Re: Limitation in Lock-and-Key Configuration in IOS 12.3??

From: PhiL (theccie@gmail.com)
Date: Sat Mar 18 2006 - 22:54:35 GMT-3


Mushtaq,

Once you configure Lock-and-Key, telnet to the router will always be used to
"unlock" the ACL; every time you telnet to the router it will try to open the
ACL, and you will get the message "% List#LOCK_KEY-MYACL already contains
this IP address pair" after the first time because the ACL has already been
configured. Lock-and-Key is used to control traffic through the router and
not to the router. You will need to get creative to allow traffic to the
router. Dave's solution is very good, but you will need to have one username
to open the ACL to allow traffic through the router and another username
to allow telnet to the router. My solution uses the same username for both
but with different TCP ports for each: regular telnet (port 23) opens the
ACL and port 3001 is used to telnet to the router. Here is my complete
configuration:

aaa new-model
aaa authentication login default local
aaa authentication login NONEED none
aaa authorization exec default if-authenticated
enable secret cisco
!
username phil password cisco
ip domain-name ccielab.com
ip host S1 2008 1.1.1.1
ip host R7 2007 1.1.1.1
ip host R1 2001 1.1.1.1
ip host R6 2006 1.1.1.1
ip host R5 2005 1.1.1.1
ip host R4 2004 1.1.1.1
ip host R3 2003 1.1.1.1
ip host R2 2002 1.1.1.1
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0
 ip address 172.16.1.11 255.255.255.0
 ip access-group 150 in
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
access-list 150 dynamic lockkey timeout 1440 permit ip any any
access-list 150 deny ip any any log
!
line 1 16
 no exec
 exec-timeout 0 0
 login authentication NONEED
 transport input all
line vty 0 4
 password cisco
 logging synchronous
 autocommand access-enable host timeout 1440
 transport input telnet ssh
line vty 5 100
 password cisco
 autocommand access-enable host timeout 1440
 transport input telnet ssh
line vty 101 150
 password cisco
 transport input telnet ssh
line vty 151 181
 password cisco
 logging synchronous
 rotary 1
 transport input telnet ssh
!
end

I have this configuration in my 2511 to access the devices in my lab. Dave's
solution is more elegant for a production environment where you would
probably have TACACS+ enabled and regular user authentication would
activate lock-and-key while network management would telnet right into the
box bypassing the lock-and-key. I am reposting Dave's config to keep it all
in the same post:

hostname R2
!
username lock password 0 cisco
username lock autocommand access-enable timeout 60
username telnet password 0 cisco
ip subnet-zero
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
 ip access-group LOCK in
 encapsulation frame-relay
 ip ospf priority 0
 frame-relay map ip 192.168.1.1 201 broadcast
 frame-relay map ip 192.168.1.2 201
 frame-relay map ip 192.168.1.3 201
 frame-relay map ip 192.168.1.4 201
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial1
 ip address 20.2.2.2 255.255.255.0
 encapsulation ppp
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 100 subnets
 network 2.2.2.2 0.0.0.0 area 2
 network 192.168.1.0 0.0.0.255 area 0
!
ip access-list extended LOCK
 permit tcp any host 2.2.2.2 eq telnet
 dynamic KEY timeout 60 permit ip any any
 permit ospf any any
!
line con 0
line aux 0
line vty 0 4
 login local
!
end

On 3/18/06, Mushtaq A. Khan <mak.ccie2b@gmail.com> wrote:
>
>
> Phil,
>
> Thanks, I didn't quite get your solution. Could you please look at my
> config in the attached email thread and provide me with a solution?
>
> Dave,
> I was still getting the same message (% List#LOCK_KEY-MYACL already
> contains this IP address pair) until I used "autocommand-options nohangup".
> Did you have to use the autocommand hangup in your lab as well? The other
> thing I noticed is that I see a new dynamic ACL created but I don't see a
> match in dynamic ACL. I believe I should see this.
>
> The way I am testing this without the "autocommand hangup" is that I first
> try to open a telnet session from the Switch, the first session gets dropped,
> which is expected, but when I try it a second time I get the following
> message. Am I testing it correctly? I didn't find a reference to use the
> autocommand hangup command to make this work.
>
>
> % List#LOCK_KEY-MYACL already contains this IP address pair
>
>
> username test password 0 cisco
>
> Extended IP access list LOCK_KEY
> 30 permit tcp 172.16.18.0 0.0.0.255 host 172.16.18.1 eq telnet (3615 matches)
> 50 Dynamic MYACL permit tcp 172.16.18.0 0.0.0.255 any eq telnet
> permit tcp host 172.16.18.8 any eq telnet
> 60 permit ip any any (890 matches)
>
>
> line vty 0 4
> login local
> autocommand access-enable host timeout 2
> autocommand-options nohangup
>
> Mushtaq
>
> On 3/18/06, PhiL <theccie@gmail.com> wrote:
> >
> > Mushtaq,
> >
> > Once you configure Lock and Key the default telnet port (23) will be
> > used to "unlock" telnet. You need to configure "rotary x" under line vty
> > to be able to telnet to the box itself:
> >
> > line vty 0 4
> > password unlock
> > logging synchronous
> > autocommand access-enable host timeout 1440
> > transport input telnet ssh
> > line vty 5 100
> > password unlock
> > autocommand access-enable host timeout 1440
> > transport input telnet ssh
> > line vty 101 150
> > password cisco
> > rotary 1
> > transport input telnet ssh
> > line vty 151 181
> > password cisco
> > logging synchronous
> > rotary 1
> > transport input telnet ssh
> >
> > In the example above line vty 0 100 will be used only to unlock the lock
> > and key, and line vty 101 181 will be used to telnet to the box itself on
> > port 3001 (you must issue the command telnet x.x.x.x 3001 from your PC).
> > You can also reverse it and have the command rotary 1 under line vty 0
> > 100 and nothing under line vty 101 181. The rotary can be from 1 to 99 and
> > the ports will be 3001 to 3099 respectively.
> >
> > PhiL
> >
> >
> > On 3/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> >
> > > Mushtaq - this is the correct operation (you don't need to use the key
> > > if you already unlocked the door). Now, you should be able to get through
> > > the router by whatever method you have in your dynamic ACL. Give it a try
> > > again and maybe post your configs too.
> >
> > Dave Schulz
> > *** Sent from my Blackberry ***
> >
> > -----Original Message-----
> > From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> > To: Schulz, Dave <DSchulz@dpsciences.com>
> > CC: Cisco certification <ccielab@groupstudy.com>
> > Sent: Fri Mar 17 17:50:53 2006
> > Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
> >
> >
> > Dave,
> >
> > You are right. The router took the command when I typed it in. It is
> > strange.
> > Anyway, I have another issue: even though I have both the idle and
> > absolute timeout configured, when I try to open a telnet session from the
> > Switch, the first session gets dropped, which is expected, but when I try
> > it a second time I get the following message.
> >
> > % List#LOCK_KEY-MYACL already contains this IP address pair
> >
> > I tried it a couple of times but no luck.
> > I remember seeing a similar issue with someone in the groupstudy posting
> > but in my case it is not working.
> >
> > SW2#172.16.8.1
> > Trying 172.16.8.1 ... Open
> >
> >
> > User Access Verification
> >
> > Username: test
> > Password:
> > [Connection to 172.16.8.1 closed by foreign host]
> > SW2#
> > Rack01TS#1
> > [Resuming connection 1 to r1 ... ]
> >
> > R1#sh ip access | beg LOCK
> > Extended IP access list LOCK_KEY
> > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81 matches)
> > 15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
> > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> > permit tcp host 172.16.8.8 any eq telnet
> >
> > SW2#172.16.8.1
> > Trying 172.16.8.1 ... Open
> >
> >
> > User Access Verification
> >
> > Username: test
> > Password:
> > % List#LOCK_KEY-MYACL already contains this IP address pair
> > [Connection to 172.16.8.1 closed by foreign host]
> > SW2#
> > Rack01TS#1
> > [Resuming connection 1 to r1 ... ]
> >
> > R1#sh ip access | beg LOCK
> > Extended IP access list LOCK_KEY
> > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
> > 15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
> > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> > permit tcp host 172.16.8.8 any eq telnet
> >
> >
> >
> > Router Configurations:
> >
> >
> > R1#sh run | inc username
> > username test password 0 cisco
> > username test autocommand access-enable host timeout 5
> >
> >
> >
> > R1#sh ip access | beg LOCK
> > Extended IP access list LOCK_KEY
> > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
> > 15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
> > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> >
> > R1#sh run | beg vty
> > line vty 0 4
> > login local
> >
> > TIA
> >
> > Mushtaq
> >
> >
> > On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> >
> > This should work. However, I have noticed that some of the 12.2
> > versions do not show the autocommand access-enable timeout when you do a
> > ?. But, it is in there. Go ahead and try it. (similar to the ip pim
> > autorp listener command)
> >
> >
> > Dave Schulz,
> > Email: dschulz@dpsciences.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Mushtaq A. Khan
> > Sent: Friday, March 17, 2006 3:27 PM
> > To: Cisco certification
> > Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
> >
> > All,
> >
> > I am having trouble setting idle timeout with the *timeout* keyword in
> > the *access-enable* command in the *autocommand* command. Is this an IOS
> > limitation? I checked the DOC CD for 12.3 configuration and it sounds like
> > it should be supported.
> >
> > Am I missing anything here? Can anyone shed some light on this? Is there a
> > way I can achieve my goal as mentioned above?
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
> >
> > R1(config)#username test autocommand ?
> > LINE Command to be automatically issued after the user logs in
> >
> > R1(config-line)#autocommand ?
> > LINE Appropriate EXEC command
> > no-suppress-linenumber Display service linenumber message
> >
> >
> >
> > R1#sh ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a),
> > RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-2003 by cisco Systems, Inc.
> > Compiled Tue 25-Nov-03 06:00 by kellythw
> > Image text-base: 0x80008098, data-base: 0x81FFCCD8
> >
> > ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
> >
> > R1 uptime is 3 days, 5 hours, 36 minutes
> > System returned to ROM by reload
> > System restarted at 02:19:26 UTC Tue Mar 14 2006
> > System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
> >
> > [....]
> >
> >
> >
> > TIA,
> >
> > Mushtaq
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> > --
> > Regards,
> >
> >
> > PhiL
> >
>
>

--
Regards,

PhiL
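The behaviour the whole thread turns on (one temporary entry per source host, the "already contains this IP address pair" message on a second login, idle versus absolute timeouts, and PhiL's port 23 / port 3001 split) is easier to reason about with a small model than by re-reading show output. The following is an added example written for this archive page; it is not IOS code and not Dave's or PhiL's configuration. It imitates the first-match ACL evaluation and the temporary-entry lifecycle on a simulated clock in minutes. The entries and the 192.168.1.x / 2.2.2.2 / 20.2.2.2 addresses are taken from Dave's LOCK/KEY config; the matching and expiry rules are a simplification (an assumption), and the success text returned by `access_enable()` is invented, since IOS prints nothing on success.

```python
# Toy model of IOS lock-and-key (dynamic ACL) behaviour. Added example for
# this thread, not IOS code; rules are a simplification of what IOS does.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol, else exact match
    src: Optional[str] = None      # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    dynamic: Optional[str] = None  # template name; a template never matches traffic
    absolute: int = 0              # minutes, from "dynamic NAME timeout N"
    temporary: bool = False        # instantiated copy created by access-enable
    created: int = 0               # simulated clock values, in minutes
    last_hit: int = 0
    idle: int = 0                  # minutes, from "access-enable host timeout N" (0 = none)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.dynamic is None
                and self.proto in ("ip", proto)
                and self.src in (None, src)
                and self.dst in (None, dst)
                and self.dport in (None, dport))


class LockAndKeyACL:
    def __init__(self, name: str, entries: List[Entry]):
        self.name = name
        self.entries = list(entries)

    def _expire(self, now: int) -> None:
        """Drop temporary entries whose absolute or idle timeout has elapsed."""
        self.entries = [e for e in self.entries if not (
            e.temporary and (now - e.created >= e.absolute
                             or (e.idle and now - e.last_hit >= e.idle)))]

    def access_enable(self, host: str, now: int, idle: int) -> str:
        """What 'autocommand access-enable host timeout IDLE' does for HOST's login."""
        self._expire(now)
        template = next(e for e in self.entries if e.dynamic)
        if any(e.temporary and e.src == host for e in self.entries):
            # Second login while the door is already open: the message Mushtaq saw.
            return (f"% List#{self.name}-{template.dynamic} already contains "
                    "this IP address pair")
        temp = replace(template, dynamic=None, src=host, temporary=True,
                       created=now, last_hit=now, idle=idle)
        # The temporary entry takes the template's position in the list.
        self.entries.insert(self.entries.index(template) + 1, temp)
        return f"temporary entry for {host} created"   # constructed message, not IOS output

    def evaluate(self, now: int, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
        """First matching entry wins; implicit deny at the end, as in IOS."""
        self._expire(now)
        for e in self.entries:
            if e.matches(proto, src, dst, dport):
                if e.temporary:
                    e.last_hit = now   # traffic through the door resets the idle timer
                return e.action
        return "deny"


def daves_lock_acl() -> LockAndKeyACL:
    """Dave's 'ip access-list extended LOCK' from the thread, as model entries."""
    return LockAndKeyACL("LOCK", [
        Entry("permit", "tcp", dst="2.2.2.2", dport=23),    # permit tcp any host 2.2.2.2 eq telnet
        Entry("permit", "ip", dynamic="KEY", absolute=60),  # dynamic KEY timeout 60 permit ip any any
        Entry("permit", "ospf"),                            # permit ospf any any
    ])


def vty_role(port: int, rotary: int = 1) -> str:
    """PhiL's split: port 23 lands on the autocommand lines (unlock, then the
    session closes); port 3000+rotary lands on the 'rotary N' lines and gives exec."""
    if port == 23:
        return "unlock"
    if port == 3000 + rotary:
        return "exec"
    return "refused"


def walkthrough() -> List[str]:
    """Mushtaq's test sequence replayed against Dave's ACL from neighbour 192.168.1.1."""
    acl, peer = daves_lock_acl(), "192.168.1.1"
    return [
        acl.evaluate(0, "tcp", peer, "2.2.2.2", 23),            # permit: static telnet line
        acl.evaluate(0, "tcp", peer, "20.2.2.2", 22),           # deny: nothing opened yet
        acl.access_enable(peer, now=0, idle=5),                 # first login opens the door
        acl.evaluate(1, "tcp", peer, "20.2.2.2", 22),           # permit via temporary entry
        acl.evaluate(1, "tcp", "192.168.1.3", "20.2.2.2", 22),  # deny: entry is per host
        acl.access_enable(peer, now=2, idle=5),                 # "already contains ..."
        acl.evaluate(8, "tcp", peer, "20.2.2.2", 22),           # deny: idle 5 min since minute 1
    ]
```

Running `walkthrough()` reproduces the sequence in the thread: the first telnet is allowed only because a static line permits telnet to the router, the autocommand opens `permit ip any any` for that one source host, a second login from the same host gets the "already contains" message rather than a second entry, and the entry disappears once either timer runs out. `vty_role()` is the other half of PhiL's answer: with the autocommand on the port 23 lines, only the rotary port reaches a normal exec.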



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3