From: Narbik Kocharians (narbikk@gmail.com)
Date: Mon Mar 12 2007 - 23:17:35 ART
You can actually configure the "rotary" command under the vty ports followed
by a number, let's say 1 (the range is 1-127). This will allow the
administrator to telnet in using port 3001 (3000 + the configured number).
Remember that you also need to allow Telnet for that port in the
access-list, in this case 3001.
access-list 100 permit tcp any any eq 3001
Line vty 0 ?
rotary 1
exit
On 3/12/07, ian <iyux2000@gmail.com> wrote:
>
> Victor Cappuccio, how are you?!
>
> From my experience, when the first authentication is verified (e.g.
> you configure lock and key on R1),
> then you cannot telnet to R1. Is that true? Is there some way to telnet
> to R1 as well after the first authentication?
>
> ======= 2007-03-11 11:50:11 What you've mentioned in your letter#:=======
>
> >Hi,
> >
> >"clear access-template" is the command you are looking for?
> >
> >Welcome to Network Learning Inc RS/Security/SP Rack#7
> >For more information, please visit:
> >http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> >PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> >
> >User Access Verification
> >
> >Username: victor
> >Password:
> >
> >rack7>show user
> > Line User Host(s) Idle Location
> >* 66 vty 0 victor idle 00:00:00 66.239.105.148
> >
> > Interface User Mode Idle Peer Address
> >
> >rack7>R2
> >Trying r2 (1.1.1.1, 2034)... Open
> >
> >R2(config)#ip access-list extended 100
> >R2(config-ext-nacl)#permit tcp any any eq telnet
> >R2(config-ext-nacl)# permit ospf any any
> >R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
> >R2(config-ext-nacl)# deny ip any any
> >R2(config-ext-nacl)#int f0/0
> >R2(config-if)#ip access-gr 100 in
> >
> >!Now from R1 lets try this..
> >
> >rack7>1
> >[Resuming connection 1 to R1 ... ]
> >
> >R1#
> >R1#
> >R1#
> >R1#ping 2.2.2.2
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >U.U..
> >Success rate is 0 percent (0/5)
> >R1#
> >This is because the ACL is denying that traffic
> >
> >! R1#telnet 2.2.2.2
> >Trying 2.2.2.2 ... Open
> >
> >
> >User Access Verification
> >
> >Username: ccbootcamp
> >Password:
> >R2>access-enable timeout 5
> >R2>exit
> >
> >[Connection to 2.2.2.2 closed by foreign host]
> >R1#ping 2.2.2.2
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >!!!!!
> >Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> >R1#
> >
> >!lets see how it is now on R2
> >
> >R2#show ip access-list
> >Extended IP access list 100
> > 10 permit tcp any any eq telnet (132 matches)
> > 20 permit ospf any any (16 matches)
> > 30 Dynamic LOCK_KEY permit icmp any any echo
> > permit icmp any any echo (15 matches) (time left 255)
> > 40 deny ip any any (749 matches)
> >R2#
> >
> >R2#show ip access-list
> >Extended IP access list 100
> > 10 permit tcp any any eq telnet (132 matches)
> > 20 permit ospf any any (16 matches)
> > 30 Dynamic LOCK_KEY permit icmp any any echo
> > permit icmp any any echo (15 matches) (time left 255)
> > 40 deny ip any any (749 matches)
> >R2#clear access-template 100 LOCK_KEY any any
> >R2#show ip access-list
> >Extended IP access list 100
> > 10 permit tcp any any eq telnet (132 matches)
> > 20 permit ospf any any (19 matches)
> > 30 Dynamic LOCK_KEY permit icmp any any echo
> > 40 deny ip any any (867 matches)
> >R2#
> >rack7>1
> >[Resuming connection 1 to R1 ... ]
> >
> >R1#
> >R1#ping 2.2.2.2
> >
> >Type escape sequence to abort.
> >Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >.U.U.
> >Success rate is 0 percent (0/5)
> >R1#
> >
> >thanks,
> >Victor Cappuccio.-
> >Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> >Cisco Learning credits!
> >victor@ccbootcamp.com
> >http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> >http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> >Voice: 702-968-5100
> >FAX: 702-446-8012
> >
> >
> >
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
> >Sent: Sat 3/10/2007 15:46
> >To: ccielab@groupstudy.com
> >Subject: Lock&key
> >
> >Hi,GS
> > Here is a lock&key question: R1 should go through and be authenticated
> >by R2 with username (ccie) and password (cisco), then R1 can telnet to
> >other routers.
> > I used a dynamic access-list in lock&key. So, R1 can telnet to other
> >routers successfully.
> > However, I found R1 cannot log in to R2 anymore with the same username and
> >password.
> > The output is as follows:
> > % List#DYNAMIC-DYC already contains this IP address pair
> >[Connection to 100.100.100.2 closed by foreign host]
> >
> > Apart from creating another username and password to allow R1 to telnet
> >and log in to R2, is there another method to reach the target?
> >
> > thanks!
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
>
> = = = = = = = = = = = = = = = = = = = =
>
> Have a nice day.
>
> ian
> iyux2000@gmail.com
> 2007-03-13
>
>
--
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)
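Putting the pieces of this thread together, here is one way to build the
lock-and-key setup on R2 with a rotary port for the administrator. This is an
added example for the archive, not a configuration posted by anyone in the
thread. It reuses the names already mentioned above (username ccie / password
cisco, access list 100, dynamic list DYNAMIC-DYC, R2's address 100.100.100.2,
rotary group 1 = TCP port 3001) and assumes that interface f0/0 faces R1, that
vty 0-3 carry lock-and-key logins and vty 4 is the admin line, and a 5 minute
idle / 10 minute absolute timeout for the dynamic entry.

```cisco
! Added example, not from the original thread.
! Assumed: f0/0 faces R1; vty 0-3 = lock-and-key, vty 4 = admin (rotary 1);
! 5 min idle timeout (access-enable), 10 min absolute timeout (dynamic).
!
! "secret" stores an MD5 hash instead of the cleartext "password" form.
username ccie secret cisco
!
! Inbound ACL on the R1-facing interface. Both Telnet (23) and the rotary
! port (3001) need static permits, otherwise nobody can reach R2 to
! authenticate in the first place. The dynamic line stays inactive until
! access-enable fires; with "host", "any" is replaced by the caller's
! own source address, so the opened hole is per host, not for everyone.
ip access-list extended 100
 permit tcp any host 100.100.100.2 eq telnet
 permit tcp any host 100.100.100.2 eq 3001
 dynamic DYNAMIC-DYC timeout 10 permit ip any any
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 100 in
!
! vty 0-3: reached by a plain Telnet to port 23. After "login local"
! succeeds the autocommand creates the temporary entry for that host and
! closes the session. A second Telnet to 23 from the same host runs the
! autocommand again and is refused because the entry already exists
! (the "already contains this IP address pair" message from the original
! question), so port 23 can never give an interactive EXEC.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: reached only via TCP 3001 (3000 + rotary 1). No autocommand, so
! the administrator gets a normal EXEC session whether or not a dynamic
! entry is currently open for that host.
line vty 4
 login local
 rotary 1
```

To verify, "show ip access-list 100" lists the per-host entry under the
dynamic line with its "time left", and "clear access-template 100 DYNAMIC-DYC
any any" removes it early, exactly as in Victor's session above. Two caveats
worth keeping in mind: the static permits for 23 and 3001 mean anyone who can
reach R2 gets a login prompt, so tighten the source of those two lines (or
move them behind the rotary group) wherever the topology allows, and the
10 minute absolute timeout on the dynamic line caps how long a forgotten
session keeps the hole open regardless of idle time.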
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART