From: PhiL (theccie@gmail.com)
Date: Sat Mar 18 2006 - 23:15:36 GMT-3
Two more things: if you do not use the "host" keyword in the autocommand
access-host you open up the ACL for the whole subnet, and to clear a
dynamic entry in the ACL use the command "clear access-template 150 lockkey
host 172.16.1.110 any".
On 3/18/06, PhiL <theccie@gmail.com> wrote:
>
> Mushtaq,
>
> Once you configure Lock-and-Key, telnet to the router will always be used
> to "unlock" the ACL; every time you telnet to the router it will try to open
> the ACL and you will get the message "% List#LOCK_KEY-MYACL already contains
> this IP address pair" after the first time because the ACL has already been
> configured. Lock-and-Key is used to control traffic through the router and
> not to the router. You will need to get creative to allow traffic to the
> router. Dave's solution is very good but you will need to have one username
> to open the ACL to allow traffic through the router and another username
> to allow telnet to the router. My solution uses the same username for both
> but with different TCP ports for each: regular telnet (port 23) opens the
> ACL and port 3001 is used to telnet to the router. Here is my complete
> configuration:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication login NONEED none
> aaa authorization exec default if-authenticated
> enable secret cisco
> !
> username phil password cisco
> ip domain-name ccielab.com
> ip host S1 2008 1.1.1.1
> ip host R7 2007 1.1.1.1
> ip host R1 2001 1.1.1.1
> ip host R6 2006 1.1.1.1
> ip host R5 2005 1.1.1.1
> ip host R4 2004 1.1.1.1
> ip host R3 2003 1.1.1.1
> ip host R2 2002 1.1.1.1
> !
> interface Loopback1
> ip address 1.1.1.1 255.255.255.255
> !
> interface Ethernet0
> ip address 172.16.1.11 255.255.255.0
> ip access-group 150 in
> !
> ip route 0.0.0.0 0.0.0.0 172.16.1.1
> !
> access-list 150 dynamic lockkey timeout 1440 permit ip any any
> access-list 150 deny ip any any log
> !
> line 1 16
> no exec
> exec-timeout 0 0
> login authentication NONEED
> transport input all
> line vty 0 4
> password cisco
>
> logging synchronous
> autocommand access-enable host timeout 1440
> transport input telnet ssh
> line vty 5 100
> password cisco
>
> autocommand access-enable host timeout 1440
> transport input telnet ssh
> line vty 101 150
> password cisco
> transport input telnet ssh
> line vty 151 181
> password cisco
> logging synchronous
> rotary 1
> transport input telnet ssh
> !
> end
>
> I have this configuration in my 2511 to access the devices in my lab.
> Dave's solution is more elegant for a production environment where you would
> probably have TACACS+ enabled and regular user authentication would
> activate lock-and-key while network management would telnet right into the
> box bypassing the lock-and-key. I am reposting Dave's config to keep it all
> in the same post:
>
> hostname R2
> !
> username lock password 0 cisco
> username lock autocommand access-enable timeout 60
> username telnet password 0 cisco
> ip subnet-zero
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> !
> interface Serial0
> ip address 192.168.1.2 255.255.255.0
> ip access-group LOCK in
> encapsulation frame-relay
> ip ospf priority 0
> frame-relay map ip 192.168.1.1 201 broadcast
> frame-relay map ip 192.168.1.2 201
> frame-relay map ip 192.168.1.3 201
> frame-relay map ip 192.168.1.4 201
> no frame-relay inverse-arp
> frame-relay lmi-type ansi
> !
> interface Serial1
> ip address 20.2.2.2 255.255.255.0
> encapsulation ppp
> !
> router ospf 1
> log-adjacency-changes
> redistribute eigrp 100 subnets
> network 2.2.2.2 0.0.0.0 area 2
> network 192.168.1.0 0.0.0.255 area 0
> !
> ip access-list extended LOCK
> permit tcp any host 2.2.2.2 eq telnet
> dynamic KEY timeout 60 permit ip any any
>
> permit ospf any any
> !
> line con 0
> line aux 0
>
> line vty 0 4
> login local
> !
> end
>
> On 3/18/06, Mushtaq A. Khan <mak.ccie2b@gmail.com> wrote:
> >
> >
> > Phil,
> >
> > Thanks, I didn't quite get your solution. Could you please look at my
> > config in the attached email thread and provide me a solution.
> >
> > Dave,
> > I was still getting the same message (% List#LOCK_KEY-MYACL already
> > contains this IP address pair) until I used "autocommand-options nohangup".
> > Did you have to use the autocommand hangup in your lab as well? The other
> > thing I noticed is that I see a new dynamic ACL created but I don't see a
> > match in the dynamic ACL. I believe I should see this.
> >
> > The way I am testing this without the "autocommand hangup" is that I
> > first try to open a telnet session from the Switch; the first session gets
> > dropped, which is expected, but when I try it a second time I get the
> > following message. Am I testing it correctly? I didn't find a reference to
> > use the autocommand hangup command to make this work.
> >
> >
> > % List#LOCK_KEY-MYACL already contains this IP address pair
> >
> >
> > username test password 0 cisco
> >
> > Extended IP access list LOCK_KEY
> > 30 permit tcp 172.16.18.0 0.0.0.255 host 172.16.18.1 eq telnet
> > (3615 matches)
> > 50 Dynamic MYACL permit tcp 172.16.18.0 0.0.0.255 any eq telnet
> > permit tcp host 172.16.18.8 any eq telnet
> > 60 permit ip any any (890 matches)
> >
> >
> > line vty 0 4
> > login local
> > autocommand access-enable host timeout 2
> > autocommand-options nohangup
> >
> > Mushtaq
> >
> > On 3/18/06, PhiL <theccie@gmail.com> wrote:
> > >
> > > Mushtaq,
> > >
> > > Once you configure Lock and Key the default telnet port (23) will be
> > > used to "unlock" telnet. You need to configure "rotary x" under line vty to
> > > be able to telnet to the box itself:
> > >
> > > line vty 0 4
> > > password unlock
> > > logging synchronous
> > > autocommand access-enable host timeout 1440
> > > transport input telnet ssh
> > > line vty 5 100
> > > password unlock
> > > autocommand access-enable host timeout 1440
> > > transport input telnet ssh
> > > line vty 101 150
> > > password cisco
> > > rotary 1
> > > transport input telnet ssh
> > > line vty 151 181
> > > password cisco
> > > logging synchronous
> > > rotary 1
> > > transport input telnet ssh
> > >
> > > In the example above line vty 0 100 will be used only to unlock the
> > > lock and key, and line vty 101 181 will be used to telnet to the box itself
> > > on port 3001 (you must issue the command telnet x.x.x.x 3001 from your
> > > PC). You can also reverse it and have the command rotary 1 under line vty 0
> > > 100 and nothing under line vty 101 181. The rotary can be from 1 to 99 and
> > > the ports will be 3001 to 3099 respectively.
> > >
> > > PhiL
> > >
> > >
> > > On 3/18/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> > >
> > > Mushtaq - this is the correct operation (you don't need to use the
> > > key if you already unlocked the door). Now, you should be able to get through
> > > the router by whatever method you have in your dynamic ACL. Give it a try
> > > again and maybe post your configs too.
> > >
> > > Dave Schulz
> > > *** Sent from my Blackberry ***
> > >
> > > -----Original Message-----
> > > From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
> > > To: Schulz, Dave <DSchulz@dpsciences.com>
> > > CC: Cisco certification <ccielab@groupstudy.com>
> > > Sent: Fri Mar 17 17:50:53 2006
> > > Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
> > >
> > >
> > > Dave,
> > >
> > > You are right, the router took the command when I typed it in. It is
> > > strange.
> > > Anyway, I have another issue: even though I have both the idle and
> > > absolute timeout configured, when I try to open a telnet session from the
> > > Switch, the first session gets dropped, which is expected, but when I try it
> > > a second time I get the following message.
> > >
> > > % List#LOCK_KEY-MYACL already contains this IP address pair
> > >
> > > I tried it a couple of times but no luck.
> > > I remember seeing a similar issue with someone in the groupstudy posting
> > > but in my case it is not working.
> > >
> > > SW2#172.16.8.1
> > > Trying 172.16.8.1 ... Open
> > >
> > >
> > > User Access Verification
> > >
> > > Username: test
> > > Password:
> > > [Connection to 172.16.8.1 closed by foreign host]
> > > SW2#
> > > Rack01TS#1
> > > [Resuming connection 1 to r1 ... ]
> > >
> > > R1#sh ip access | beg LOCK
> > > Extended IP access list LOCK_KEY
> > > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81
> > > matches)
> > > 15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
> > > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> > > permit tcp host 172.16.8.8 any eq telnet
> > >
> > > SW2#172.16.8.1
> > > Trying 172.16.8.1 ... Open
> > >
> > >
> > > User Access Verification
> > >
> > > Username: test
> > > Password:
> > > % List#LOCK_KEY-MYACL already contains this IP address pair
> > > [Connection to 172.16.8.1 closed by foreign host]
> > > SW2#
> > > Rack01TS#1
> > > [Resuming connection 1 to r1 ... ]
> > >
> > > R1#sh ip access | beg LOCK
> > > Extended IP access list LOCK_KEY
> > > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153
> > > matches)
> > > 15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
> > > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> > > permit tcp host 172.16.8.8 any eq telnet
> > >
> > >
> > >
> > > Router Configurations:
> > >
> > >
> > > R1#sh run | inc username
> > > username test password 0 cisco
> > > username test autocommand access-enable host timeout 5
> > >
> > >
> > >
> > > R1#sh ip access | beg LOCK
> > > Extended IP access list LOCK_KEY
> > > 10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
> > > 15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
> > > 20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
> > >
> > > R1#sh run | beg vty
> > > line vty 0 4
> > > login local
> > >
> > > TIA
> > >
> > > Mushtaq
> > >
> > >
> > > On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
> > >
> > > This should work. However, I have noticed that some of the 12.2
> > > versions do not show the autocommand access-enable timeout when you do a
> > > ?. But, it is in there. Go ahead and try it. (similar to the ip pim
> > > autorp listener command)
> > >
> > >
> > > Dave Schulz,
> > > Email: dschulz@dpsciences.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Mushtaq A. Khan
> > > Sent: Friday, March 17, 2006 3:27 PM
> > > To: Cisco certification
> > > Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
> > >
> > >
> > > All,
> > >
> > > I am having trouble setting idle timeout with the *timeout* keyword in
> > > the *access-enable* command in the *autocommand* command. Is this an IOS
> > > limitation? I checked the DOC CD for 12.3 configuration and it sounds like
> > > it should be supported.
> > >
> > > Am I missing anything here? Can anyone shed some light on this? Is
> > > there a way I can achieve my goal as mentioned above?
> > >
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
> > >
> > > R1(config)#username test autocommand ?
> > > LINE Command to be automatically issued after the user logs in
> > >
> > > R1(config-line)#autocommand ?
> > > LINE Appropriate EXEC command
> > > no-suppress-linenumber Display service linenumber message
> > >
> > >
> > >
> > > R1#sh ver
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
> > > Copyright (c) 1986-2003 by cisco Systems, Inc.
> > > Compiled Tue 25-Nov-03 06:00 by kellythw
> > > Image text-base: 0x80008098, data-base: 0x81FFCCD8
> > >
> > > ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
> > >
> > > R1 uptime is 3 days, 5 hours, 36 minutes
> > > System returned to ROM by reload
> > > System restarted at 02:19:26 UTC Tue Mar 14 2006
> > > System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
> > >
> > > [....]
> > >
> > >
> > >
> > > TIA,
> > >
> > > Mushtaq
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > >
> > > PhiL
> > >
> >
> >
>
>
> --
> Regards,
>
>
> PhiL
>
--
Regards,
PhiL
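The two checks PhiL's closing note calls for (is the temporary entry scoped to a single host, and which `clear access-template` command removes it) can be run against `show ip access-lists` output rather than read off by eye. The script below is an added example, not code from this thread or from Cisco. Its inputs are constructed to mirror the outputs quoted above (the MYACL entry opened with `access-enable host`, and a `lockkey` entry opened without `host`, which copies the `any any` template), and the parsing assumes the layout shown in Mushtaq's `show ip access` output: temporary entries appear as un-numbered lines directly under their `Dynamic` line.

```python
"""Audit Cisco IOS lock-and-key state from 'show ip access-lists' and config text.

Added example; the inputs below are constructed, modelled on the outputs quoted
in the thread, and the line layout they assume is the one shown there.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed "show ip access-lists" output with two dynamic ACLs:
# MYACL was opened with "access-enable host" (single-host temporary entry),
# lockkey without "host" (the temporary entry copies the template: any any).
SHOW_ACCESS = """\
Extended IP access list LOCK_KEY
    10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
    15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
    20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
       permit tcp host 172.16.8.8 any eq telnet
Extended IP access list 150
    10 Dynamic lockkey permit ip any any
       permit ip any any
    20 deny ip any any log
"""

# Constructed config lines: one autocommand with "host", one without.
CONFIG = """\
username lock autocommand access-enable timeout 60
line vty 0 4
 autocommand access-enable host timeout 1440
"""

ACL_RE = re.compile(r"^Extended IP access list (\S+)")
DYNAMIC_RE = re.compile(r"^\s*\d+\s+Dynamic\s+(\S+)\s+(?:permit|deny)\s")
TEMP_RE = re.compile(r"^\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches?\))?$")


@dataclass
class TempEntry:
    """One temporary (access-enable created) entry under a Dynamic line."""
    acl: str
    dynamic: str
    protocol: str
    source: str
    dest: str

    @property
    def host_scoped(self) -> bool:
        # "host A.B.C.D" means only the authenticating host was opened.
        return self.source.startswith("host ")

    def clear_command(self) -> str:
        # Same shape as the command quoted in the thread:
        # clear access-template <acl> <dynamic-name> <source> <destination>
        return f"clear access-template {self.acl} {self.dynamic} {self.source} {self.dest}"


def _split_addresses(rest: str) -> Tuple[str, str]:
    """Split 'SRC DST [port...]'; each address is 'any', 'host A', or 'A WILDCARD'."""
    tokens = rest.split()
    addrs: List[str] = []
    i = 0
    while len(addrs) < 2 and i < len(tokens):
        if tokens[i] == "any":
            addrs.append("any")
            i += 1
        elif tokens[i] == "host":
            addrs.append(f"host {tokens[i + 1]}")
            i += 2
        else:
            addrs.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
    return addrs[0], addrs[1]


def temp_entries(show_output: str) -> List[TempEntry]:
    """Return the temporary entries currently open in every dynamic ACL."""
    entries: List[TempEntry] = []
    acl, dynamic = None, None
    for line in show_output.splitlines():
        if m := ACL_RE.match(line):
            acl, dynamic = m.group(1), None
        elif m := DYNAMIC_RE.match(line):
            dynamic = m.group(1)
        elif dynamic and (m := TEMP_RE.match(line)):
            # Un-numbered lines under a Dynamic line are the entries created by
            # access-enable; they disappear at the idle/absolute timeout or on
            # "clear access-template".
            src, dst = _split_addresses(m.group(3))
            entries.append(TempEntry(acl, dynamic, m.group(2), src, dst))
        elif re.match(r"^\s*\d+\s", line):
            dynamic = None  # next numbered entry ends the dynamic context
    return entries


def unscoped_autocommands(config: str) -> List[str]:
    """Return autocommand access-enable lines that omit the 'host' keyword."""
    return [
        line.strip()
        for line in config.splitlines()
        if "access-enable" in line and not re.search(r"\baccess-enable\s+host\b", line)
    ]


if __name__ == "__main__":
    for e in temp_entries(SHOW_ACCESS):
        scope = "host-scoped" if e.host_scoped else "NOT host-scoped"
        print(f"{e.acl}/{e.dynamic}: {e.protocol} {e.source} -> {e.dest} [{scope}]")
        print(f"  remove with: {e.clear_command()}")
    for line in unscoped_autocommands(CONFIG):
        print(f"missing 'host' keyword: {line}")
```

Run against real `show ip access-lists` and `show running-config` text, the first function lists who currently holds the lock open and prints the matching `clear access-template` line for each entry; the second flags any `access-enable` autocommand that would open the template for every source rather than the authenticating host.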
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3