Re: Lock&key

From: Narbik Kocharians (narbikk@gmail.com)
Date: Tue Mar 13 2007 - 03:31:18 ART


Yes, there are many ways to accomplish this task, but what I would recommend
is to choose the easiest method first; I am sure that there are many 007
ways to do the same thing.
Even for the test you should start with the simplest solution first and
then go up or go down to the 007 stuff.

On 3/12/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:

> Don't forget TCP ports 7000 + the rotary group number. Also you can use NAT
> as a solution (see below):
>
> Router#sho run | include Loop|ip add|nat
> interface Loopback0
> ip address 1.1.1.1 255.255.255.255
> ip nat outside
> ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
> Router#telnet 1.1.1.1 9001
> Trying 1.1.1.1, 9001 ... Open
>
>
> User Access Verification
>
> Password:
> Router>
>
> --
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
>
> > You can actually configure the "rotary" command under the vty ports followed
> > by a number, let's say 1; the range is 1-127. This will allow the
> > administrator to telnet in using port 3001 (3000 + the configured number).
> > Remember that you also need to allow Telnet for that port in the
> > access-list, in this case 3001.
> >
> > access-list 100 permit tcp any any eq 3001
> >
> > Line vty 0 ?
> > rotary 1
> > exit
> >
> >
> >
> > On 3/12/07, ian <iyux2000@gmail.com> wrote:
> >>
> >> Victor Cappuccio, how are you?
> >>
> >> From my experience, when the first authentication is verified (e.g.
> >> you configure lock and key on R1), then you cannot telnet to R1. Is that
> >> true? Is there some way to telnet to R1 as well after the first
> >> authentication?
> >>
> >> ======= 2007-03-11 11:50:11 What you've mentioned in your letter: =======
> >>
> >>> Hi,
> >>>
> >>> "clear access-template" is the command you are looking for?
> >>>
> >>> Welcome to Network Learning Inc RS/Security/SP Rack#7
> >>> For more information, please visit:
> >>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> >>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> >>>
> >>> User Access Verification
> >>>
> >>> Username: victor
> >>> Password:
> >>>
> >>> rack7>show user
> >>> Line User Host(s) Idle Location
> >>> * 66 vty 0 victor idle 00:00:00 66.239.105.148
> >>>
> >>> Interface User Mode Idle Peer Address
> >>>
> >>> rack7>R2
> >>> Trying r2 (1.1.1.1, 2034)... Open
> >>>
> >>> R2(config)#ip access-list extended 100
> >>> R2(config-ext-nacl)#permit tcp any any eq telnet
> >>> R2(config-ext-nacl)# permit ospf any any
> >>> R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
> >>> R2(config-ext-nacl)# deny ip any any
> >>> R2(config-ext-nacl)#int f0/0
> >>> R2(config-if)#ip access-gr 100 in
> >>>
> >>> ! Now from R1, let's try this...
> >>>
> >>> rack7>1
> >>> [Resuming connection 1 to R1 ... ]
> >>>
> >>> R1#
> >>> R1#
> >>> R1#
> >>> R1#ping 2.2.2.2
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>> U.U..
> >>> Success rate is 0 percent (0/5)
> >>> R1#
> >>> This is because the ACL is denying that traffic
> >>>
> >>> ! R1#telnet 2.2.2.2
> >>> Trying 2.2.2.2 ... Open
> >>>
> >>>
> >>> User Access Verification
> >>>
> >>> Username: ccbootcamp
> >>> Password:
> >>> R2>access-enable timeout 5
> >>> R2>exit
> >>>
> >>> [Connection to 2.2.2.2 closed by foreign host]
> >>> R1#ping 2.2.2.2
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>> !!!!!
> >>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> >>> R1#
> >>>
> >>> ! Let's see how it is now on R2
> >>>
> >>> R2#show ip access-list
> >>> Extended IP access list 100
> >>> 10 permit tcp any any eq telnet (132 matches)
> >>> 20 permit ospf any any (16 matches)
> >>> 30 Dynamic LOCK_KEY permit icmp any any echo
> >>> permit icmp any any echo (15 matches) (time left 255)
> >>> 40 deny ip any any (749 matches)
> >>> R2#
> >>>
> >>> R2#show ip access-list
> >>> Extended IP access list 100
> >>> 10 permit tcp any any eq telnet (132 matches)
> >>> 20 permit ospf any any (16 matches)
> >>> 30 Dynamic LOCK_KEY permit icmp any any echo
> >>> permit icmp any any echo (15 matches) (time left 255)
> >>> 40 deny ip any any (749 matches)
> >>> R2#clear access-template 100 LOCK_KEY any any
> >>> R2#show ip access-list
> >>> Extended IP access list 100
> >>> 10 permit tcp any any eq telnet (132 matches)
> >>> 20 permit ospf any any (19 matches)
> >>> 30 Dynamic LOCK_KEY permit icmp any any echo
> >>> 40 deny ip any any (867 matches)
> >>> R2#
> >>> rack7>1
> >>> [Resuming connection 1 to R1 ... ]
> >>>
> >>> R1#
> >>> R1#ping 2.2.2.2
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>> .U.U.
> >>> Success rate is 0 percent (0/5)
> >>> R1#
> >>>
> >>> thanks,
> >>> Victor Cappuccio.-
> >>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> >>> Cisco Learning credits!
> >>> victor@ccbootcamp.com
> >>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> >>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> >>> Voice: 702-968-5100
> >>> FAX: 702-446-8012
> >>>
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
> >>> Sent: Sat 3/10/2007 15:46
> >>> To: ccielab@groupstudy.com
> >>> Subject: Lock&key
> >>>
> >>> Hi, GS
> >>> Here is a lock&key question: R1 should go through and be authenticated by R2
> >>> with username (ccie) and password (cisco); then R1 can telnet to other
> >>> routers.
> >>> I used a dynamic access-list in lock&key, so R1 can telnet to other routers
> >>> successfully.
> >>> However, I found R1 cannot log in to R2 anymore with the same username and
> >>> password.
> >>> The output is as follows:
> >>> % List#DYNAMIC-DYC already contains this IP address pair
> >>> [Connection to 100.100.100.2 closed by foreign host]
> >>>
> >>> Except for creating another username and password to allow R1 to telnet and
> >>> log in to R2, is there another method to reach the target?
> >>>
> >>> thanks!
> >>>
> >>>
> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> Have a nice day.
> >>
> >> ian
> >> iyux2000@gmail.com
> >> 2007-03-13
> >>
>
>

-- 
Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)

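The pieces suggested in this thread put together as one R2 configuration, added here as an editor's example rather than anything posted by the participants: lock-and-key on the vty lines for ordinary users, and Narbik's rotary-group port on a separate vty so an administrator can still reach R2 itself. The interface name (FastEthernet0/0), the 10-minute absolute and 5-minute idle timeouts, and the choice of vty 4 for the rotary group are assumptions for this example; the username and ACL name come from the thread.

```cisco
! R2: lock-and-key plus a separate administrative vty path.
! Added example combining the thread's suggestions; not posted by anyone in the thread.
! Assumed: R1 arrives on FastEthernet0/0; the 10-minute absolute and 5-minute idle
! timeouts, and the use of vty 4 for the rotary group, are choices for this example.
username ccie password cisco
!
ip access-list extended 100
 ! Telnet to R2 itself must be open so a user can authenticate and trigger the dynamic entry
 permit tcp any any eq telnet
 ! Rotary-group port (3000 + 1) for administrators; in production, pin the source address
 permit tcp any any eq 3001
 permit ospf any any
 ! The entry that access-enable creates; "timeout" here is the absolute lifetime in minutes
 dynamic LOCK_KEY timeout 10 permit ip any any
 deny ip any any
!
interface FastEthernet0/0
 ip access-group 100 in
!
! vty 0-3: lock-and-key users. The autocommand creates the temporary entry for the
! caller's source address ("host") with a 5-minute idle timeout, then the session ends.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: administrators connect with "telnet <R2 address> 3001". This line has no
! autocommand, so the login yields a normal EXEC prompt instead of a dynamic entry.
line vty 4
 login local
 rotary 1
```

With this in place, a Telnet to port 23 from R1 lands on vty 0-3, creates the LOCK_KEY entry and disconnects; a second Telnet to port 23 while that entry is still alive produces the "already contains this IP address pair" message from the original question, which is the expected behaviour and is cleared with `clear access-template 100 LOCK_KEY any any` as Victor showed. A Telnet to port 3001 lands on vty 4 and gives a normal prompt. Because the 3001 path is not protected by the dynamic entry, restrict its source address in the ACL outside a lab, and prefer `username ccie secret ...` over a cleartext password.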

This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART