Re: Lock&key

From: Darby Weaver (darbyweaver@yahoo.com)
Date: Tue Mar 13 2007 - 05:07:55 ART


Agreed.

However, I would note that some of the scenarios that
one may be asked to perform that are outside of the
scope of the lab, while great in theory, are not
necessarily a benefit to lab candidates in every
single case.

I think you used the example of being able to
configure a router to send output to a printer, for
example.

I can think of a few other things that are very nice
to know but may be outside of the scope of the lab.

It is late and my maintenance window is now
complete... Gotta sleep too...

I do think Victor is doing a great job at labbing up
these scenarios and sharing his results here on
GroupStudy and naturally it is always nice to know a
few more ways to do mostly everything...

Thanks to everyone for their contributions.

:)

--- Brian Dennis <bdennis@internetworkexpert.com>
wrote:

> Darby,
> People not only need to know the simplest solution but all possible
> solutions. I was only adding additional solutions.
>
> If you enter the lab after studying only the simplest solutions while
> ignoring other possible solutions you will not pass.
>
> --
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
> On 3/13/07 12:48 AM, "Darby Weaver" <darbyweaver@yahoo.com> wrote:
>
> > I second Narbik's vantage point.
> >
> > Usually the simplest way will typically suffice.
> >
> > Out-thinking the lab seems to be a common mis-strategy sometimes.
> >
> >
> >
> >
> > --- Narbik Kocharians <narbikk@gmail.com> wrote:
> >
> >> Yes, there are many ways to accomplish this task, but what I would
> >> recommend is to choose the easiest method first; I am sure that there
> >> are many 007 ways to do the same thing.
> >> Even for the test you should start with the most simple solution first
> >> and then go up or go down to the 007 stuff.
> >>
> >> On 3/12/07, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >>
> >>> Don't forget TCP ports 7000 + the rotary group number. Also you can
> >>> use NAT as a solution (see below):
> >>>
> >>> Router#sho run | include Loop|ip add|nat
> >>> interface Loopback0
> >>>  ip address 1.1.1.1 255.255.255.255
> >>>  ip nat outside
> >>> ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 9001 extendable
> >>> Router#telnet 1.1.1.1 9001
> >>> Trying 1.1.1.1, 9001 ... Open
> >>>
> >>>
> >>> User Access Verification
> >>>
> >>> Password:
> >>> Router>
> >>>
> >>> --
> >>>
> >>> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> >>> bdennis@internetworkexpert.com
> >>>
> >>> Internetwork Expert, Inc.
> >>> http://www.InternetworkExpert.com
> >>> Toll Free: 877-224-8987
> >>> Direct: 775-745-6404 (Outside the US and Canada)
> >>>
> >>>
> >>> On 3/12/07 7:17 PM, "Narbik Kocharians" <narbikk@gmail.com> wrote:
> >>>
> >>>> You can actually configure the "rotary" command under the vty ports
> >>>> followed by a number, let's say 1; the range is (1-127). This will
> >>>> allow the administrator to telnet in using port 3001 (3000 + the
> >>>> configured number).
> >>>> Remember that you also need to allow Telnet for that port in the
> >>>> access-list, in this case 3001.
> >>>>
> >>>> access-list 100 permit tcp any any eq 3001
> >>>>
> >>>> Line vty 0 ?
> >>>> rotary 1
> >>>> exit
> >>>>
> >>>>
> >>>>
> >>>> On 3/12/07, ian <iyux2000@gmail.com> wrote:
> >>>>>
> >>>>> Victor Cappuccio, how are you!
> >>>>>
> >>>>> From my experience, when the first authentication is verified (e.g.
> >>>>> you configure lock and key on R1), then you cannot telnet to R1. Is
> >>>>> that true? Are there some ways to telnet to R1 as well after the
> >>>>> first authentication?
> >>>>>
> >>>>> ======= 2007-03-11 11:50:11 What you've mentioned in your letter: =======
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> "clear access-template" is the command you are looking for?
> >>>>>>
> >>>>>> Welcome to Network Learning Inc RS/Security/SP Rack#7
> >>>>>> For more information, please visit:
> >>>>>> http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
> >>>>>> PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
> >>>>>>
> >>>>>> User Access Verification
> >>>>>>
> >>>>>> Username: victor
> >>>>>> Password:
> >>>>>>
> >>>>>> rack7>show user
> >>>>>>     Line       User       Host(s)              Idle       Location
> >>>>>> *  66 vty 0     victor     idle                 00:00:00 66.239.105.148
> >>>>>>
> >>>>>>   Interface    User               Mode         Idle     Peer Address
> >>>>>>
> >>>>>> rack7>R2
> >>>>>> Trying r2 (1.1.1.1, 2034)... Open
> >>>>>>
> >>>>>> R2(config)#ip access-list extended 100
> >>>>>> R2(config-ext-nacl)#permit tcp any any eq
> >> telnet
> >>>>>> R2(config-ext-nacl)# permit ospf any any
> >>>>>> R2(config-ext-nacl)# dynamic LOCK_KEY permit
> >> icmp any any echo
> >>>>>> R2(config-ext-nacl)# deny ip any any
> >>>>>> R2(config-ext-nacl)#int f0/0
> >>>>>> R2(config-if)#ip access-gr 100 in
> >>>>>>
> >>>>>> ! Now from R1, let's try this...
> >>>>>>
> >>>>>> rack7>1
> >>>>>> [Resuming connection 1 to R1 ... ]
> >>>>>>
> >>>>>> R1#
> >>>>>> R1#
> >>>>>> R1#
> >>>>>> R1#ping 2.2.2.2
> >>>>>>
> >>>>>> Type escape sequence to abort.
> >>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>>>>> U.U..
> >>>>>> Success rate is 0 percent (0/5)
> >>>>>> R1#
> >>>>>> This is because the ACL is denying that traffic
> >>>>>>
> >>>>>> ! R1#telnet 2.2.2.2
> >>>>>> Trying 2.2.2.2 ... Open
> >>>>>>
> >>>>>>
> >>>>>> User Access Verification
> >>>>>>
> >>>>>> Username: ccbootcamp
> >>>>>> Password:
> >>>>>> R2>access-enable timeout 5
> >>>>>> R2>exit
> >>>>>>
> >>>>>> [Connection to 2.2.2.2 closed by foreign host]
> >>>>>> R1#ping 2.2.2.2
> >>>>>>
> >>>>>> Type escape sequence to abort.
> >>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>>>>> !!!!!
> >>>>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> >>>>>> R1#
> >>>>>>
> >>>>>> ! Let's see how it is now on R2
> >>>>>>
> >>>>>> R2#show ip access-list
> >>>>>> Extended IP access list 100
> >>>>>>     10 permit tcp any any eq telnet (132 matches)
> >>>>>>     20 permit ospf any any (16 matches)
> >>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
> >>>>>>        permit icmp any any echo (15 matches) (time left 255)
> >>>>>>     40 deny ip any any (749 matches)
> >>>>>> R2#
> >>>>>>
> >>>>>> R2#show ip access-list
> >>>>>> Extended IP access list 100
> >>>>>>     10 permit tcp any any eq telnet (132 matches)
> >>>>>>     20 permit ospf any any (16 matches)
> >>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
> >>>>>>        permit icmp any any echo (15 matches) (time left 255)
> >>>>>>     40 deny ip any any (749 matches)
> >>>>>> R2#clear access-template 100 LOCK_KEY any any
> >>>>>> R2#show ip access-list
> >>>>>> Extended IP access list 100
> >>>>>>     10 permit tcp any any eq telnet (132 matches)
> >>>>>>     20 permit ospf any any (19 matches)
> >>>>>>     30 Dynamic LOCK_KEY permit icmp any any echo
> >>>>>>     40 deny ip any any (867 matches)
> >>>>>> R2#
> >>>>>> rack7>1
> >>>>>> [Resuming connection 1 to R1 ... ]
> >>>>>>
> >>>>>> R1#
> >>>>>> R1#ping 2.2.2.2
> >>>>>>
> >>>>>> Type escape sequence to abort.
> >>>>>> Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
> >>>>>> .U.U.
> >>>>>> Success rate is 0 percent (0/5)
> >>>>>> R1#
> >>>>>>
> >>>>>> thanks,
> >>>>>> Victor Cappuccio.-
> >>>>>> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> >>>>>> Cisco Learning credits!
> >>>>>> victor@ccbootcamp.com
> >>>>>> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> >>>>>> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> >>>>>> Voice: 702-968-5100
> >>>>>> FAX: 702-446-8012
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
> >>>>>> Sent: Sat 3/10/2007 15:46
> >>>>>> To: ccielab@groupstudy.com
> >>>>>> Subject: Lock&key
> >>>>>>
> >>>>>> Hi, GS
> >>>>>> Here is a lock&key question: R1 should go through and be authenticated
> >>>>>> by R2 with username (ccie) and password (cisco), then R1 can telnet to
> >>>>>> other routers.
> >>>>>> I used a dynamic access-list in lock&key. So, R1 can telnet to other
> >>>>>> routers successfully.
> >>>>>> However, I found R1 cannot log in to R2 anymore with the same username
> >>>>>> and password.
> >>>>>> The output is as follows:
> >>>>>> % List#DYNAMIC-DYC already contains this IP address pair
> >>>>>> [Connection to 100.100.100.2 closed by foreign host]
> >>>>>>
> >>>>>> Except creating another username and password to allow R1 to telnet
> >>>>>> and log in to R2, is there another method to reach the target?
> >>>>>>
> >>>>>> thanks!
> >>>>>>
> >>>>>>
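Pulling the thread together, here is an added example configuration for the router that enforces lock-and-key (R2 in Victor's lab); it is not from any poster in the thread. It combines the dynamic ACL with static permits for telnet and for TCP 3001, vty lines that run `access-enable` automatically on login, and one vty line reserved with `rotary 1` so an operator can still reach a shell on port 3001 (3000 + rotary number, Narbik's point) after the dynamic entry exists. The `autocommand` line, the ACL name `LOCK_KEY_IN`, the 120-minute absolute timeout and the `vty 0 3` / `vty 4` split are my assumptions; the thread itself only shows the manual `access-enable timeout 5`.

```cisco
! Added example, not from the thread. Assumes R2 is 2.2.2.2 on Fa0/0 facing R1.
! Local user from the original question (use a stronger secret in practice).
username ccie secret cisco
!
ip access-list extended LOCK_KEY_IN
 ! R1 must reach R2's own vty to authenticate (lock-and-key login)
 permit tcp any host 2.2.2.2 eq telnet
 ! Management shell on the rotary line: 3000 + rotary number
 permit tcp any host 2.2.2.2 eq 3001
 permit ospf any any
 ! Dynamic entry is inserted here once access-enable runs;
 ! absolute timeout 120 min is an assumption
 dynamic LOCK_KEY timeout 120 permit tcp any any eq telnet
 deny ip any any
!
interface FastEthernet0/0
 ip access-group LOCK_KEY_IN in
!
! vty 0-3: lock-and-key entry point. After login, the autocommand creates the
! dynamic entry for the calling host (idle timeout 5 min) and ends the session.
! A second login from the same host while the entry exists fails with the
! "already contains this IP address pair" message quoted in the original question.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: normal shell reached with "telnet 2.2.2.2 3001"; no autocommand here.
line vty 4
 login local
 rotary 1
!
! Verify and reset, as shown in the thread (named-list form):
!   show ip access-list LOCK_KEY_IN
!   clear access-template LOCK_KEY_IN LOCK_KEY any any
```

The ACL also has to permit 3001 inbound on the interface, otherwise the rotary line is unreachable until the dynamic entry exists; Brian's 7000 + rotary-number and NAT port-redirect options are alternative ways to reach the same reserved line.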



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART