From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue Mar 13 2007 - 03:42:23 ART
The key in the CCIE lab is to know all of the 30072 ways to solve a task ;-)
Never hurts when someone adds a couple more ways ;-)
--Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP) bdennis@internetworkexpert.com
Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Direct: 775-745-6404 (Outside the US and Canada)
On 3/12/07 11:31 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
> Yes, there are many ways to accomplish this task, but what I would recommend is
> to choose the easiest method first; I am sure that there are many 007 ways to
> do the same thing.
> Even for the test you should start with the most simple solution first and
> then go up or go down to the 007 stuff.
>
> On 3/12/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>> Don't forget TCP ports 7000 + the rotary group number. Also you can use NAT
>> as a solution (see below):
>>
>> Router#sho run | include Loop|ip add|nat
>> interface Loopback0
>>  ip address 1.1.1.1 255.255.255.255
>>  ip nat outside
>> ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
>> Router#telnet 1.1.1.1 9001
>> Trying 1.1.1.1, 9001 ... Open
>>
>>
>> User Access Verification
>>
>> Password:
>> Router>
>>
>> --
>>
>> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
>> bdennis@internetworkexpert.com
>>
>> Internetwork Expert, Inc.
>> http://www.InternetworkExpert.com
>> Toll Free: 877-224-8987
>> Direct: 775-745-6404 (Outside the US and Canada)
>>
>>
>> On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
>>
>>> You can actually configure the "rotary" command under the vty ports followed
>>> by a number, let's say 1; the range is (1-127). This will allow the
>>> administrator to telnet in using port 3001 (3000 + the configured number).
>>> Remember that you also need to allow Telnet for that port in the
>>> access-list, in this case 3001.
>>>
>>> access-list 100 permit tcp any any eq 3001
>>>
>>> Line vty 0 ?
>>>  rotary 1
>>>  exit
>>>
>>>
>>>
>>> On 3/12/07, ian <iyux2000@gmail.com> wrote:
>>>>
>>>> Victor Cappuccio, how are you!
>>>>
>>>> From my experience, when the first authentication is verified
>>>> (e.g. you configure lock and key on R1),
>>>> then you can not telnet to R1.
>>>> Is that true? Is there some way to telnet
>>>> to R1 as well after the first authentication?
>>>>
>>>> ======= 2007-03-11 11:50:11 What you've mentioned in your letter: =======
>>>>
>>>>> Hi,
>>>>>
>>>>> "clear access-template" is the command you are looking for?
>>>>>
>>>>> Welcome to Network Learning Inc RS/Security/SP Rack#7
>>>>> For more information, please visit:
>>>>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>>>>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Username: victor
>>>>> Password:
>>>>>
>>>>> rack7>show user
>>>>>     Line       User       Host(s)              Idle       Location
>>>>> *  66 vty 0     victor     idle                 00:00:00   66.239.105.148
>>>>>
>>>>>   Interface    User               Mode         Idle     Peer Address
>>>>>
>>>>> rack7>R2
>>>>> Trying r2 (1.1.1.1, 2034)... Open
>>>>>
>>>>> R2(config)#ip access-list extended 100
>>>>> R2(config-ext-nacl)#permit tcp any any eq telnet
>>>>> R2(config-ext-nacl)# permit ospf any any
>>>>> R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
>>>>> R2(config-ext-nacl)# deny ip any any
>>>>> R2(config-ext-nacl)#int f0/0
>>>>> R2(config-if)#ip access-gr 100 in
>>>>>
>>>>> !Now from R1 let's try this..
>>>>>
>>>>> rack7>1
>>>>> [Resuming connection 1 to R1 ... ]
>>>>>
>>>>> R1#
>>>>> R1#
>>>>> R1#
>>>>> R1#ping 2.2.2.2
>>>>>
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>> U.U..
>>>>> Success rate is 0 percent (0/5)
>>>>> R1#
>>>>> This is because the ACL is denying that traffic
>>>>>
>>>>> ! R1#telnet 2.2.2.2
>>>>> Trying 2.2.2.2 ... Open
>>>>>
>>>>>
>>>>> User Access Verification
>>>>>
>>>>> Username: ccbootcamp
>>>>> Password:
>>>>> R2>access-enable timeout 5
>>>>> R2>exit
>>>>>
>>>>> [Connection to 2.2.2.2 closed by foreign host]
>>>>> R1#ping 2.2.2.2
>>>>>
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>> !!!!!
>>>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>>>>> R1#
>>>>>
>>>>> !let's see how it is now on R2
>>>>>
>>>>> R2#show ip access-list
>>>>> Extended IP access list 100
>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>     20 permit ospf any any (16 matches)
>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>        permit icmp any any echo (15 matches) (time left 255)
>>>>>     40 deny ip any any (749 matches)
>>>>> R2#
>>>>>
>>>>> R2#show ip access-list
>>>>> Extended IP access list 100
>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>     20 permit ospf any any (16 matches)
>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>        permit icmp any any echo (15 matches) (time left 255)
>>>>>     40 deny ip any any (749 matches)
>>>>> R2#clear access-template 100 LOCK_KEY any any
>>>>> R2#show ip access-list
>>>>> Extended IP access list 100
>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>     20 permit ospf any any (19 matches)
>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>     40 deny ip any any (867 matches)
>>>>> R2#
>>>>> rack7>1
>>>>> [Resuming connection 1 to R1 ... ]
>>>>>
>>>>> R1#
>>>>> R1#ping 2.2.2.2
>>>>>
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>> .U.U.
>>>>> Success rate is 0 percent (0/5)
>>>>> R1#
>>>>>
>>>>> thanks,
>>>>> Victor Cappuccio.-
>>>>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>>>>> Cisco Learning credits!
>>>>> victor@ccbootcamp.com
>>>>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>>>>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>>>>> Voice: 702-968-5100
>>>>> FAX: 702-446-8012
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
>>>>> Sent: Sat 3/10/2007 15:46
>>>>> To: ccielab@groupstudy.com
>>>>> Subject: Lock&key
>>>>>
>>>>> Hi, GS
>>>>> Here is a lock&key question: R1 should go through and be authenticated
>>>>> by R2 with username (ccie) and password (cisco), then R1 can telnet to
>>>>> other routers.
>>>>> I used a dynamic access-list in lock&key. So, R1 can telnet to other
>>>>> routers successfully.
>>>>> However, I found R1 can not log in to R2 anymore with the same username
>>>>> and password.
>>>>> The output is as follows:
>>>>> % List#DYNAMIC-DYC already contains this IP address pair
>>>>> [Connection to 100.100.100.2 closed by foreign host]
>>>>>
>>>>> Except creating another username and password to allow R1 to telnet and
>>>>> log in to R2, is there another method to reach the target?
>>>>>
>>>>> thanks!
>>>>>
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>> = = = = = = = = = = = = = = = = = = = =
>>>>
>>>>
>>>> Have a nice day.
>>>>
>>>>
>>>> ian
>>>> iyux2000@gmail.com
>>>> 2007-03-13
>>>>
>>>>
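The thread above turns on one detail: whatever runs `access-enable` on login (typically an `autocommand`) creates the temporary entry and then drops the session, so a second login from the same host fails with "already contains this IP address pair" until the entry times out or is cleared with `clear access-template`. The following consolidated configuration is an added example, not posted by anyone in the thread, combining the rotary-port approach from the replies with a lock-and-key ACL like the one in Victor's session. The addresses (100.100.100.1 for R1, 100.100.100.2 for R2), the interface, the timeouts, the use of `autocommand` on the lock-and-key vty lines, and the separate admin vty on rotary 1 are all assumptions for the lab, not anything the original posters showed.

```cisco
! R2 -- assumed lab configuration (not from the original thread)
!
! One local user serves both purposes; the question used ccie/cisco.
username ccie password cisco
!
! Inbound ACL on the interface facing R1.
!  - Telnet to R2's own address is always allowed: the user must reach
!    R2 to authenticate before the dynamic entry exists.
!  - TCP/3001 is the rotary port (3000 + rotary number 1) for the admin
!    vty; Narbik's point is that it must be permitted explicitly.
!    (Brian notes 7000 + rotary number is also listened on.)
!  - "dynamic" is the lock-and-key entry; "timeout" here is the absolute
!    lifetime in minutes, distinct from the idle timeout on access-enable.
ip access-list extended 100
 permit tcp any host 100.100.100.2 eq telnet
 permit tcp any host 100.100.100.2 eq 3001
 permit ospf any any
 dynamic LOCK_KEY timeout 120 permit ip any any
 deny ip any any
!
interface FastEthernet0/0
 ip address 100.100.100.2 255.255.255.0
 ip access-group 100 in
!
! vty 0-3: lock-and-key lines (reached on TCP/23).
! "host" replaces the ACL source "any" with the connecting host's address,
! so only R1 gets through. autocommand runs access-enable and disconnects,
! which is exactly why a second login on these lines from the same host
! fails with "already contains this IP address pair".
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: ordinary admin line, reachable only via TCP/3001 (rotary 1).
! No autocommand, so the same username lands at a normal exec prompt.
line vty 4
 login local
 rotary 1
!
! ---- Walk-through from R1 (assumed session, shown as comments) ----
! R1#telnet 100.100.100.2          -> vty 0-3: authenticate, entry created,
!                                     then "[Connection ... closed by foreign host]"
! R1#telnet 100.100.100.2          -> second attempt while the entry is live:
!                                     "% List ... already contains this IP address pair"
! R1#telnet 100.100.100.2 3001     -> vty 4: same ccie/cisco, normal R2> prompt
!
! ---- Verification and cleanup on R2 ----
! R2#show ip access-list 100       -> the dynamic line shows the per-host
!                                     entry and its "time left"
! R2#clear access-template 100 LOCK_KEY any any
!                                  -> removes the temporary entry, as in
!                                     Victor's session; R1 must re-authenticate
```

Keep the ACL's permanent Telnet line scoped to R2's own address rather than `any any`: an unscoped `permit tcp any any eq telnet` lets the source telnet through R2 to everything else without ever authenticating, which defeats the purpose of the dynamic entry.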
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART