From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue Mar 13 2007 - 04:58:07 ART
Darby,
People not only need to know the simplest solution but all possible
solutions. I was only adding additional solutions.
If you enter the lab after studying only the simplest solutions while
ignoring other possible solutions, you will not pass.
--
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
On 3/13/07 12:48 AM, "Darby Weaver" <darbyweaver@yahoo.com> wrote:
> I second Narbik's vantage point.
>
> Usually the simplest way will typically suffice.
>
> Out-thinking the lab seems to be a common mis-strategy
> sometimes.
>
> --- Narbik Kocharians <narbikk@gmail.com> wrote:
>
>> Yes, there are many ways to accomplish this task, but what I would recommend
>> is to choose the easiest method first. I am sure that there are many 007
>> ways to do the same thing.
>> Even for the test you should start with the most simple solution first and
>> then go up or go down to the 007 stuff.
>>
>> On 3/12/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>>
>>> Don't forget TCP ports 7000 + the rotary group number. Also you can use NAT
>>> as a solution (see below):
>>>
>>> Router#sho run | include Loop|ip add|nat
>>> interface Loopback0
>>> ip address 1.1.1.1 255.255.255.255
>>> ip nat outside
>>> ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
>>> Router#telnet 1.1.1.1 9001
>>> Trying 1.1.1.1, 9001 ... Open
>>>
>>> User Access Verification
>>>
>>> Password:
>>> Router>
>>>
>>> --
>>> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
>>> bdennis@internetworkexpert.com
>>>
>>> Internetwork Expert, Inc.
>>> http://www.InternetworkExpert.com
>>> Toll Free: 877-224-8987
>>> Direct: 775-745-6404 (Outside the US and Canada)
>>>
>>> On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
>>>
>>>> You can actually configure the "rotary" command under the vty ports followed
>>>> by a number, let's say 1; the range is (1-127). This will allow the
>>>> administrator to telnet in using port 3001 (3000 + the configured number).
>>>> Remember that you also need to allow Telnet for that port in the
>>>> access-list, in this case 3001.
>>>>
>>>> access-list 100 permit tcp any any eq 3001
>>>>
>>>> Line vty 0 ?
>>>> rotary 1
>>>> exit
>>>>
>>>> On 3/12/07, ian <iyux2000@gmail.com> wrote:
>>>>>
>>>>> Victor Cappuccio, how are you!
>>>>>
>>>>> From my experience, when the first authentication is verified (e.g.
>>>>> you configure lock and key on R1), then you can not telnet to R1. Is
>>>>> that true? Are there some ways to telnet to R1 as well after the first
>>>>> authentication?
>>>>>
>>>>> ======= 2007-03-11 11:50:11 What you've mentioned in your letter: =======
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> "clear access-template" is the command you are looking for?
>>>>>>
>>>>>> Welcome to Network Learning Inc RS/Security/SP Rack#7
>>>>>> For more information, please visit:
>>>>>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
>>>>>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Username: victor
>>>>>> Password:
>>>>>>
>>>>>> rack7>show user
>>>>>>     Line       User       Host(s)              Idle       Location
>>>>>> *  66 vty 0     victor     idle                 00:00:00 66.239.105.148
>>>>>>
>>>>>>   Interface    User               Mode         Idle     Peer Address
>>>>>>
>>>>>> rack7>R2
>>>>>> Trying r2 (1.1.1.1, 2034)... Open
>>>>>>
>>>>>> R2(config)#ip access-list extended 100
>>>>>> R2(config-ext-nacl)#permit tcp any any eq telnet
>>>>>> R2(config-ext-nacl)# permit ospf any any
>>>>>> R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
>>>>>> R2(config-ext-nacl)# deny ip any any
>>>>>> R2(config-ext-nacl)#int f0/0
>>>>>> R2(config-if)#ip access-gr 100 in
>>>>>>
>>>>>> !Now from R1 lets try this..
>>>>>>
>>>>>> rack7>1
>>>>>> [Resuming connection 1 to R1 ... ]
>>>>>>
>>>>>> R1#
>>>>>> R1#
>>>>>> R1#
>>>>>> R1#ping 2.2.2.2
>>>>>>
>>>>>> Type escape sequence to abort.
>>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>>> U.U..
>>>>>> Success rate is 0 percent (0/5)
>>>>>> R1#
>>>>>> This is because the ACL is denying that traffic
>>>>>>
>>>>>> ! R1#telnet 2.2.2.2
>>>>>> Trying 2.2.2.2 ... Open
>>>>>>
>>>>>> User Access Verification
>>>>>>
>>>>>> Username: ccbootcamp
>>>>>> Password:
>>>>>> R2>access-enable timeout 5
>>>>>> R2>exit
>>>>>>
>>>>>> [Connection to 2.2.2.2 closed by foreign host]
>>>>>> R1#ping 2.2.2.2
>>>>>>
>>>>>> Type escape sequence to abort.
>>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>>> !!!!!
>>>>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>>>>>> R1#
>>>>>>
>>>>>> !lets see how it is now on R2
>>>>>>
>>>>>> R2#show ip access-list
>>>>>> Extended IP access list 100
>>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>>     20 permit ospf any any (16 matches)
>>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>>        permit icmp any any echo (15 matches) (time left 255)
>>>>>>     40 deny ip any any (749 matches)
>>>>>> R2#
>>>>>>
>>>>>> R2#show ip access-list
>>>>>> Extended IP access list 100
>>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>>     20 permit ospf any any (16 matches)
>>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>>        permit icmp any any echo (15 matches) (time left 255)
>>>>>>     40 deny ip any any (749 matches)
>>>>>> R2#clear access-template 100 LOCK_KEY any any
>>>>>> R2#show ip access-list
>>>>>> Extended IP access list 100
>>>>>>     10 permit tcp any any eq telnet (132 matches)
>>>>>>     20 permit ospf any any (19 matches)
>>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
>>>>>>     40 deny ip any any (867 matches)
>>>>>> R2#
>>>>>> rack7>1
>>>>>> [Resuming connection 1 to R1 ... ]
>>>>>>
>>>>>> R1#
>>>>>> R1#ping 2.2.2.2
>>>>>>
>>>>>> Type escape sequence to abort.
>>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
>>>>>> .U.U.
>>>>>> Success rate is 0 percent (0/5)
>>>>>> R1#
>>>>>>
>>>>>> thanks,
>>>>>> Victor Cappuccio.-
>>>>>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
>>>>>> Cisco Learning credits!
>>>>>> victor@ccbootcamp.com
>>>>>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
>>>>>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
>>>>>> Voice: 702-968-5100
>>>>>> FAX: 702-446-8012
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
>>>>>> Sent: Sat 3/10/2007 15:46
>>>>>> To: ccielab@groupstudy.com
>>>>>> Subject: Lock&key
>>>>>>
>>>>>> Hi, GS
>>>>>> Here is a lock&key question: R1 should go through and be authenticated by R2
>>>>>> with username (ccie) and password (cisco), then R1 can telnet to other
>>>>>> routers.
>>>>>> I used dynamic access-list in lock&key. So, R1 can telnet to other routers
>>>>>> successfully.
>>>>>> However, I found R1 can not login to R2 anymore with the same username and
>>>>>> password.
>>>>>> The output is as follows:
>>>>>> % List#DYNAMIC-DYC already contains this IP address pair
>>>>>> [Connection to 100.100.100.2 closed by foreign host]
>>>>>>
>>>>>> Except for creating another username and password to allow R1 to telnet and
>>>>>> login to R2, is there another method to reach the target?
>>>>>>
>>>>>> thanks!
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>> = = = = = = = = = = = = = = = = = = = =
>>>>>
>>>>> Have a nice day.
>>>>>
>>>>> ian
>>>>> iyux2000@gmail.com
>>>>> 2007-03-13
>>
>> --
>> Narbik Kocharians
>> CCIE# 12410 (R&S, SP, Security)
>> CCSI# 30832
>> Network Learning, Inc. (CCIE class Instructor)
>> www.ccbootcamp.com (CCIE Training)
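The only place a lock-and-key temporary entry is visible from the router is the `show ip access-list` output Victor pasted above: the dynamic template sits at its sequence number, and the instantiated entry appears beneath it with its match count and "time left" until IOS tears it down (or until someone runs `clear access-template`). The following Python is an added example written for this page, not code from any poster in the thread; it parses that output and reports which dynamic entries currently have an open temporary entry, so an operator can audit what temporary holes exist at any moment. The two sample outputs are re-typed here from the thread as constructed test input, and the regular expressions and the `DynamicEntry` structure are this example's own assumptions about the format of the lines shown, not a general parser for every IOS release.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, re-typed from the two "show ip access-list" outputs
# in the thread: once while the lock-and-key entry is active (after
# "access-enable"), and once after "clear access-template".
SHOW_ACL_ACTIVE = """\
Extended IP access list 100
    10 permit tcp any any eq telnet (132 matches)
    20 permit ospf any any (16 matches)
    30 Dynamic LOCK_KEY permit icmp any any echo
       permit icmp any any echo (15 matches) (time left 255)
    40 deny ip any any (749 matches)
"""

SHOW_ACL_CLEARED = """\
Extended IP access list 100
    10 permit tcp any any eq telnet (132 matches)
    20 permit ospf any any (19 matches)
    30 Dynamic LOCK_KEY permit icmp any any echo
    40 deny ip any any (867 matches)
"""


@dataclass
class DynamicEntry:
    """One 'Dynamic <name> ...' line of an ACL plus its instantiated entries."""
    seq: int
    name: str
    template: str                                   # ACE text of the template
    active: List[dict] = field(default_factory=list)  # temporary entries open now


# Assumed line shapes, fitted to the output quoted in the thread.
HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
SEQ_RE = re.compile(r"^\s+(\d+)\s+(.*)$")
DYNAMIC_RE = re.compile(r"^Dynamic (\S+) (.*)$")
TIMELEFT_RE = re.compile(r"\(time left (\d+)\)")
MATCHES_RE = re.compile(r"\((\d+) matches\)")


def parse_dynamic_entries(text: str) -> Dict[str, List[DynamicEntry]]:
    """Return, per ACL name, its dynamic entries and any open temporary entries."""
    result: Dict[str, List[DynamicEntry]] = {}
    acl: Optional[str] = None
    current: Optional[DynamicEntry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            acl = m.group(1)
            result[acl] = []
            current = None
            continue
        if acl is None:
            continue
        m = SEQ_RE.match(line)
        if m:
            seq, ace = int(m.group(1)), m.group(2).strip()
            d = DYNAMIC_RE.match(ace)
            if d:
                current = DynamicEntry(seq, d.group(1), d.group(2))
                result[acl].append(current)
            else:
                current = None  # an ordinary ACE ends the dynamic block
            continue
        # A non-empty line without a sequence number directly under a dynamic
        # entry is a temporary entry IOS instantiated from that template.
        if current is not None and line.strip():
            tl = TIMELEFT_RE.search(line)
            mt = MATCHES_RE.search(line)
            current.active.append({
                "ace": line.strip().split(" (")[0],
                "matches": int(mt.group(1)) if mt else 0,
                "time_left": int(tl.group(1)) if tl else None,
            })
    return result


def open_temporary_entries(text: str) -> List[str]:
    """One human-readable line per lock-and-key entry that is open right now."""
    report = []
    for acl, entries in parse_dynamic_entries(text).items():
        for e in entries:
            for a in e.active:
                report.append(f"ACL {acl} seq {e.seq} {e.name}: {a['ace']} "
                              f"({a['matches']} matches, time left {a['time_left']})")
    return report


if __name__ == "__main__":
    for label, out in (("active", SHOW_ACL_ACTIVE), ("cleared", SHOW_ACL_CLEARED)):
        print(label, open_temporary_entries(out) or ["no temporary entries open"])
```

Run against the "active" sample it reports the single open ICMP entry with 255 left on its timer; against the "cleared" sample (the state after `clear access-template 100 LOCK_KEY any any`) it reports nothing, which is exactly the difference R1's two ping results show.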
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART