From: Shamin (ccie.xpert@gmail.com)
Date: Fri Jan 19 2007 - 14:05:44 ART
Dear Friends,
The scenario is as below.
R4 (e0/0)<------ 164.1.47.0 ------>(FA0/4) SW1 (VLAN7)----->164.1.7.0/24
Q) Configure your network so that your administrator must authenticate to
SW1 using the username RDP and the password CISCO prior to using the Remote
Desktop connection on a Windows server on VLAN 7.
- Once he has authenticated to SW1, he alone should be able to access the
server in this manner.
- The windows server's IP address is 164.1.7.100
- Remote desktop connection is listening at the default TCP port of 3389
- To avoid a hijacking of the user's active session, ensure that they must
re-authenticate to SW1 every 10 minutes.
A)
SW1#
username RDP password CISCO
interface Vlan7
ip address 164.1.7.7 255.255.255.0
interface FastEthernet0/4
no switchport
ip address 164.1.47.7 255.255.255.0
ip access-group SECURITY in
ip access-list extended SECURITY
dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
deny tcp any host 164.1.7.100 eq 3389
permit ip any any
line vty 0 4
password cisco
login local
autocommand access-enable host timeout 10
-------------------------------------------------------------------------------
Now the question I have is, will this access-list "SECURITY" I have
configured on SW1 deny telnet access from R4 to SW1, if R4 tries to
telnet to SW1 on 164.1.47.7 port 23?
As per the solution guide, it says that after the above config, other
network admins can no longer telnet to SW1 to manage it remotely.
I am a bit confused here, as the access-list is only blocking access to the
particular IP on the particular port and permitting ip any any.
So this should not block other telnet sessions to sw1.
I am not sure if I am missing anything here. Please advise.
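The access-list behaviour the question turns on, as an added example that is not part of the original post or of the solution guide: a small Python simulation of first-match evaluation of the SECURITY list, with the temporary lock-and-key entry that "access-enable host" creates for the authenticated source host and that expires after the 10-minute idle timeout. R4's source address (164.1.47.4) and a second admin host (164.1.47.9) are assumed, and time is counted in whole minutes; the dynamic line's own absolute timeout keyword is not in the post and is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT_MIN = 10   # from "autocommand access-enable host timeout 10"
SERVER = "164.1.7.100"  # Windows server on VLAN 7

@dataclass
class Ace:
    """One line of the extended ACL. proto 'ip' matches any protocol,
    dport None matches any port, dynamic marks a lock-and-key line."""
    action: str
    proto: str
    dst: str                    # "any" or a single host address
    dport: Optional[int] = None
    dynamic: bool = False

# The SECURITY list from the post, in the order IOS evaluates it (first match wins).
SECURITY: List[Ace] = [
    Ace("permit", "tcp", SERVER, 3389, dynamic=True),
    Ace("deny",   "tcp", SERVER, 3389),
    Ace("permit", "ip",  "any"),
]

class LockAndKey:
    """Temporary entries created by 'access-enable host', keyed by source host."""
    def __init__(self) -> None:
        self.temp: Dict[str, int] = {}   # src host -> minute of last activity

    def access_enable(self, src: str, now: int) -> None:
        """The vty autocommand: the authenticated user's source host gets an entry."""
        self.temp[src] = now

    def evaluate(self, acl: List[Ace], src: str, dst: str,
                 proto: str, dport: int, now: int) -> str:
        for ace in acl:
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if ace.dst != "any" and ace.dst != dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            if ace.dynamic:
                last = self.temp.get(src)
                if last is None or now - last > IDLE_TIMEOUT_MIN:
                    self.temp.pop(src, None)   # idle too long: entry is gone
                    continue                   # dynamic line is inert for this host
                self.temp[src] = now           # matching traffic refreshes the idle timer
            return ace.action
        return "deny"   # implicit deny at the end of every IOS access list
```

Telnet from R4 to 164.1.47.7 port 23 never reaches the 3389 lines and is matched by "permit ip any any"; only RDP to the server is gated by the dynamic entry.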
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART