RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

From: Faryar Zabihi \(fzabihi\) (fzabihi@cisco.com)
Date: Fri Jan 19 2007 - 20:36:26 ART


You are not telnetting on port 3389; it is RDP on 3389.
You telnet to .7 on port 23 (the default, but you can change it) and
authenticate. Once you do that, you use RDP to get to the server at .100.
________________________________

From: Shamin [mailto:ccie.xpert@gmail.com]
Sent: Friday, January 19, 2007 5:29 PM
To: Faryar Zabihi (fzabihi)
Cc: Brian McGahan; Cisco certification
Subject: Re: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

I understand that bit.

But if I am not telnetting to host 164.1.7.100 at port 3389 as mentioned
in the access-list, and instead I telnet to 164.1.47.7 at port 23 using
the username RDP and the password, then I will not match the deny
statement, will I? I should match the permit ip any any statement.

This is where I am stuck

Regards

On 1/20/07, Faryar Zabihi (fzabihi) <fzabihi@cisco.com> wrote:

        The task has to do with open access RDP, not whether you can get
        across the interface. If you can't authenticate you will NOT hit the
        permit on port 3389 (it's dynamic) but you WILL hit the deny RDP
        statement. Net result: if you don't authenticate, you cannot hit the
        dynamic permit of RDP, so no RDP to the server, which is what the task
        states.

________________________________

        From: Shamin [mailto:ccie.xpert@gmail.com]
        Sent: Friday, January 19, 2007 5:01 PM
        To: Brian McGahan
        Cc: Faryar Zabihi (fzabihi); Cisco certification
        Subject: Re: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

        Thanks Brian and Zabihi,

        But in the access-list configured, there is a permit ip any any
        statement at the end. So for example, if I telnet from R4 to
        164.1.47.7 on sw1 using the normal port 23 and I enter the correct
        username and password of RDP & CISCO, I should match the statement
        "permit ip any any" and should be let through, as the dynamic
        statement and the static deny statement only refer to telnet to host
        167.1.7.100 at port 3389. As I will authenticate, and as I don't
        match the dynamic and the static deny statement, I should be let in
        through the "permit ip any any" statement.

        Is my understanding correct, or is there some misunderstanding of
        the basics?

        Please help me understand this.

        regards
        Shamin

        On 1/20/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:

                With the "autocommand access-enable" command under the VTY
                line, the router will interpret all telnet traffic as an
                attempt to open up the dynamic ACL. If you use the
                "autocommand access-enable" at the username level, you can
                telnet to the router for management or for the dynamic ACL.
                You can also use the "rotary" command under the VTY line (or
                NAT if you want to get fancy) to change what port the router
                is listening for management telnet traffic at.

                HTH,

                Brian McGahan, CCIE #8593 (R&S/SP)
                bmcgahan@internetworkexpert.com

                Internetwork Expert, Inc.
                http://www.InternetworkExpert.com
                Toll Free: 877-224-8987 x 705
                Outside US: 775-826-4344 x 705
                24/7 Support: http://forum.internetworkexpert.com
                Live Chat: http://www.internetworkexpert.com/chat/

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
                Faryar Zabihi (fzabihi)
                Sent: Friday, January 19, 2007 10:06 AM
                To: Shamin; Cisco certification
                Subject: RE: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

                The requirement has to do with RDP (TCP port 3389). The task
                wants the user to authenticate before they can RDP to the
                server. The dynamic entry is tied to the authenticated user
                only. So I think the requirement is fulfilled. It never says
                you need to stop IP traffic, just authenticate before allowing
                RDP.
                My 2 cents

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
                Shamin
                Sent: Friday, January 19, 2007 11:06 AM
                To: Cisco certification
                Subject: IEWB LAB 10 Ver3.0 VOL 1 - TASK 9 (Lock & Key)

                Dear Friends,

                The scenario is as below.

                R4 (e0/0)<-------------->(FA0/4) SW1 (VLAN7)-----> 164.1.7.0/24
                              164.1.47.0

                Q) Configure your network so that your administrator must
                authenticate to Sw1 using the username RDP and the password
                CISCO prior to using the remote desktop connection on a
                Windows server on VLAN 7.
                - Once he has authenticated to sw1 he alone should be able to
                  access the server in this manner.
                - The Windows server's IP address is 164.1.7.100
                - Remote desktop connection is listening at the default TCP
                  port of 3389
                - To avoid a hijacking of the user's active session, ensure
                  that they must re-authenticate to sw1 every 10 minutes.

                A)

                SW1#

                username RDP password CISCO

                interface Vlan7
                 ip address 164.1.7.7 255.255.255.0

                interface FastEthernet0/4
                 no switchport
                 ip address 164.1.47.7 255.255.255.0
                 ip access-group SECURITY in

                ip access-list extended SECURITY
                 dynamic REMOTE->DESK permit tcp any host 164.1.7.100 eq 3389
                 deny tcp any host 164.1.7.100 eq 3389
                 permit ip any any

                line vty 0 4
                 password cisco
                 login local
                 autocommand access-enable host timeout 10

                -------------------------------------------------------------------------------

                Now the question I have is, will this access-list "SECURITY"
                I have configured on SW1 deny telnet access from R4 to Sw1,
                if R4 tries to telnet SW1 on 164.1.47.7 port 23?

                As per the solution guide, it says that after the above
                config, other network admins can no longer telnet to sw1 to
                manage it remotely.

                I am a bit confused here, as the access-list is only blocking
                access to the particular IP on the particular port and
                permitting ip any any. So this should not block other telnet
                sessions to sw1.

                I am not sure if I am missing anything here. Please advise.
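As an added illustration (not code from the thread or the workbook), here is a small Python model of how the SECURITY list above is evaluated before and after a lock-and-key entry is enabled for one source host; R4's address (164.1.47.4) and the minute-based clock are constructed assumptions. It shows the point the replies make: the ACL never touches port 23 to the switch, RDP to .100 is denied until access-enable has run, and the temporary entry belongs to the authenticating host only and idles out after 10 minutes without traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "ip" ("ip" matches every protocol)
    dst: str               # destination host, or "any"
    port: Optional[int]    # destination TCP port, None for any port
    dynamic: bool = False  # lock-and-key entry: inactive until access-enable

# Constructed model of the SECURITY list from the thread, in the order written.
SECURITY: List[Entry] = [
    Entry("permit", "tcp", "164.1.7.100", 3389, dynamic=True),  # dynamic REMOTE->DESK
    Entry("deny", "tcp", "164.1.7.100", 3389),
    Entry("permit", "ip", "any", None),
]

class LockAndKey:
    """Per-host temporary entries created by 'autocommand access-enable host
    timeout N'. N is an idle timeout: each permitted match refreshes it."""

    def __init__(self, acl: List[Entry], idle_minutes: int = 10) -> None:
        self.acl = acl
        self.idle = idle_minutes
        self.enabled: Dict[str, int] = {}  # source host -> expiry (minutes)

    def access_enable(self, src: str, now: int) -> None:
        # Runs when the telnet user authenticates; src is the telnet peer.
        self.enabled[src] = now + self.idle

    def evaluate(self, src: str, proto: str, dst: str,
                 port: Optional[int], now: int) -> str:
        """First matching entry wins; implicit deny if nothing matches."""
        for e in self.acl:
            if e.dynamic and not (src in self.enabled and now < self.enabled[src]):
                continue  # no live temporary entry for this host: skip the dynamic line
            if e.proto != "ip" and e.proto != proto:
                continue
            if e.dst != "any" and e.dst != dst:
                continue
            if e.port is not None and e.port != port:
                continue
            if e.dynamic:
                self.enabled[src] = now + self.idle  # traffic refreshes idle timer
            return e.action
        return "deny"
```

The model deliberately leaves out the VTY autocommand itself, which is what actually ends the telnet session and stops management telnet; moving access-enable to the username or using a rotary port, as Brian describes, is handled on the VTY side, not in the ACL.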



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART