Re: Lock&key

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue Mar 13 2007 - 00:08:58 ART


Don't forget TCP ports 7000 + the rotary group number. Also you can use NAT
as a solution (see below):

Router#sho run | include Loop|ip add|nat
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
Router#telnet 1.1.1.1 9001
Trying 1.1.1.1, 9001 ... Open

User Access Verification

Password:
Router>

-- 

Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:

> You can actually configure the "rotary" command under the vty ports followed
> by a number, let's say 1, the range is (1-127). This will allow the
> administrator to telnet in using port 3001 (3000 + the configured number).
> Remember that you also need to allow Telnet for that port in the
> access-list, in this case 3001.
>
> access-list 100 permit tcp any any eq 3001
>
> Line vty 0 ?
> rotary 1
> exit
>
>
>
> On 3/12/07, ian <iyux2000@gmail.com> wrote:
>>
>> Victor Cappuccio, how are you!
>>
>> From my experience, when the first authentication is verified (e.g.
>> you configure lock and key on R1),
>> then you cannot telnet to R1. Is that true? Is there some way to telnet
>> to R1 as well after the first authentication?
>>
>> ======= 2007-03-11 11:50:11 What you've mentioned in your letter: =======
>>
>>> Hi,
>>>
>>> "clear access-template" is the command you are looking for?
>>>
>>> Welcome to Network Learning Inc RS/Security/SP Rack#7
>>> For more information, please visit:
>>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>>>
>>> User Access Verification
>>>
>>> Username: victor
>>> Password:
>>>
>>> rack7>show user
>>> Line User Host(s) Idle Location
>>> * 66 vty 0 victor idle 00:00:00 66.239.105.148
>>>
>>> Interface User Mode Idle Peer Address
>>>
>>> rack7>R2
>>> Trying r2 (1.1.1.1, 2034)... Open
>>>
>>> R2(config)#ip access-list extended 100
>>> R2(config-ext-nacl)#permit tcp any any eq telnet
>>> R2(config-ext-nacl)# permit ospf any any
>>> R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
>>> R2(config-ext-nacl)# deny ip any any
>>> R2(config-ext-nacl)#int f0/0
>>> R2(config-if)#ip access-gr 100 in
>>>
>>> !Now from R1 let's try this..
>>>
>>> rack7>1
>>> [Resuming connection 1 to R1 ... ]
>>>
>>> R1#
>>> R1#
>>> R1#
>>> R1#ping 2.2.2.2
>>>
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>> U.U..
>>> Success rate is 0 percent (0/5)
>>> R1#
>>> This is because the ACL is denying that traffic
>>>
>>> ! R1#telnet 2.2.2.2
>>> Trying 2.2.2.2 ... Open
>>>
>>>
>>> User Access Verification
>>>
>>> Username: ccbootcamp
>>> Password:
>>> R2>access-enable timeout 5
>>> R2>exit
>>>
>>> [Connection to 2.2.2.2 closed by foreign host]
>>> R1#ping 2.2.2.2
>>>
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>> !!!!!
>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>>> R1#
>>>
>>> !let's see how it is now on R2
>>>
>>> R2#show ip access-list
>>> Extended IP access list 100
>>> 10 permit tcp any any eq telnet (132 matches)
>>> 20 permit ospf any any (16 matches)
>>> 30 Dynamic LOCK_KEY permit icmp any any echo
>>> permit icmp any any echo (15 matches) (time left 255)
>>> 40 deny ip any any (749 matches)
>>> R2#
>>>
>>> R2#show ip access-list
>>> Extended IP access list 100
>>> 10 permit tcp any any eq telnet (132 matches)
>>> 20 permit ospf any any (16 matches)
>>> 30 Dynamic LOCK_KEY permit icmp any any echo
>>> permit icmp any any echo (15 matches) (time left 255)
>>> 40 deny ip any any (749 matches)
>>> R2#clear access-template 100 LOCK_KEY any any
>>> R2#show ip access-list
>>> Extended IP access list 100
>>> 10 permit tcp any any eq telnet (132 matches)
>>> 20 permit ospf any any (19 matches)
>>> 30 Dynamic LOCK_KEY permit icmp any any echo
>>> 40 deny ip any any (867 matches)
>>> R2#
>>> rack7>1
>>> [Resuming connection 1 to R1 ... ]
>>>
>>> R1#
>>> R1#ping 2.2.2.2
>>>
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>> .U.U.
>>> Success rate is 0 percent (0/5)
>>> R1#
>>>
>>> thanks,
>>> Victor Cappuccio.-
>>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>>> Cisco Learning credits!
>>> victor@ccbootcamp.com
>>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>>> Voice: 702-968-5100
>>> FAX: 702-446-8012
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
>>> Sent: Sat 3/10/2007 15:46
>>> To: ccielab@groupstudy.com
>>> Subject: Lock&key
>>>
>>> Hi, GS
>>> Here is a lock&key question: R1 should go through and be authenticated
>>> by R2 with username (ccie) and password (cisco), then R1 can telnet to
>>> other routers.
>>> I used a dynamic access-list in lock&key. So, R1 can telnet to other
>>> routers successfully.
>>> However, I found R1 cannot log in to R2 anymore with the same username and
>>> password.
>>> The output is as follows:
>>> % List#DYNAMIC-DYC already contains this IP address pair
>>> [Connection to 100.100.100.2 closed by foreign host]
>>>
>>> Except for creating another username and password to allow R1 to telnet
>>> and log in to R2, is there another method to reach the target?
>>>
>>> thanks!
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>> = = = = = = = = = = = = = = = = = = = =
>>
>>
>> Have a nice day.
>>
>>
>> ian
>> iyux2000@gmail.com
>> 2007-03-13
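The behaviour the thread turns on (a dynamic template that matches nothing until `access-enable` instantiates it, the "already contains this IP address pair" error on a second `access-enable` for the same source/destination pair, the idle timeout, and `clear access-template`) can be replayed in a small Python model. This is an added illustration, not code from any participant or from IOS; it simplifies IOS (no ICMP type or wildcard-mask matching, only the idle timeout from `access-enable` is modelled, and `any` in `clear_access_template` is treated as a wildcard), and the addresses, packets and timestamps in `demo()` are constructed to follow Victor's session above, with a third host `3.3.3.3` added to show what the `host` keyword changes.

```python
# Constructed model of lock-and-key (dynamic ACL) behaviour; an added
# illustration, not IOS code. Simplifications: no ICMP type or wildcard
# masks, only the access-enable idle timeout (no absolute timeout), and
# "any" in clear_access_template acts as a wildcard. demo() is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    """One ACE; dynamic= names a lock-and-key template, which matches
    nothing until access-enable instantiates it."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # TCP destination port, None = any
    dynamic: Optional[str] = None

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.dport in (None, dport))


@dataclass
class Instance:
    src: str
    dst: str
    idle_timeout: int   # seconds; every matching packet restarts it
    last_hit: float


class LockAndKeyAcl:
    def __init__(self, entries):
        self.entries = list(entries)
        self.instances = {}   # template name -> [Instance, ...]

    def _active(self, template, now):
        return [i for i in self.instances.get(template, [])
                if now - i.last_hit < i.idle_timeout]

    def access_enable(self, template, now, timeout_min, host=None):
        """`access-enable [host] timeout N` by the authenticated user. With
        host the source is the telnet client; without it the template's own
        src/dst is used, so a second access-enable for that pair fails."""
        tmpl = next(e for e in self.entries if e.dynamic == template)
        src, dst = (host or tmpl.src), tmpl.dst
        active = self._active(template, now)
        if any(i.src == src and i.dst == dst for i in active):
            raise ValueError(
                f"% List {template} already contains this IP address pair")
        active.append(Instance(src, dst, timeout_min * 60, now))
        self.instances[template] = active

    def clear_access_template(self, template, src="any", dst="any"):
        self.instances[template] = [
            i for i in self.instances.get(template, [])
            if not (src in ("any", i.src) and dst in ("any", i.dst))]

    def evaluate(self, now, proto, src, dst, dport=None):
        """First-match evaluation with the implicit deny at the end."""
        for e in self.entries:
            if e.dynamic is None:
                if e.matches(proto, src, dst, dport):
                    return e.action
                continue
            for inst in self._active(e.dynamic, now):
                concrete = Entry(e.action, e.proto, inst.src, inst.dst, e.dport)
                if concrete.matches(proto, src, dst, dport):
                    inst.last_hit = now   # traffic restarts the idle timer
                    return e.action
        return "deny"


def demo():
    """Replay the thread's session: R1 (1.1.1.1) behind ACL 100 inbound on
    R2 (2.2.2.2). Returns the verdicts in order plus the duplicate error."""
    acl = LockAndKeyAcl([
        Entry("permit", "tcp", "any", "any", dport=23),
        Entry("permit", "ospf", "any", "any"),
        Entry("permit", "icmp", "any", "any", dynamic="LOCK_KEY"),
        Entry("deny", "ip", "any", "any"),
    ])
    r1, r2, other = "1.1.1.1", "2.2.2.2", "3.3.3.3"   # constructed hosts
    out = [acl.evaluate(0, "icmp", r1, r2),            # deny: template idle
           acl.evaluate(1, "tcp", r1, r2, dport=23)]   # permit: telnet in
    acl.access_enable("LOCK_KEY", now=2, timeout_min=5)
    out.append(acl.evaluate(3, "icmp", r1, r2))        # permit: dynamic entry
    try:
        acl.access_enable("LOCK_KEY", now=4, timeout_min=5)
        err = None
    except ValueError as exc:                          # the first post's error
        err = str(exc)
    acl.clear_access_template("LOCK_KEY", "any", "any")
    out.append(acl.evaluate(5, "icmp", r1, r2))        # deny: entry cleared
    acl.access_enable("LOCK_KEY", now=6, timeout_min=5, host=r1)
    out.append(acl.evaluate(7, "icmp", other, r2))     # deny: per-host entry
    out.append(acl.evaluate(8, "icmp", r1, r2))        # permit
    out.append(acl.evaluate(308, "icmp", r1, r2))      # deny: 5 min idle
    return out, err
```

Running `demo()` walks through the same order as the session in the thread: ICMP is denied while the template is idle, telnet is allowed by the static entry, `access-enable` turns the template into a live entry, a second `access-enable` for the same pair raises the duplicate-pair error, and `clear access-template` or the idle timeout removes the entry again. The `host` variant shows why a per-user entry does not open the path for other sources.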



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART