RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

From: Faryar Zabihi \(fzabihi\) (fzabihi@cisco.com)
Date: Fri Jan 19 2007 - 15:06:18 ART


The requirement has to do with RDP (TCP port 3389). The task wants the user
to authenticate before they can RDP to the server. The dynamic entry is
tied to the authenticated user only, so I think the requirement is
fulfilled. It never says you need to stop IP traffic, just authenticate
before allowing RDP.
My 2 cents

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Shamin
Sent: Friday, January 19, 2007 11:06 AM
To: Cisco certification
Subject: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

 Dear Friends,

The scenario is as below.

R4 (e0/0)<-------------->(FA0/4) SW1( VLAN7)----->164.1.7.0/24
               164.1.47.0

Q) Configure your network so that your administrator must authenticate to
SW1 using the username RDP and the password CISCO prior to using the
Remote Desktop Connection on a Windows server on VLAN 7.
  - Once he has authenticated to SW1 he alone should be able to access
the server in this manner.
  - The Windows server's IP address is 164.1.7.100.
  - Remote Desktop Connection is listening on the default TCP port of
3389.
  - To avoid a hijacking of the user's active session, ensure that they
must re-authenticate to SW1 every 10 minutes.

A)

SW1#

username RDP password CISCO
!
interface Vlan7
 ip address 164.1.7.7 255.255.255.0
!
interface FastEthernet0/4
 no switchport
 ip address 164.1.47.7 255.255.255.0
 ip access-group SECURITY in
!
ip access-list extended SECURITY
 dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
 deny tcp any host 164.1.7.100 eq 3389
 permit ip any any
!
line vty 0 4
 password cisco
 login local
 autocommand access-enable host timeout 10

-------------------------------------------------------------------------------

Now the question I have is: will this access-list "SECURITY" I have
configured on SW1 deny telnet access from R4 to SW1 if R4 tries to
telnet to SW1 on 164.1.47.7 port 23?

As per the solution guide, it says that after the above config, other
network admins can no longer telnet to SW1 to manage it remotely.

I am a bit confused here, as the access-list is only blocking access to
the particular IP on the particular port and permitting ip any any,
so this should not block other telnet sessions to SW1.

I am not sure if I am missing anything here. Please advise.
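To make the ACL question concrete, here is a small model of how IOS walks the SECURITY access-list from the post, including the lock-and-key dynamic entry. This is an added example written for this thread, not Cisco code and not part of the original post. It assumes R4 sources traffic from 164.1.47.4 (the page gives only the 164.1.47.0 subnet and SW1's 164.1.47.7), uses a simulated clock in minutes, and treats the `timeout 10` on `access-enable host` as the idle timeout it is in IOS; the class and function names are made up for illustration. It also shows what the ACL does not do: a telnet from R4 to 164.1.47.7 port 23 falls through to `permit ip any any`. What changes management access is the vty `autocommand`: on IOS an autocommand runs at login and the session is closed when it finishes, so anyone who telnets in gets `access-enable` and a disconnect rather than an exec prompt.

```python
"""Model of IOS ACL evaluation with a lock-and-key dynamic entry.

Added example for the thread above; names, the R4 address (164.1.47.4)
and the minute-based clock are assumptions, not Cisco code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip" ("ip" matches every protocol)
    dst: str                     # "any" or a host address (source is "any" in all entries here)
    dport: Optional[int] = None  # None matches any destination port
    dynamic: bool = False        # lock-and-key template: never matches by itself


@dataclass
class ActiveDynamic:
    src_host: str    # authenticated user's source address (access-enable host)
    last_hit: float  # simulated clock, minutes, for the idle timeout


class LockAndKeyACL:
    def __init__(self, entries: List[Entry], idle_timeout: int):
        self.entries = entries
        self.idle_timeout = idle_timeout  # from "access-enable host timeout 10"
        self.active: List[ActiveDynamic] = []

    def access_enable(self, src_host: str, now: float) -> None:
        """What the vty autocommand does once a user has logged in."""
        self.active.append(ActiveDynamic(src_host, now))

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int], now: float) -> str:
        # Idle-expired per-host instances are removed before matching.
        self.active = [a for a in self.active
                       if now - a.last_hit < self.idle_timeout]
        for e in self.entries:
            if e.dynamic:
                # Only the per-host instances created by access-enable match,
                # and they sit at the template's position, above the deny.
                for a in self.active:
                    if a.src_host == src and self._match(e, proto, dst, dport):
                        a.last_hit = now
                        return e.action
                continue
            if self._match(e, proto, dst, dport):
                return e.action
        return "deny"  # implicit deny at the end of every IOS ACL

    @staticmethod
    def _match(e: Entry, proto: str, dst: str, dport: Optional[int]) -> bool:
        if e.proto != "ip" and e.proto != proto:
            return False
        if e.dst != "any" and e.dst != dst:
            return False
        if e.dport is not None and e.dport != dport:
            return False
        return True


def build_security_acl() -> LockAndKeyACL:
    """The three lines of 'ip access-list extended SECURITY' from the post."""
    return LockAndKeyACL([
        Entry("permit", "tcp", "164.1.7.100", 3389, dynamic=True),  # dynamic REMOTE->DESK
        Entry("deny", "tcp", "164.1.7.100", 3389),
        Entry("permit", "ip", "any"),
    ], idle_timeout=10)


def walkthrough() -> dict:
    """Constructed packets from R4's assumed address against the ACL on Fa0/4."""
    acl = build_security_acl()
    r4, sw1, server = "164.1.47.4", "164.1.47.7", "164.1.7.100"
    out = {}
    # Telnet to SW1 itself is not touched by the dynamic/deny pair.
    out["telnet_to_sw1"] = acl.evaluate("tcp", r4, sw1, 23, now=0)
    out["rdp_before_auth"] = acl.evaluate("tcp", r4, server, 3389, now=0)
    acl.access_enable(r4, now=0)  # admin logged in as RDP/CISCO from R4
    out["rdp_after_auth"] = acl.evaluate("tcp", r4, server, 3389, now=1)
    out["rdp_other_host"] = acl.evaluate("tcp", "164.1.47.9", server, 3389, now=1)
    out["rdp_after_idle"] = acl.evaluate("tcp", r4, server, 3389, now=12)
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The order of the entries is the point of the dynamic line: its per-host instance is inserted where the template sits, above the static deny, so only the source that ran `access-enable host` gets through, and only until the idle timer expires.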



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART