Re: Limitation in Lock-and-Key Configuration in IOS 12.3??

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sat Mar 18 2006 - 20:52:32 GMT-3


Mushtaq -

It's doing what it should (you are trying to open an already opened door). Now, go ahead and try to connect to a router on the OTHER side of the router that is configured with lock and key. You should be able to as long as the dynamic ACL is active.

Dave Schulz
*** Sent from my Blackberry ***
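To make the point above concrete (the "already contains this IP address pair" message means the host's temporary entry is still live, and the thing to test is traffic through the router while it is live), here is a small Python model of a lock-and-key dynamic ACL. It is an added example, not code from this thread, from Cisco or from GroupStudy; it borrows the lab addresses and the ACL and dynamic-entry names from Mushtaq's posted output, reduces the static lines to the unlock line plus the implicit deny, and the timer behaviour it assumes (idle timer reset by traffic matching the entry, absolute timer counted from creation) is the model's reading of how IOS treats these timers.

```python
"""Toy model of Cisco IOS lock-and-key: `access-enable host` creates one
temporary ACL entry per source host, the interface ACL honours it while it
is live, and an idle or absolute timeout tears it down.  Added example; it
models the behaviour discussed in the thread, not real IOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Union

# Constructed sample values, taken from the lab output in the thread:
# router 172.16.8.1, inside network 172.16.8.0/24, list LOCK_KEY / MYACL.
ROUTER = "172.16.8.1"
INSIDE = ip_network("172.16.8.0/24")


@dataclass
class DynamicEntry:
    src: str
    created: float    # seconds, when access-enable instantiated the entry
    last_hit: float   # seconds, last packet that matched the entry


class LockAndKeyACL:
    """First-match ACL: static unlock line, per-host dynamic lines, implicit deny."""

    def __init__(self, name: str = "LOCK_KEY", dynamic: str = "MYACL",
                 idle_timeout_min: Optional[float] = None,
                 absolute_timeout_min: Optional[float] = None) -> None:
        self.name, self.dynamic = name, dynamic
        # IOS expresses both timeouts in minutes; the model keeps seconds.
        self.idle = idle_timeout_min * 60 if idle_timeout_min else None
        self.absolute = absolute_timeout_min * 60 if absolute_timeout_min else None
        self.entries: Dict[str, DynamicEntry] = {}

    def _expire(self, now: float) -> None:
        """Drop entries whose absolute or idle timer has run out."""
        for src, e in list(self.entries.items()):
            absolute_gone = self.absolute is not None and now - e.created >= self.absolute
            idle_gone = self.idle is not None and now - e.last_hit >= self.idle
            if absolute_gone or idle_gone:
                del self.entries[src]

    def access_enable(self, src: str, now: float) -> str:
        """What `autocommand access-enable host` does for a login from src."""
        self._expire(now)
        if src in self.entries:
            # The message from the thread: the door is already open for this host.
            return f"% List#{self.name}-{self.dynamic} already contains this IP address pair"
        self.entries[src] = DynamicEntry(src, now, now)
        return "dynamic entry created"

    def permits(self, src: str, dst: str, dport: int, now: float) -> bool:
        """Evaluate a TCP packet against the list in order (first match wins)."""
        self._expire(now)
        inside = ip_address(src) in INSIDE
        # 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet  (the "key" port)
        if inside and dst == ROUTER and dport == 23:
            return True
        # 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet, one line per host
        entry = self.entries.get(src)
        if entry is not None and inside and dport == 23:
            entry.last_hit = now   # matching traffic restarts the idle timer
            return True
        return False               # implicit deny


def walkthrough() -> List[Union[bool, str]]:
    """Replay the thread's sequence: locked, unlock, pass through, duplicate unlock, expiry."""
    acl = LockAndKeyACL(idle_timeout_min=2, absolute_timeout_min=5)
    host, far_side = "172.16.8.8", "10.0.0.1"   # 10.0.0.1 is a constructed far-side host
    return [
        acl.permits(host, far_side, 23, now=0),      # False: still locked
        acl.permits(host, ROUTER, 23, now=0),        # True: may reach the key port
        acl.access_enable(host, now=1),              # entry created by the autocommand
        acl.permits(host, far_side, 23, now=5),      # True: through the router now
        acl.access_enable(host, now=6),              # duplicate pair message
        acl.permits(host, far_side, 23, now=127),    # False: idle timer (2 min) lapsed
        acl.access_enable(host, now=127),            # entry created again
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Running `walkthrough()` reproduces the thread's sequence: telnet through is denied, the login to the router's own telnet port is allowed, the autocommand creates the entry, traffic through now matches it, a second login returns the duplicate-pair message, and once the idle timer lapses the entry disappears and a fresh login recreates it. The model leaves out the broad `permit ip ... any` lines that appear in the posted lists on purpose: with first-match evaluation a permit of that width covers the protected traffic whether or not a dynamic entry exists, so when the dynamic entry shows no matches, checking that no wider permit in the list already covers that traffic is the first thing to verify.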

-----Original Message-----
From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
To: PhiL <theccie@gmail.com>; Schulz, Dave <DSchulz@dpsciences.com>
CC: ccielab@groupstudy.com <ccielab@groupstudy.com>
Sent: Sat Mar 18 11:03:00 2006
Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??

 
Phil,
 
Thanks, I didn't quite get your solution. Could you please look at my config in the attached email thread and provide me a solution.
 
 Dave,
I was still getting the same message (% List#LOCK_KEY-MYACL already contains this IP address pair) until I used "autocommand-options nohangup". Did you have to use the autocommand hangup in your lab as well? The other thing I noticed is that I see a new dynamic ACL created but I don't see a match in dynamic ACL. I believe I should see this.
 
The way I am testing this without the "autocommand hangup" is that I first try to open a telnet session from the Switch; the first session gets dropped, which is expected, but when I try it a second time I get the following message. Am I testing it correctly? I didn't find a reference to use the autocommand hangup command to make this work.

% List#LOCK_KEY-MYACL already contains this IP address pair

 
username test password 0 cisco
 
Extended IP access list LOCK_KEY
    30 permit tcp 172.16.18.0 0.0.0.255 host 172.16.18.1 eq telnet (3615 matches)
    50 Dynamic MYACL permit tcp 172.16.18.0 0.0.0.255 any eq telnet
       permit tcp host 172.16.18.8 any eq telnet
    60 permit ip any any (890 matches)
    
 
line vty 0 4
 login local
 autocommand access-enable host timeout 2
 autocommand-options nohangup
 
Mushtaq
 
On 3/18/06, PhiL <theccie@gmail.com> wrote:

        Mushtaq,
         
        Once you configure Lock and Key the default telnet port (23) will be used to "unlock" telnet. You need to configure "rotary x" under line vty to be able to telnet to the box itself:
         
        line vty 0 4
         password unlock
         logging synchronous
         autocommand access-enable host timeout 1440
         transport input telnet ssh
        line vty 5 100
         password unlock
         autocommand access-enable host timeout 1440
         transport input telnet ssh
        line vty 101 150
         password cisco
         rotary 1
         transport input telnet ssh
        line vty 151 181
         password cisco
         logging synchronous
         rotary 1
         transport input telnet ssh
        
        In the example above line vty 0 100 will be used only to unlock the lock and key, and line vty 101 181 will be used to telnet to the box itself on port 3001 (you must issue the command telnet x.x.x.x 3001 from your PC). You can also reverse it and have the command rotary 1 under line vty 0 100 and nothing under line vty 101 181. The rotary can be from 1 to 99 and the ports will be 3001 to 3099 respectively.
         
        PhiL

        On 3/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:

        Mushtaq - this is the correct operation (you don't need to use the key if you already unlocked the door). Now, you should be able to get through the router by whatever method you have in your dynamic ACL. Give it a try again and maybe post your configs too.
        
        Dave Schulz
        *** Sent from my Blackberry ***
        
        -----Original Message-----
        From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
        To: Schulz, Dave <DSchulz@dpsciences.com>
        CC: Cisco certification <ccielab@groupstudy.com>
        Sent: Fri Mar 17 17:50:53 2006
        Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
        
        
        Dave,
        
        You are right, the router took the command when I typed it in. It is strange.
        Anyway, I have another issue: even though I have both the idle and absolute timeout configured, when I try to open a telnet session from the Switch, the first session gets dropped, which is expected, but when I try it a second time I get the following message.
        
        % List#LOCK_KEY-MYACL already contains this IP address pair
        
        I tried it a couple of times but no luck.
        I remember seeing a similar issue in someone's groupstudy posting, but in my case it is not working.
        
        SW2#172.16.8.1
        Trying 172.16.8.1 ... Open
        
        
        User Access Verification
        
        Username: test
        Password:
        [Connection to 172.16.8.1 closed by foreign host]
        SW2#
        Rack01TS#1
        [Resuming connection 1 to r1 ... ]
        
        R1#sh ip access | beg LOCK
        Extended IP access list LOCK_KEY
           10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81 matches)
           15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
           20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
              permit tcp host 172.16.8.8 any eq telnet
        
        SW2#172.16.8.1
        Trying 172.16.8.1 ... Open
        
        
        User Access Verification
        
        Username: test
        Password:
        % List#LOCK_KEY-MYACL already contains this IP address pair
        [Connection to 172.16.8.1 closed by foreign host]
        SW2#
        Rack01TS#1
        [Resuming connection 1 to r1 ... ]
        
        R1#sh ip access | beg LOCK
        Extended IP access list LOCK_KEY
           10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
           15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
           20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
              permit tcp host 172.16.8.8 any eq telnet
        
        
        
        Router Configurations:
        
        
        R1#sh run | inc username
        username test password 0 cisco
        username test autocommand access-enable host timeout 5
        
        
        
        R1#sh ip access | beg LOCK
        Extended IP access list LOCK_KEY
           10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
           15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
           20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
        
        R1#sh run | beg vty
        line vty 0 4
        login local
        
        TIA
        
        Mushtaq
        
        
        On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
        
               This should work. However, I have noticed that some of the 12.2 versions do not show the autocommand access-enable timeout when you do a ?. But, it is in there. Go ahead and try it. (similar to the ip pim autorp listener command)
        
        
               Dave Schulz,
               Email: dschulz@dpsciences.com
        
        
        
               -----Original Message-----
               From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mushtaq A. Khan
               Sent: Friday, March 17, 2006 3:27 PM
               To: Cisco certification
               Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
        
               All,
        
               I am having trouble setting idle timeout with the *timeout* keyword in the *access-enable* command in the *autocommand* command. Is this an IOS limitation? I checked the DOC CD for 12.3 configuration and it sounds like it should be supported.
        
               Am I missing anything here? Can anyone shed some light on this? Is there a way I can achieve my goal as mentioned above?
        
               http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
        
               R1(config)#username test autocommand ?
               LINE Command to be automatically issued after the user logs in
        
               R1(config-line)#autocommand ?
               LINE Appropriate EXEC command
               no-suppress-linenumber Display service linenumber message
        
        
        
               R1#sh ver
               Cisco Internetwork Operating System Software
               IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
               Copyright (c) 1986-2003 by cisco Systems, Inc.
               Compiled Tue 25-Nov-03 06:00 by kellythw
               Image text-base: 0x80008098, data-base: 0x81FFCCD8
        
               ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
        
               R1 uptime is 3 days, 5 hours, 36 minutes
               System returned to ROM by reload
               System restarted at 02:19:26 UTC Tue Mar 14 2006
               System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
        
               [....]
        
        
        
               TIA,
        
               Mushtaq
        
               _______________________________________________________________________
               Subscription information may be found at:
               http://www.groupstudy.com/list/CCIELab.html
        
        
        

        --
        Regards,
         
        
        PhiL



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3