synchronous
autocommand access-enable host timeout 1440
transport input telnet ssh
line vty 5 100
password unlock
autocommand access-enable host timeout 1440
transport input telnet ssh
line vty 101 150
password cisco
rotary 1
transport input telnet ssh
line vty 151 181
password cisco
logging synchronous
rotary 1
transport input telnet ssh
In the example above line vty 0 100 will be used only to unlock the lock and
key, and line vty 101 181 will be used to telnet to the box itself on port
3001 (you must issue the command telnet x.x.x.x 3001 from your PC). You can
also reverse it and have the command rotary 1 under line vty 0 100 and nothing
under line vty 101 181. The rotary can be from 1 to 99 and the ports will be
3001 to 3099 respectively.
PhiL
On 3/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
Mushtaq - this is the correct operation (you don't need to use the key if you
already unlocked the door). Now, you should be able to get through the router
by whatever method you have in your dynamic ACL. Give it a try again and
maybe post your configs too.
Dave Schulz
*** Sent from my Blackberry ***
-----Original Message-----
From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
To: Schulz, Dave <DSchulz@dpsciences.com>
CC: Cisco certification <ccielab@groupstudy.com>
Sent: Fri Mar 17 17:50:53 2006
Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
Dave,
You are right, the router took the command when I typed it in. It is strange.
Anyway, I have another issue: even though I have both the idle and absolute
timeouts configured, when I try to open a telnet session from the switch the
first session gets dropped, which is expected, but when I try it a second
time I get the following message.
% List#LOCK_KEY-MYACL already contains this IP address pair
I tried it a couple of times but no luck.
I remember seeing a similar issue in a groupstudy posting, but in my case it
is not working.
SW2#172.16.8.1
Trying 172.16.8.1 ... Open
User Access Verification
Username: test
Password:
[Connection to 172.16.8.1 closed by foreign host]
SW2#
Rack01TS#1
[Resuming connection 1 to r1 ... ]
R1#sh ip access | beg LOCK
Extended IP access list LOCK_KEY
10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81 matches)
15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
permit tcp host 172.16.8.8 any eq telnet
SW2#172.16.8.1
Trying 172.16.8.1 ... Open
User Access Verification
Username: test
Password:
% List#LOCK_KEY-MYACL already contains this IP address pair
[Connection to 172.16.8.1 closed by foreign host]
SW2#
Rack01TS#1
[Resuming connection 1 to r1 ... ]
R1#sh ip access | beg LOCK
Extended IP access list LOCK_KEY
10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
permit tcp host 172.16.8.8 any eq telnet
Router Configurations:
R1#sh run | inc username
username test password 0 cisco
username test autocommand access-enable host timeout 5
R1#sh ip access | beg LOCK
Extended IP access list LOCK_KEY
10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
R1#sh run | beg vty
line vty 0 4
login local
TIA
Mushtaq
On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
This should work. However, I have noticed that some of the 12.2 versions do
not show the autocommand access-enable timeout when you do a ?. But, it is in
there. Go ahead and try it. (similar to the ip pim autorp listener command)
Dave Schulz,
Email: dschulz@dpsciences.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mushtaq A. Khan
Sent: Friday, March 17, 2006 3:27 PM
To: Cisco certification
Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
All,
I am having trouble setting the idle timeout with the *timeout* keyword in the
*access-enable* command in the *autocommand* command. Is this an IOS
limitation? I checked the DOC CD for 12.3 configuration and it sounds like it
should be supported.
Am I missing anything here? Can anyone shed some light on this? Is there a
way I can achieve my goal as mentioned above?
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
R1(config)#username test autocommand ?
LINE Command to be automatically issued after the user logs in
R1(config-line)#autocommand ?
LINE Appropriate EXEC command
no-suppress-linenumber Display service linenumber message
R1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Nov-03 06:00 by kellythw
Image text-base: 0x80008098, data-base: 0x81FFCCD8
ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
R1 uptime is 3 days, 5 hours, 36 minutes
System returned to ROM by reload
System restarted at 02:19:26 UTC Tue Mar 14 2006
System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
[....]
TIA,
Mushtaq
_______________________________________________________________________
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
-- Regards, PhiL
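Dave's point that the second login fails because the door is already unlocked can be checked directly from the "sh ip access" output Mushtaq posted: the temporary entry for host 172.16.8.8 is still hanging under the Dynamic MYACL line. The following is an added example (not code from the thread or from Cisco) that parses that output, lists the live temporary entries per dynamic list, and reports whether another access-enable from a given source host would be refused; it assumes, as in the posted output, that static entries carry sequence numbers and temporary ones do not.

```python
import re
from typing import Dict, List

# Sample input copied from the thread's "sh ip access | beg LOCK" output
# (the mail client dropped the indentation, so the parser must not rely on it).
SHOW_OUTPUT = """\
Extended IP access list LOCK_KEY
10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
permit tcp host 172.16.8.8 any eq telnet
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
NUMBERED = re.compile(r"^(\d+)\s+(.*)$")
DYNAMIC = re.compile(r"^Dynamic (\S+)\s+")
# Temporary entries created by access-enable host: "permit <proto> host <src> ..."
TEMP_ENTRY = re.compile(r"^(permit|deny)\s+\S+\s+host\s+(\d+\.\d+\.\d+\.\d+)\s+")


def active_dynamic_entries(show_output: str) -> Dict[str, List[str]]:
    """Map "<ACL>-<dynamic list>" (the name IOS prints in the error) to the
    source hosts that currently have a temporary entry under that template."""
    entries: Dict[str, List[str]] = {}
    acl = None
    current_dyn = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            acl, current_dyn = m.group(1), None
            continue
        m = NUMBERED.match(line)
        if m:
            # A numbered "Dynamic NAME ..." line opens a template; any other
            # numbered line closes it, so un-numbered lines only count inside one.
            d = DYNAMIC.match(m.group(2))
            current_dyn = f"{acl}-{d.group(1)}" if d else None
            if current_dyn:
                entries.setdefault(current_dyn, [])
            continue
        m = TEMP_ENTRY.match(line)
        if m and current_dyn:
            entries[current_dyn].append(m.group(2))
    return entries


def access_enable_would_fail(show_output: str, source_host: str) -> bool:
    """True when source_host already holds a temporary entry, i.e. the condition
    behind "% List#... already contains this IP address pair"."""
    return any(source_host in hosts for hosts in active_dynamic_entries(show_output).values())
```

Running it against the thread's output yields LOCK_KEY-MYACL with 172.16.8.8 active, so a second login from that switch is refused until the idle or absolute timeout clears the entry.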
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3