Re: RE: Lock&key

From: ian (iyux2000@gmail.com)
Date: Mon Mar 12 2007 - 21:06:22 ART


Victor Cappuccio, how are you!

        From my experience, when the first authentication is verified (e.g. you configure lock and key on R1),
then you cannot telnet to R1. Is that true? Is there some way to telnet to R1 as well after the first authentication?

======= 2007-03-11 11:50:11 What you've mentioned in your letter:=======

>Hi,
>
>"clear access-template" is the command you are looking for?
>
>Welcome to Network Learning Inc RS/Security/SP Rack#7
>For more information, please visit:
>http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>
>User Access Verification
>
>Username: victor
>Password:
>
>rack7>show user
> Line User Host(s) Idle Location
>* 66 vty 0 victor idle 00:00:00 66.239.105.148
>
> Interface User Mode Idle Peer Address
>
>rack7>R2
>Trying r2 (1.1.1.1, 2034)... Open
>
>R2(config)#ip access-list extended 100
>R2(config-ext-nacl)#permit tcp any any eq telnet
>R2(config-ext-nacl)# permit ospf any any
>R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
>R2(config-ext-nacl)# deny ip any any
>R2(config-ext-nacl)#int f0/0
>R2(config-if)#ip access-gr 100 in
>
>!Now from R1 let's try this..
>
>rack7>1
>[Resuming connection 1 to R1 ... ]
>
>R1#
>R1#
>R1#
>R1#ping 2.2.2.2
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>U.U..
>Success rate is 0 percent (0/5)
>R1#
>This is because the ACL is denying that traffic
>
>! R1#telnet 2.2.2.2
>Trying 2.2.2.2 ... Open
>
>
>User Access Verification
>
>Username: ccbootcamp
>Password:
>R2>access-enable timeout 5
>R2>exit
>
>[Connection to 2.2.2.2 closed by foreign host]
>R1#ping 2.2.2.2
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>R1#
>
>!let's see how it is now on R2
>
>R2#show ip access-list
>Extended IP access list 100
> 10 permit tcp any any eq telnet (132 matches)
> 20 permit ospf any any (16 matches)
> 30 Dynamic LOCK_KEY permit icmp any any echo
> permit icmp any any echo (15 matches) (time left 255)
> 40 deny ip any any (749 matches)
>R2#
>
>R2#show ip access-list
>Extended IP access list 100
> 10 permit tcp any any eq telnet (132 matches)
> 20 permit ospf any any (16 matches)
> 30 Dynamic LOCK_KEY permit icmp any any echo
> permit icmp any any echo (15 matches) (time left 255)
> 40 deny ip any any (749 matches)
>R2#clear access-template 100 LOCK_KEY any any
>R2#show ip access-list
>Extended IP access list 100
> 10 permit tcp any any eq telnet (132 matches)
> 20 permit ospf any any (19 matches)
> 30 Dynamic LOCK_KEY permit icmp any any echo
> 40 deny ip any any (867 matches)
>R2#
>rack7>1
>[Resuming connection 1 to R1 ... ]
>
>R1#
>R1#ping 2.2.2.2
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>.U.U.
>Success rate is 0 percent (0/5)
>R1#
>
>thanks,
>Victor Cappuccio.-
>Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>Cisco Learning credits!
>victor@ccbootcamp.com
>http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>Voice: 702-968-5100
>FAX: 702-446-8012
>
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
>Sent: Sat 3/10/2007 15:46
>To: ccielab@groupstudy.com
>Subject: Lock&key
>
>Hi, GS
> Here is a lock&key question: R1 should go through and be authenticated by R2
>with username (ccie) and password (cisco), then R1 can telnet to other
>routers.
> I used a dynamic access-list in lock&key. So, R1 can telnet to other routers
>successfully.
> However, I found R1 cannot log in to R2 anymore with the same username and
>password.
> The output is as follows:
> % List#DYNAMIC-DYC already contains this IP address pair
>[Connection to 100.100.100.2 closed by foreign host]
>
> Apart from creating another username and password to allow R1 to telnet and log in to
>R2, is there another method to reach the target?
>
> thanks!
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>

= = = = = = = = = = = = = = = = = = = =

Have a nice day.

ian
iyux2000@gmail.com
2007-03-13
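The lock-and-key setup Victor walks through in the quoted transcript, written out as one configuration. This is an added example for the archive, not configuration from the thread or from Network Learning Inc. The ACL number, the LOCK_KEY name, R2's address 2.2.2.2 and the ccie/cisco credentials come from the thread; the absolute `timeout` on the dynamic line, the `host` keyword on `access-enable`, the narrowed Telnet permit and R1's address 10.0.0.1 are assumptions added for illustration.

```cisco
! Added example, not from the thread. Lock-and-key as in the quoted
! transcript, with three settings tightened:
!  - the static Telnet permit is limited to R2 itself (2.2.2.2), so only
!    the authentication session is always open;
!  - "timeout 10" on the dynamic line is the absolute lifetime (minutes)
!    of the temporary entry; the transcript's dynamic line had none;
!  - "access-enable host" creates the temporary entry only for the source
!    address that authenticated, instead of the "any any" the transcript
!    later had to clear.
!
! Credentials from the original question (assumed to be the lab account):
username ccie password cisco
!
ip access-list extended 100
 permit tcp any host 2.2.2.2 eq telnet
 permit ospf any any
 dynamic LOCK_KEY timeout 10 permit icmp any any echo
 deny ip any any
!
interface FastEthernet0/0
 ip access-group 100 in
!
line vty 0 4
 login local
!
! From R1 (address 10.0.0.1 is an assumed placeholder): telnet 2.2.2.2,
! authenticate as ccie, then at R2's prompt run the same step as the
! transcript, with "host" added. 5 is the idle timeout in minutes.
!   R2>access-enable host timeout 5
!   R2>exit
!
! R2 now carries a temporary entry under the dynamic line whose source is
! the authenticating host rather than "any":
!   R2#show ip access-list 100
!    30 Dynamic LOCK_KEY permit icmp any any echo
!       permit icmp host 10.0.0.1 any echo (time left ...)
!    40 deny ip any any
!
! While that entry exists, a second access-enable for the same source and
! destination pair is refused with "% List ... already contains this IP
! address pair", the message in the original question. The entry expires
! at the idle or absolute timeout, or is removed by hand as the transcript
! shows:
!   R2#clear access-template 100 LOCK_KEY any any
```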



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART