From: Shamin (ccie.xpert@gmail.com)
Date: Fri Jan 19 2007 - 20:00:45 ART
Thanks Brian and Zabihi,
But in the access-list configured, there is a permit ip any any statement at
the end.
So, for example, if I telnet from R4 to 164.1.47.7 on SW1 using the normal port
23 and I enter the correct username and password of RDP & CISCO, I should
match the statement "permit ip any any" and should be let through, as the
dynamic statement and the static deny statement only refer to telnet to
host 167.1.7.100 at port 3389. As I will authenticate, and as I don't match
the dynamic and the static deny statement, I should be let in through the
"permit ip any any" statement.
Is my understanding correct, or is there some misunderstanding of the basics?
Please help me understand this.
regards
Shamin
On 1/20/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
>
> With the "autocommand access-enable" command under the VTY line
> the router will interpret all telnet traffic as an attempt to open up
> the dynamic ACL. If you use the "autocommand access-enable" at the
> username level you can telnet to the router for management or for the
> dynamic ACL. You can also use the "rotary" command under the VTY line
> (or NAT if you want to get fancy) to change what port the router is
> listening for management telnet traffic at.
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP)
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Faryar Zabihi (fzabihi)
> Sent: Friday, January 19, 2007 10:06 AM
> To: Shamin; Cisco certification
> Subject: RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)
>
> The requirement has to do with RDP (TCP port 3389). The task wants users
> to authenticate before they can RDP to the server. The dynamic entry is
> tied to the authenticated user only. So I think the requirement is
> fulfilled. It never says you need to stop IP traffic, just authenticate
> before allowing RDP.
> My 2 cents
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Shamin
> Sent: Friday, January 19, 2007 11:06 AM
> To: Cisco certification
> Subject: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)
>
> Dear Friends,
>
> The scenario is as below.
>
> R4 (e0/0)<-------------->(FA0/4) SW1( VLAN7)----->164.1.7.0/24
> 164.1.47.0
>
>
> Q) Configure your network so that your administrator must authenticate
> to Sw1 using the username RDP and the password CISCO prior to using the
> remote desktop connection on a Windows server on VLAN 7.
> - Once he has authenticated to Sw1, he alone should be able to access
> the server in this manner.
> - The Windows server's IP address is 164.1.7.100.
> - Remote desktop connection is listening at the default TCP port of
> 3389.
> - To avoid a hijacking of the user's active session, ensure that they
> must re-authenticate to Sw1 every 10 minutes.
>
> A)
>
> SW1#
>
> username RDP password CISCO
>
> interface Vlan7
> ip address 164.1.7.7 255.255.255.0
>
>
> interface FastEthernet0/4
> no switchport
> ip address 164.1.47.7 255.255.255.0
> ip access-group SECURITY in
>
> ip access-list extended SECURITY
> dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
> deny tcp any host 164.1.7.100 eq 3389
> permit ip any any
>
>
> line vty 0 4
> password cisco
> login local
> autocommand access-enable host timeout 10
>
> -------------------------------------------------------------------------------
>
> Now the question I have is, will this access-list "SECURITY" I have
> configured on SW1 deny telnet access from R4 to Sw1, if R4 tries to
> telnet SW1 on 164.1.47.7 port 23?
>
> As per the solution guide, it says that after the above config, other
> network admins can no longer telnet to Sw1 to manage it remotely.
>
> I am a bit confused here, as the access-list is only blocking access to
> the particular IP on the particular port and permitting ip any any.
> So this should not block other telnet sessions to Sw1.
>
> I am not sure if I am missing anything here. Please advise.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
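The behaviour the thread is arguing about, as an added Python model that is not part of the original posts or of IOS: the ACL itself evaluates first-match and lets the telnet to 164.1.47.7:23 through on "permit ip any any", while it is the VTY autocommand that consumes the login and closes the session. It assumes a single-host dynamic entry (access-enable "host"), a 10-minute idle timeout, a constructed second management account "admin"/"secret", and a flag for whether the autocommand sits on the VTY line or on the RDP username.

```python
from dataclasses import dataclass, field

SERVER = "164.1.7.100"          # Windows server on VLAN 7 (from the task)
USERS = {"RDP": "CISCO", "admin": "secret"}   # "admin" is a constructed extra account


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class LockAndKeyACL:
    """Models ip access-list extended SECURITY: dynamic entry, static deny, permit ip any any."""
    idle_timeout_min: int = 10
    dynamic: dict = field(default_factory=dict)   # authenticated src host -> last activity time (s)

    def access_enable(self, src: str, now: float) -> None:
        """Effect of 'access-enable host timeout 10': temporary entry for the caller's host only."""
        self.dynamic[src] = now

    def evaluate(self, pkt: Packet, now: float) -> str:
        # 1. dynamic entry: permit tcp <authenticated host> host 164.1.7.100 eq 3389
        last = self.dynamic.get(pkt.src)
        if last is not None and now - last > self.idle_timeout_min * 60:
            del self.dynamic[pkt.src]                 # idle timeout expired: entry is removed
            last = None
        if last is not None and pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 3389:
            self.dynamic[pkt.src] = now               # matching traffic refreshes the idle timer
            return "permit (dynamic)"
        # 2. static entry: deny tcp any host 164.1.7.100 eq 3389
        if pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 3389:
            return "deny"
        # 3. permit ip any any (this is what the management telnet to 164.1.47.7:23 matches)
        return "permit"


def vty_login(acl: LockAndKeyACL, src: str, username: str, password: str,
              now: float, autocommand_on_line: bool = True) -> str:
    """Models 'line vty 0 4 / login local' with the autocommand either on the line or on the username."""
    if USERS.get(username) != password:
        return "login failed"
    # On the VTY line the autocommand runs for every user; on the username only for RDP.
    if autocommand_on_line or username == "RDP":
        acl.access_enable(src, now)
        return "dynamic entry created, session closed"
    return "exec shell (management session)"
```

Run the model with telnet to 164.1.47.7 port 23 and with RDP to the server before and after authentication to see that the ACL never denies the telnet; only the line-level autocommand prevents a management session.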
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART