From: Shamin (ccie.xpert@gmail.com)
Date: Fri Jan 19 2007 - 20:28:48 ART
I understand that bit.
But if I am not telnetting host 164.1.7.100 at port 3389 as mentioned in
the access-list, and instead I telnet 164.1.47.7 at port 23 using the username
RDP and the password, then I will not match the deny statement. Will I? I
should match the permit ip any any statement.
This is where I am stuck.
Regards
On 1/20/07, Faryar Zabihi (fzabihi) <fzabihi@cisco.com> wrote:
>
>
> The task has to do with open access RDP, not whether you can get across the
> interface. If you can't authenticate you will NOT hit the permit on port
> 3389 (it's dynamic), but you WILL hit the deny RDP statement. Net result: if
> you don't authenticate, you cannot hit the dynamic permit of RDP. So no RDP
> to server. Which is what the task states.
>
> ------------------------------
> *From:* Shamin [mailto:ccie.xpert@gmail.com]
> *Sent:* Friday, January 19, 2007 5:01 PM
> *To:* Brian McGahan
> *Cc:* Faryar Zabihi (fzabihi); Cisco certification
> *Subject:* Re: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)
>
>
> Thanks Brian and Zabihi,
>
> But in the access-list configured, there is a permit ip any any statement
> at the end.
> So, for example, if I telnet from R4 to 164.1.47.7 on SW1 using the normal
> port 23 and I enter the correct username and password of RDP & CISCO, I
> should match the statement "permit ip any any" and should be let through, as
> the dynamic statement and the static deny statement only refer to telnet to
> host 167.1.7.100 at port 3389. As I will authenticate and as I don't match
> the dynamic and the static deny statement, I should be let in through the
> "permit ip any any" statement.
>
> Is my understanding correct, or is this some misunderstanding of the basics?
>
> Please help me understand this.
>
> regards
> Shamin
>
>
>
> On 1/20/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
> >
> > With the "autocommand access-enable" command under the VTY line
> > the router will interpret all telnet traffic as an attempt to open up
> > the dynamic ACL. If you use the "autocommand access-enable" at the
> > username level you can telnet to the router for management or for the
> > dynamic ACL. You can also use the "rotary" command under the VTY line
> > (or NAT if you want to get fancy) to change what port the router is
> > listening for management telnet traffic at.
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593 (R&S/SP)
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Faryar Zabihi (fzabihi)
> > Sent: Friday, January 19, 2007 10:06 AM
> > To: Shamin; Cisco certification
> > Subject: RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)
> >
> > The requirement has to do with RDP (TCP port 3389). The task wants the user
> > to authenticate before they can RDP to the server. The dynamic entry is
> > tied to the authenticated user only. So I think the requirement is
> > fulfilled. It never says you need to stop IP traffic, just authenticate
> > before allowing RDP.
> > My 2 cents
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Shamin
> > Sent: Friday, January 19, 2007 11:06 AM
> > To: Cisco certification
> > Subject: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)
> >
> > Dear Friends,
> >
> > The scenario is as below.
> >
> > R4 (e0/0)<-------------->(FA0/4) SW1( VLAN7)----->164.1.7.0/24
> > 164.1.47.0
> >
> >
> > Q) Configure your network so that your administrator must authenticate to
> > SW1 using the username RDP and the password CISCO prior to using the
> > remote desktop connection on a Windows server on VLAN 7.
> > - Once he has authenticated to SW1 he alone should be able to access
> > the server in this manner.
> > - The Windows server's IP address is 164.1.7.100.
> > - Remote desktop connection is listening at the default TCP port of 3389.
> > - To avoid a hijacking of the user's active session, ensure that they must
> > re-authenticate to SW1 every 10 minutes.
> >
> > A)
> >
> > SW1#
> >
> > username RDP password CISCO
> >
> > interface Vlan7
> > ip address 164.1.7.7 255.255.255.0
> >
> >
> > interface FastEthernet0/4
> > no switchport
> > ip address 164.1.47.7 255.255.255.0
> > ip access-group SECURITY in
> >
> > ip access-list extended SECURITY
> > dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
> > deny tcp any host 164.1.7.100 eq 3389
> > permit ip any any
> >
> >
> > line vty 0 4
> > password cisco
> > login local
> > autocommand access-enable host timeout 10
> >
> > -------------------------------------------------------------------------------
> >
> > Now the question I have is, will this access-list "SECURITY" I have
> > configured on SW1 deny telnet access from R4 to SW1, if R4 tries to
> > telnet SW1 on 164.1.47.7 port 23?
> >
> > As per the solution guide, it says that after the above config, other
> > network admins can no longer telnet to SW1 to manage it remotely.
> >
> > I am a bit confused here, as the access-list is only blocking access to
> > the particular IP on the particular port and permitting ip any any.
> > So this should not block other telnet sessions to SW1.
> >
> > I am not sure if I am missing anything here. Please advise.
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
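The variant Brian describes, with "autocommand access-enable" moved from the VTY line to the RDP username, as an added example that is not from the workbook or from anyone in this thread. The ADMIN account and its password are constructed placeholders; everything else is the SECURITY configuration quoted above.

```cisco
! Added example (not the lab solution): the same SECURITY ACL, but the
! access-enable autocommand is tied to the RDP user only. A login as RDP
! still triggers access-enable (and the automatic disconnect that follows
! it); any other local user gets a normal exec on the same VTY lines.
!
username RDP password CISCO
username RDP autocommand access-enable host timeout 10
! constructed placeholder management account
username ADMIN privilege 15 password ADMINPASS
!
interface FastEthernet0/4
 no switchport
 ip address 164.1.47.7 255.255.255.0
 ip access-group SECURITY in
!
ip access-list extended SECURITY
 dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
 deny tcp any host 164.1.7.100 eq 3389
 permit ip any any
!
line vty 0 4
 login local
 ! no line-level "autocommand access-enable" here. The ACL itself was never
 ! the problem: a telnet to 164.1.47.7:23 matches "permit ip any any". It was
 ! the VTY autocommand that ran access-enable and closed every session, so
 ! nobody could reach an exec prompt for management.
!
! Expected behaviour (check with "show ip access-lists SECURITY"):
! - telnet 164.1.47.7, login RDP/CISCO: a temporary entry is created for the
!   source host, the session is closed, and tcp/3389 to 164.1.7.100 is now
!   permitted from that host until the timeout expires
! - telnet 164.1.47.7, login ADMIN: normal exec prompt, no dynamic entry
! - tcp/3389 to 164.1.7.100 without authenticating: hits the deny, dropped
```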
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART