From: Darby Weaver (darbyweaver@yahoo.com)
Date: Tue Mar 13 2007 - 04:48:33 ART
I second Narbik's vantage point.
Usually the simplest way will typically suffice.
Out-thinking the lab seems to be a common mis-strategy sometimes.
--- Narbik Kocharians <narbikk@gmail.com> wrote:
> Yes, there are many ways to accomplish this task, but what I would recommend
> is to choose the easiest method first. I am sure that there are many 007
> ways to do the same thing.
> Even for the test you should start with the most simple solution first and
> then go up or go down to the 007 stuff.
>
> On 3/12/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> > Don't forget TCP ports 7000 + the rotary group number. Also you can use NAT
> > as a solution (see below):
> >
> > Router#sho run | include Loop|ip add|nat
> > interface Loopback0
> > ip address 1.1.1.1 255.255.255.255
> > ip nat outside
> > ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
> > Router#telnet 1.1.1.1 9001
> > Trying 1.1.1.1, 9001 ... Open
> >
> >
> > User Access Verification
> >
> > Password:
> > Router>
> >
> > --
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
> >
> > > You can actually configure the "rotary" command under the vty ports followed
> > > by a number, let's say 1, the range is (1-127). This will allow the
> > > administrator to telnet in using port 3001 (3000 + the configured number).
> > > Remember that you also need to allow Telnet for that port in the
> > > access-list, in this case 3001.
> > >
> > > access-list 100 permit tcp any any eq 3001
> > >
> > > Line vty 0 ?
> > > rotary 1
> > > exit
> > >
> > >
> > >
> > > On 3/12/07, ian <iyux2000@gmail.com> wrote:
> > >>
> > >> Victor Cappuccio, how are you?!
> > >>
> > >> From my experience, when the first authentication is verified (e.g.
> > >> you configure lock and key on R1), then you cannot telnet to R1. Is that true?
> > >> Is there some way to telnet to R1 as well after the first authentication?
> > >>
> > >> ======= 2007-03-11 11:50:11 What you've mentioned in your letter:=======
> > >>
> > >>> Hi,
> > >>>
> > >>> "clear access-template" is the command you are looking for?
> > >>>
> > >>> Welcome to Network Learning Inc RS/Security/SP Rack#7
> > >>> For more information, please visit:
> > >>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> > >>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> > >>>
> > >>> User Access Verification
> > >>>
> > >>> Username: victor
> > >>> Password:
> > >>>
> > >>> rack7>show user
> > >>>     Line       User       Host(s)              Idle       Location
> > >>> *  66 vty 0     victor     idle                 00:00:00   66.239.105.148
> > >>>
> > >>>   Interface    User               Mode         Idle     Peer Address
> > >>>
> > >>> rack7>R2
> > >>> Trying r2 (1.1.1.1, 2034)... Open
> > >>>
> > >>> R2(config)#ip access-list extended 100
> > >>> R2(config-ext-nacl)#permit tcp any any eq telnet
> > >>> R2(config-ext-nacl)# permit ospf any any
> > >>> R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
> > >>> R2(config-ext-nacl)# deny ip any any
> > >>> R2(config-ext-nacl)#int f0/0
> > >>> R2(config-if)#ip access-gr 100 in
> > >>>
> > >>> !Now from R1 let's try this..
> > >>>
> > >>> rack7>1
> > >>> [Resuming connection 1 to R1 ... ]
> > >>>
> > >>> R1#
> > >>> R1#ping 2.2.2.2
> > >>>
> > >>> Type escape sequence to abort.
> > >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> > >>> U.U..
> > >>> Success rate is 0 percent (0/5)
> > >>> R1#
> > >>> This is because the ACL is denying that traffic
> > >>>
> > >>> ! R1#telnet 2.2.2.2
> > >>> Trying 2.2.2.2 ... Open
> > >>>
> > >>>
> > >>> User Access Verification
> > >>>
> > >>> Username: ccbootcamp
> > >>> Password:
> > >>> R2>access-enable timeout 5
> > >>> R2>exit
> > >>>
> > >>> [Connection to 2.2.2.2 closed by foreign host]
> > >>> R1#ping 2.2.2.2
> > >>>
> > >>> Type escape sequence to abort.
> > >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> > >>> !!!!!
> > >>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> > >>> R1#
> > >>>
> > >>> !let's see how it is now on R2
> > >>>
> > >>> R2#show ip access-list
> > >>> Extended IP access list 100
> > >>>     10 permit tcp any any eq telnet (132 matches)
> > >>>     20 permit ospf any any (16 matches)
> > >>>     30 Dynamic LOCK_KEY permit icmp any any echo
> > >>>        permit icmp any any echo (15 matches) (time left 255)
> > >>>     40 deny ip any any (749 matches)
> > >>> R2#
> > >>> R2#clear access-template 100 LOCK_KEY any any
> > >>> R2#show ip access-list
> > >>> Extended IP access list 100
> > >>>     10 permit tcp any any eq telnet (132 matches)
> > >>>     20 permit ospf any any (19 matches)
> > >>>     30 Dynamic LOCK_KEY permit icmp any any echo
> > >>>     40 deny ip any any (867 matches)
> > >>> R2#
> > >>> rack7>1
> > >>> [Resuming connection 1 to R1 ... ]
> > >>>
> > >>> R1#
> > >>> R1#ping 2.2.2.2
> > >>>
> > >>> Type escape sequence to abort.
> > >>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> > >>> .U.U.
> > >>> Success rate is 0 percent (0/5)
> > >>> R1#
> > >>>
> > >>> thanks,
> > >>> Victor Cappuccio.-
> > >>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> > >>> Cisco Learning credits!
> > >>> victor@ccbootcamp.com
> > >>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> > >>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> > >>> Voice: 702-968-5100
> > >>> FAX: 702-446-8012
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> -----Original Message-----
> > >>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
> > >>> Sent: Sat 3/10/2007 15:46
> > >>> To: ccielab@groupstudy.com
> > >>> Subject: Lock&key
> > >>>
> > >>> Hi, GS
> > >>> Here is the lock&key question: R1 should go through and be authenticated by R2
> > >>> with username (ccie) and password (cisco), then R1 can telnet to other
> > >>> routers.
> > >>> I used a dynamic access-list in lock&key. So, R1 can telnet to other routers
> > >>> successfully.
> > >>> However, I found R1 cannot log in to R2 anymore with the same username and
> > >>> password.
> > >>> The output is as follows:
> > >>> % List#DYNAMIC-DYC already contains this IP address pair
> > >>> [Connection to 100.100.100.2 closed by foreign host]
> > >>>
> > >>> Except for creating another username and password to allow R1 to telnet and
> > >>> log in to R2, is there another method to reach the target?
> > >>>
> > >>> thanks!
> > >>>
> > >>>
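The following R2 configuration is an added example, not part of any message in this thread, that puts the pieces the replies describe together: the lock-and-key ACL on the inside interface, `autocommand access-enable` placed on the ordinary vty lines (rather than on the username, where it would run on every line) so that the ccie/cisco login only opens the temporary entry, and a separate vty line reached through a rotary group on TCP 3001 with no autocommand, so the same credentials still give an interactive shell. The username and password come from the original question; the interface name, the vty ranges, the timeout values, the ACL number 100 and the management host address 100.100.100.1 are assumptions chosen to fit the thread.

```cisco
! Added example for R2 (not from the thread). Assumes FastEthernet0/0 faces R1
! and that both R1 and the management host reach R2 through that interface.
!
! One account serves both purposes; the vty line a session lands on decides
! whether the login opens the lock-and-key entry or gives a shell.
username ccie password cisco
!
! Standard ACL restricting who may reach the management vty.
! 100.100.100.1 is an assumed admin/R1 address, not one given in the thread.
ip access-list standard MGMT
 permit 100.100.100.1
!
ip access-list extended 100
 ! Telnet to port 23 is what triggers lock-and-key authentication
 permit tcp any any eq telnet
 ! Telnet to 3000 + rotary number (3001) reaches the management vty
 permit tcp any any eq 3001
 permit ospf any any
 ! Template entry; access-enable turns it into a real permit for the caller.
 ! "timeout 10" is the absolute lifetime in minutes (assumed value).
 dynamic LOCK_KEY timeout 10 permit ip any any
 deny ip any any
!
interface FastEthernet0/0
 ip access-group 100 in
!
! vty 0-3: lock-and-key lines. After login the autocommand runs, the
! temporary entry is created (or "already contains this IP address pair"
! is printed if it already exists) and the session is closed.
! "host" limits the entry to the caller's source address; 5 is the idle
! timeout in minutes (assumed value).
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: rotary group 1, reached with "telnet <R2> 3001". No autocommand,
! so the same ccie/cisco login drops into a normal EXEC session.
! access-class keeps the shell line reachable only from the MGMT host.
line vty 4
 access-class MGMT in
 login local
 rotary 1
```

After applying this, `show users` on R2 shows which line a session landed on, `show ip access-list 100` shows the temporary entry with its remaining time (as in Victor's output above), and `clear access-template 100 LOCK_KEY any any` removes it. The port-3001 permit in ACL 100 is reachable by anyone on that interface, which is why the example pairs it with an `access-class` on the rotary line; without it the rotary port is simply a second, unauthenticated-by-ACL path to the login prompt.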
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART