From: Radoslav Vasilev (deckland@gmail.com)
Date: Wed Aug 16 2006 - 11:18:22 ART
Hi Group,
I'm sorry to revive this discussion, but guys - none of your posts seem to
make any sense to me...
All the access-lists (classes) above are filtering the source addresses for
the telnet connections.
As far as I can tell, the initial requirement is to make access to lo0 with
privilege of 15 (or access to lo0, 1, 2, etc.).
I think what should be done is to make sure that connections coming to
this/these IP address(es) are isolated to a separate vty.
My suggestion:
line vty 15
rotary 1
privilege level 15
This will make sure that if someone connects to port 7000 + rotary group
(7001 in our case), the connection will always go to vty 15.
I'm suggesting this as we shouldn't be allowed to configure an
access-class on the vtys that would restrict all the other connection attempts
(those not to the loopback address(es)).
I have a problem with the access-class though - it seems that IOS doesn't
see the destination IP address for the incoming telnet packets:
Mar 2 20:54:51.644: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(21286) -> 0.0.0.0(7001), 1 packet
*Mar 2 20:55:04.276: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(58166) -> 0.0.0.0(7001), 1 packet
The access-list that logs is:
Extended IP access list RADO1
10 permit tcp any host 150.1.4.4 eq 7001
20 permit tcp any any log (2 matches)
As I couldn't find a way to limit access to this port (7001) from an
access-class, I would use an interface access-list on the physical
interfaces.
Any other ideas that could help my solution or reject it are appreciated ;)
Rado
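As an added example (not from any of the posters in this thread), the rotary plus interface-ACL approach described above laid out as a complete IOS configuration. It assumes Loopback0 is 150.1.4.4 (the address in the RADO1 list), a single physical interface FastEthernet0/0, rotary group 1 (so the rotary port is 7001), and a placeholder line password.

```cisco
! Added example, not from the thread. Assumes lo0 = 150.1.4.4,
! one physical interface (FastEthernet0/0) and rotary group 1.
!
! An access-class on a vty only matches the source address (the log
! lines in the thread show the destination as 0.0.0.0), so the
! destination check is done on the physical interface, where the
! real destination address is still visible.
ip access-list extended LO0-MGMT
 ! the rotary port is allowed only when the target is Loopback0
 permit tcp any host 150.1.4.4 eq 7001
 ! the rotary port on any other address (e.g. the interface IP) is dropped
 deny   tcp any any eq 7001 log
 ! everything else, including ordinary telnet to port 23, is left alone
 permit ip any any
!
interface FastEthernet0/0
 ip access-group LO0-MGMT in
!
! vty 15 is reserved for rotary group 1: a connection to TCP port
! 7001 always lands here and gets privilege level 15.
line vty 15
 rotary 1
 privilege level 15
 transport input telnet
 password <VTY-PASSWORD>
 login
!
! Verify with: show ip access-lists LO0-MGMT  (hit counts on the deny entry)
!              show users                      (sessions on vty 15)
```

Configuring `line vty 15` on a router that only had vty 0 4 also creates vty 5 through 14; give those lines the same access-class and transport settings as vty 0 4 so the new lines do not open an unintended path.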
On 8/12/06, Aaron Pilcher <apilcher@itgcs.com> wrote:
>
> ip access-list standard VTY
>  permit %lo0%
>
> line vty 0 4
>  access-class VTY in
>  privilege level 15
>  transport input telnet
>  login
>
>
> Or
>
> ip access-list extended VTY
>  permit tcp any host %lo0% eq 23
>
> line vty 0 4
>  access-class VTY in
>  privilege level 15
>  login
>
> I think the key word of the question is to give level 15 access, the other
> commands are just for completeness, and generally accomplish the same
> goal.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> secondie
> Sent: Friday, August 11, 2006 5:18 PM
> To: Victor Cappuccio
> Cc: 'ZeroFlash'; 'Patricia Loreal'; 'Cisco certification'
> Subject: Re: Telnet to loopback only
>
> For the sake of seeing why extended ACL would not work, I placed a "deny
> any any log" on access class and I noticed following in the debug:
>
> Mar 1 00:30:32.391: %SEC-6-IPACCESSLOGP: list vty-in denied tcp
> 192.168.1.32(2228) -> 0.0.0.0(23), 1 packet
>
> Why is the destination changed from 1.1.1.1 to "0.0.0.0"?
>
>
> Another question: Seems like access-class out does not work at all. I
> tried placing deny any any, but it had no effect.
>
> Any ideas?
>
>
> **** Config as below:
>
> ip telnet source-interface Loopback0
>
> interface Loopback0
> ip address 1.1.1.1 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 192.168.1.101 255.255.255.0
> duplex auto
> speed auto
> !
> ip access-list extended vty-in
> permit tcp any host 1.1.1.1 eq telnet log
> deny ip any any log
> !
> line vty 0 4
> access-class vty-in in
> password a
> login
>
> end
>
> -secondie
>
>
> Victor Cappuccio wrote:
> > Hi Guys,
> >
> > http://www.groupstudy.com/archives/ccielab/200604/msg01295.html
> >
> > Zero, that does not seem to be working
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ZeroFlash
> > Sent: Friday, August 11, 2006 4:13 PM
> > To: 'Patricia Loreal'; Cisco certification
> > Subject: RE: Telnet to loopback only
> >
> > I would actually use an extended ACL stating something like this:
> >
> > access-list 100 permit tcp any host 150.1.1.1 eq 23
> > access-list 100 permit tcp any host 150.1.2.2 eq 23
> > access-list 100 permit tcp any host 150.1.3.3 eq 23
> >
> > line vty 0 4
> > access-class 100 in
> >
> > ZeroFlash
> > CCIE #16217
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Patricia Loreal
> > Sent: Friday, August 11, 2006 4:03 PM
> > To: Cisco certification
> > Subject: Telnet to loopback only
> >
> > Dear Team!
> >
> > Task says: "make telnet to loopback0 access with privilege 15". Easy
> > enough, but IMO there is a catch here. The loopbacks assigned to routers are:
> >
> > 150.1.1.1/32
> > 150.1.2.2/32
> > 150.1.3.3/32
> >
> > Should I permit the whole loopback address range inbound on line vty
> > using a standard access-list?
> >
> > access-list 1 permit 150.1.1.1
> > access-list 1 permit 150.1.2.2
> > access-list 1 permit 150.1.3.3
> >
> > line vty 0 4
> > access-class 1 in
> >
> > Opinions about this are highly appreciated
> >
> > Thanks
> > Patricia
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART