RE: Telnet to loopback only

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Wed Aug 16 2006 - 11:41:45 ART


Rado,

The discussion here is about the fact that the destination of the ACL applied to the
line vty is not checked.

As you see in your own log:

Mar 2 20:54:51.644: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(21286) -> 0.0.0.0(7001), 1 packet
Mar 2 20:55:04.276: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(58166) -> 0.0.0.0(7001), 1 packet

The destination port is changed because of the rotary applied in your line vty
config, but the thing here is the 0.0.0.0 destination IP address.

Now from my understanding, the loopback of that router could have

interface Loopback0
 ip address 150.1.1.1 255.255.255.255
 ip address 150.1.2.2 255.255.255.255 secondary
 ip address 150.1.3.3 255.255.255.255 secondary

Or it just could have

 ip address 150.1.1.1 255.255.255.255

So in this particular scenario, how can we force IOS to make the ACL work for a
particular destination IP address, without taking into consideration the ANY
keyword at the destination of the ACL applied to the line vty 0 -> (0--.X)?

Hope all the other posts make sense now.

Regards

Victor.-
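As an added illustration (mine, not from anyone in the thread) of what the quoted log shows: access-class is handed a 0.0.0.0 destination, so an entry with a host destination can never match and evaluation falls through to the next entry. The ACL RADO1 and the two log lines are taken from the thread; the parser and the first-match evaluator are a simplified model of IOS ACL processing, not IOS code.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the two %SEC-6-IPACCESSLOGP lines quoted in the thread.
SAMPLE_LOG = """\
Mar 2 20:54:51.644: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp 155.1.46.6(21286) -> 0.0.0.0(7001), 1 packet
Mar 2 20:55:04.276: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp 155.1.46.6(58166) -> 0.0.0.0(7001), 1 packet
"""
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) ?\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:  # one extended-ACL entry, limited to what the thread uses; dport None = any port
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = None

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

# Rado's ACL RADO1 exactly as shown in the thread.
RADO1 = [Ace(10, "permit", "tcp", ANY, ipaddress.ip_network("150.1.4.4/32"), 7001),
         Ace(20, "permit", "tcp", ANY, ANY)]

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; (None, 'deny') models the implicit deny at the end."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.seq, ace.action
    return None, "deny"

def parse_log(text):
    """Return the 5-tuple IOS logged for each access-class hit (ports as ints)."""
    hits = [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]
    for h in hits:
        h["sport"], h["dport"] = int(h["sport"]), int(h["dport"])
    return hits

def rotary_group(dport):  # 7000 + n is the rotary-group telnet port used in the thread
    return dport - 7000 if 7000 < dport < 7100 else None
```

Replaying a parsed hit with `evaluate(RADO1, ...)` returns entry 20 for the logged 0.0.0.0 destination and entry 10 only when the real loopback address is supplied, which is why the `any any` entry collected the matches.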

  _____

From: Radoslav Vasilev [mailto:deckland@gmail.com]
Sent: Wednesday, 16 August 2006 10:18 a.m.
To: Aaron Pilcher
CC: Patricia Loreal; ZeroFlash; Cisco certification; secondie; Victor
Cappuccio
Subject: Re: Telnet to loopback only

Hi Group,

I'm sorry to revive this discussion, but guys - none of your posts seem to
make any sense to me...

All the access-lists (classes) above are filtering the source addresses of
the telnet connections.
As far as I can tell, the initial requirement is to give access to lo0 with
privilege 15 (or access to lo0, 1, 2, etc.).

I think what should be done is to make sure that connections coming to
this/these IP address(es) are isolated to a separate vty.

my suggestion:

line vty 15
 rotary 1
 privilege level 15

This will make sure that if someone connects to port 7000 + rotary group
(7001 in our case), it will always go to vty 15.
I'm suggesting this as it shouldn't be allowed for us to configure an
access-class on the vtys that would restrict all the other connection attempts
(the ones not to the loopback address(es)).

I have a problem with the access-class though - it seems that IOS doesn't
see the destination IP address of the incoming telnet packets:

Mar 2 20:54:51.644: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(21286) -> 0.0.0.0(7001), 1 packet
*Mar 2 20:55:04.276: %SEC-6-IPACCESSLOGP: list RADO1 permitted tcp
155.1.46.6(58166) -> 0.0.0.0(7001), 1 packet

the access-list that logs is:

Extended IP access list RADO1
    10 permit tcp any host 150.1.4.4 eq 7001
    20 permit tcp any any log (2 matches)

As I couldn't find a way to limit access to this port (7001) from an
access-class, I would use an interface access-list on the physical
interfaces.

Any other ideas that could help my solution or reject it are appreciated ;)

Rado

On 8/12/06, Aaron Pilcher <apilcher@itgcs.com> wrote:

ip access-list standard VTY
 permit %lo0%

line vty 0 4
 access-class VTY in
 privilege level 15
 transport input telnet
 login

Or

ip access-list extended VTY
 permit tcp any host %lo0% eq 23

line vty 0 4
 access-class VTY in
 privilege level 15
 login

I think the key word of the question is to give level 15 access, the other
commands are just for completeness, and generally accomplish the same goal.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
secondie
Sent: Friday, August 11, 2006 5:18 PM
To: Victor Cappuccio
Cc: 'ZeroFlash'; 'Patricia Loreal'; 'Cisco certification'
Subject: Re: Telnet to loopback only

For the sake of seeing why an extended ACL would not work, I placed a "deny
any any log" on the access-class and noticed the following in the debug:

Mar 1 00:30:32.391: %SEC-6-IPACCESSLOGP: list vty-in denied tcp
192.168.1.32(2228) -> 0.0.0.0(23), 1 packet

Why is the destination changed from 1.1.1.1 to "0.0.0.0"?

Another question: it seems like access-class out does not work at all. I
tried placing deny any any, but it had no effect.

Any ideas ??

**** Config as below:

ip telnet source-interface Loopback0

interface Loopback0
  ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 192.168.1.101 255.255.255.0
  duplex auto
  speed auto
!
ip access-list extended vty-in
  permit tcp any host 1.1.1.1 eq telnet log
  deny ip any any log
!
line vty 0 4
  access-class vty-in in
  password a
  login

end

-secondie

Victor Cappuccio wrote:
> Hi Guys,
>
> http://www.groupstudy.com/archives/ccielab/200604/msg01295.html
>
> Zero, that does not seem to be working
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ZeroFlash
> Sent: Friday, 11 August 2006 04:13 p.m.
> To: 'Patricia Loreal'; Cisco certification
> Subject: RE: Telnet to loopback only
>
> I would actually use an extended ACL stating something like this:
>
> access-list 100 permit tcp any host 150.1.1.1 eq 23
> access-list 100 permit tcp any host 150.1.2.2 eq 23
> access-list 100 permit tcp any host 150.1.3.3 eq 23
>
> line vty 0 4
>  access-class 100 in
>
> ZeroFlash
> CCIE #16217
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Patricia Loreal
> Sent: Friday, August 11, 2006 4:03 PM
> To: Cisco certification
> Subject: Telnet to loopback only
>
> Dear Team!
>
> Task says: "make telnet to loopback0 access with privilege 15". Easy enough,
> but IMO there is a catch here. The loopbacks assigned to the routers are:
>
> 150.1.1.1/32
> 150.1.2.2/32
> 150.1.3.3/32
>
> Should I permit all the loopback addresses at line vty in using a standard
> access-list?
>
> access-list 1 permit 150.1.1.1
> access-list 1 permit 150.1.2.2
> access-list 1 permit 150.1.3.3
>
> line vty 0 4
> access-class 1 in
>
> Opinions about this are highly appreciated
>
> Thanks
> Patricia
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART