RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

From: Faryar Zabihi \(fzabihi\) (fzabihi@cisco.com)
Date: Fri Jan 19 2007 - 20:22:22 ART

The task has to do with open access RDP. Not if you can get across the
interface. If you cant authenticate you will NOT hit the permit on
port 3389(its dynamic) but you WILL hit the deny RDP statement. Net
result...if you dont authenticate, you can not hit the dynamic permit of
RDP. So no RDP to sevrer. Which the task states.

________________________________

From: Shamin [mailto:ccie.xpert@gmail.com]
Sent: Friday, January 19, 2007 5:01 PM
To: Brian McGahan
Cc: Faryar Zabihi (fzabihi); Cisco certification
Subject: Re: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

Thanks Brian and Zabihi,

But in the access-list configured, there is a permit ip any any
statement at the end,
So for example, If I telnet from R4 to 164.1.47.7 on sw1 using the
normal 23 port and I enter the correct username and password of RDP &
CISCO , I should match the statement "permit ip any any" and should be
let through. As the dynamic statement and the static deny statements
only refer to telnet to host 167.1.7.100 at port 3389. As I will
authenticate and as i dont match the dynamic and the static deny
statment, I should be let in through the " permit ip any any statement.

Is my understanding correct or some misunderstanding of the basics.

Please help me understand this.

regards
Shamin

On 1/20/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:

               With the "autocommand access-enable" command under the
VTY line
        the router will interpret all telnet traffic as an attempt to
open up
        the dynamic ACL. If you use the "autocommand access-enable" at
the
        username level you can telnet to the router for management or
for the
        dynamic ACL. You can also use the "rotary" command under the
VTY line
        (or NAT if you want to get fancy) to change what port the router
is
        listening for management telnet traffic at.

        HTH,

        Brian McGahan, CCIE #8593 (R&S/SP)
        bmcgahan@internetworkexpert.com

        Internetwork Expert, Inc.
        http://www.InternetworkExpert.com
        Toll Free: 877-224-8987 x 705
        Outside US: 775-826-4344 x 705
        24/7 Support: http://forum.internetworkexpert.com
        Live Chat: http://www.internetworkexpert.com/chat/

        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of
        Faryar Zabihi (fzabihi)
        Sent: Friday, January 19, 2007 10:06 AM
        To: Shamin; Cisco certification
        Subject: RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

        The requirement has to do with RDP(tcp port 3389) The task
wants user
        to authenticate before they can RDP to server. The dynamic
entry is
        tied to the authenticated user only. So I think the requirement
is
        fulfilled. It never says you need to stop IP traffic just
authenticate
        before allowing RDP
        My 2 cents

        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of
        Shamin
        Sent: Friday, January 19, 2007 11:06 AM
        To: Cisco certification
        Subject: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

        Dear Friends,

        The scenario is as below.

        R4 (e0/0)<-------------->(FA0/4) SW1( VLAN7)----->164.1.7.0/24
                      164.1.47.0

        Q) Configure your network so that your administrator must
authenticate
        to
        Sw1 using the username RDP and the password CISCO prior to
using the
        remote desktop connection on a windows swrver on vlan 7
        - Once he has authenticated to sw1 he alone should be able to
acces
        the server in this manner.
        - The windows server's IP address is 164.1.7.100
        - Remote desktop connection is listening at the default TCP
port of
        3389
        - To avoid a hikacking of the users active session , ensure
that they
        must
        re- authenticate to sw1 every 10 minutes.

        A)

          SW1#

        username RDP password CISCO

        interface Vlan7
        ip address 164.1.7.7 255.255.255.0

        interface FastEthernet0/4
        no switchport
        ip address 164.1.47.7 255.255.255.0
        ip access-group SECURITY in

        ip access-list extended SECURITY
        dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
        deny tcp any host 164.1.7.100 eq 3389
        permit ip any any

        line vty 0 4
        password cisco
        login local
        autocommand access-enable host timeout 10

------------------------------------------------------------------------
        -------

        Now the question I have is , will this access-list "SECURITY" i
have
        configured on SW1, deny telnet access from R4 to Sw1 , If R4
tries to
        telnet SW1 on 164.1.47.7 port 23 .

        As per the solution guide , it says that after the above config,
other
        Network admins can no longer telnet to sw1 to manage it
remotely.

        I am a bit confused here, as the access-list is only blocking
access to
        the particular IP on the particular port and permiting ip any
any.
        So this should not block other telnet sessions to sw1.

        I am not sure if i am missing anything here. Please advice

This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART