RE: Please help with Terminal Server

From: Bai, Qing (Qing.Bai@flukenetworks.com)
Date: Thu Jun 07 2007 - 01:12:07 ART


In my lab environment, I configure an ACL to block that traffic.

ip access-list extended block20xx
 deny tcp any host xxx.xxx.xxx.xxx range 2066 2097
 permit ip any any

then apply it to the interface

int f0/0
 ip access-group block20xx in

you can try to use your DOS prompt to try to telnet to those ports and
use show ip access-list block20xx to verify that.

-BQ
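
An added example (not from any poster in this thread): this Python script builds the blocking ACL described above for all three Cisco reverse-telnet port families (2000+line for telnet, 4000+line for raw TCP, 6000+line for binary-mode telnet, so an ACL that denies only 2001-2097 still leaves the other two ranges open) and parses constructed `show ip access-list` output to confirm the deny entries are being hit. The address 192.0.2.1 and the line range 66-97 are assumptions.

```python
import re

# Cisco reverse-telnet port families for async line n (assumption stated in the
# lead-in): 2000+n telnet, 4000+n raw TCP, 6000+n telnet with binary mode.
REVERSE_TELNET_BASES = (2000, 4000, 6000)

def build_block_acl(name, ts_ip, first_line, last_line):
    """Return IOS config lines for an extended ACL that denies inbound TCP to
    every reverse-telnet port of lines first_line..last_line on the TS."""
    acl = [f"ip access-list extended {name}"]
    for base in REVERSE_TELNET_BASES:
        acl.append(f" deny tcp any host {ts_ip} range "
                   f"{base + first_line} {base + last_line}")
    acl.append(" permit ip any any")
    return acl

# One ACE as printed by 'show ip access-list': "<seq> <action> <rule> (<n> matches)"
ACE_RE = re.compile(r"^\s*(\d+)\s+(deny|permit)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl_matches(show_output):
    """Parse the ACEs into (seq, action, rule, matches); entries that were
    never hit carry no '(n matches)' suffix and are reported as 0."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, rule, hits = m.groups()
            entries.append((int(seq), action, rule, int(hits or 0)))
    return entries

def deny_entries_with_hits(show_output):
    """Deny entries whose counter moved: evidence the ACL is actually
    catching direct connections to the reverse-telnet ports."""
    return [e for e in parse_acl_matches(show_output)
            if e[1] == "deny" and e[3] > 0]

# Constructed sample output (not captured from a real device).
SAMPLE_SHOW = """Extended IP access list block20xx
    10 deny tcp any host 192.0.2.1 range 2066 2097 (7 matches)
    20 deny tcp any host 192.0.2.1 range 4066 4097
    30 deny tcp any host 192.0.2.1 range 6066 6097
    40 permit ip any any (1543 matches)
"""

if __name__ == "__main__":
    print("\n".join(build_block_acl("block20xx", "192.0.2.1", 66, 97)))
    for seq, action, rule, hits in parse_acl_matches(SAMPLE_SHOW):
        print(f"{seq:>3} {action:<6} {hits:>5}  {rule}")
```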

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ronnie Higginbotham
Sent: 28 May, 2007 7:49 PM
To: nhatphuc; Ronnie Higginbotham; Cisco certification
Subject: Re: Please help with Terminal Server

In a real world you would more than likely apply aaa to all devices, which
will require you to authenticate on r1 once you reverse telnet to it,
depending on how the remote router AAA is configured.

Ronnie

----- Original Message -----
From: "nhatphuc" <nhatphuc@gmail.com>
To: "Ronnie Higginbotham" <rhigginb@swbell.net>; "Cisco certification"
<ccielab@groupstudy.com>
Sent: Sunday, May 27, 2007 11:04 PM
Subject: Re: Please help with Terminal Server

> Hi Ronnie,
>
> With the second test, I "reverse" telnet directly into devices through
> TS from a PC, the command is: c:\> telnet terminal_server 2001
>
> This brings me directly to the router on line 2001 without authentication.
>
> How can I prevent this?
>
> Phuc
>
> On 5/28/07, Ronnie Higginbotham <ronniepaul@hotmail.com> wrote:
>> Just so I understand you have already telneted into your access/terminal
>> server and then typed telnet r1 which takes you to router 1 which now has
>> no re-authentication applied to the line port.
>>
>> Then as a second test you then retelneted into your access/terminal server,
>> typed your username and password. Once authenticated you typed telnet
>> terminal_server 2001? Which does the same thing as above, 2001 will equal
>> r1.
>> So in summary the answer to your question will be no, there is no way to
>> prevent this.
>>
>> Ronnie
>>
>> ----- Original Message -----
>> From: "nhatphuc" <nhatphuc@gmail.com>
>> To: "Ronnie Higginbotham" <rhigginb@swbell.net>; "Cisco certification"
>> <ccielab@groupstudy.com>
>> Sent: Sunday, May 27, 2007 12:56 PM
>> Subject: Re: Please help with Terminal Server
>>
>>
>> > Hi Ronnie,
>> >
>> > This will disable authentication when I reverse telnet.
>> >
>> > But if I telnet directly to tty line like this: telnet terminal_server
>> > 2001, the terminal server will let me in without asking for the
>> > username/password.
>> >
>> > Is there any way to prevent this?
>> >
>> > Thanks
>> >
>> > Phuc
>> >
>> > On 5/27/07, Ronnie Higginbotham <ronniepaul@hotmail.com> wrote:
>> >> Phuc,
>> >>
>> >> Try this
>> >>
>> >> aaa authentication login NONE none
>> >>
>> >> line 1 16 <<<<Port numbers could vary
>> >> login authentication NONE
>> >>
>> >> Ronnie
>> >> CCIE 13834
>> >>
>> >> ----- Original Message -----
>> >> From: "nhatphuc" <nhatphuc@gmail.com>
>> >> To: "Darby Weaver" <darbyweaver@yahoo.com>; "Cisco certification"
>> >> <ccielab@groupstudy.com>
>> >> Sent: Saturday, May 26, 2007 1:51 PM
>> >> Subject: Re: Please help with Terminal Server
>> >>
>> >>
>> >> > Hi Darby,
>> >> >
>> >> > I can configure this with ACS Server using tacacs+ autocommand AV
>> >> > pair. But I want to disable some messages and extra authentication
>> >> > when reverse telnetting to router. I've asked this in separate
>> >> > mails.
>> >> >
>> >> > If you know how to do this, please help me.
>> >> >
>> >> > Thanks
>> >> >
>> >> > Phuc
>> >> >
>> >> > On 5/26/07, nhatphuc <nhatphuc@gmail.com> wrote:
>> >> >> Hi Darby,
>> >> >>
>> >> >> I've just seen it here:
>> >> >>
>> >> >> http://www.internetworkexpert.com/resources/termserv.htm
>> >> >>
>> >> >> Phuc
>> >> >>
>> >> >>
>> >> >> On 5/26/07, Darby Weaver <darbyweaver@yahoo.com> wrote:
>> >> >> > Did you see this on a lab recently?
>> >> >> >
>> >> >> > Out of my experience - I have not enabled aaa for term
>> >> >> > servers at home to try it out.
>> >> >> >
>> >> >> > What do you get?
>> >> >> >
>> >> >> > If the option exists then that would likely be the
>> >> >> > one.
>> >> >> >
>> >> >> > Darby
>> >> >> > --- nhatphuc <nhatphuc@gmail.com> wrote:
>> >> >> >
>> >> >> > > Hi Darby,
>> >> >> > >
>> >> >> > > It works if I configure:
>> >> >> > >
>> >> >> > > line vty 0 4
>> >> >> > > login local
>> >> >> > >
>> >> >> > > But it doesn't if:
>> >> >> > >
>> >> >> > > aaa new-model
>> >> >> > > aaa authentication login TELNET local
>> >> >> > > line vty 0 4
>> >> >> > > login authentication TELNET
>> >> >> > >
>> >> >> > > Do I have to enable aaa authorization reverse-access
>> >> >> > > TELNET?
>> >> >> > >
>> >> >> > > Thanks
>> >> >> > >
>> >> >> > > Phuc
>> >> >> > >
>> >> >> > >
>> >> >> > >
>> >> >> > > On 5/26/07, Darby Weaver <darbyweaver@yahoo.com>
>> >> >> > > wrote:
>> >> >> > > > Let me take a stab at this one:
>> >> >> > > >
>> >> >> > > > username R1 password cisco
>> >> >> > > > username R1 autocommand R1 or Telnet R1
>> >> >> > > >
>> >> >> > > > username All password cisco
>> >> >> > > > username All autocommand x.x.x.x or Telnet x.x.x.x
>> >> >> > > >
>> >> >> > > > username R2 password cisco
>> >> >> > > > username R2 autocommand R2 or Telnet R2
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > line vty 0 4
>> >> >> > > > login local
>> >> >> > > >
>> >> >> > > > Try this and let me know if doesn't work.
>> >> >> > > >
>> >> >> > > > Now you switch R1 for the loopback:2001
>> >> >> > > > And R2 for loopback:2002
>> >> >> > > >
>> >> >> > > > Exchange loopback for whatever IP Address you used for
>> >> >> > > > the reverse telnet IP Address.
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > And you could wrap an acl around it and/or perhaps use
>> >> >> > > > SSH depending on if your TS supports SSH.
>> >> >> > > >
>> >> >> > > > Check me on this - since I am shooting from the hip.
>> >> >> > > > There may be one more step, but I think this will do what
>> >> >> > > > you require.
>> >> >> > > >
>> >> >> > > > Let us know if I missed anything please.
>> >> >> > > >
>> >> >> > > > Darby
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > --- nhatphuc <nhatphuc@gmail.com> wrote:
>> >> >> > > >
>> >> >> > > > > Hi Group,
>> >> >> > > > >
>> >> >> > > > > I'm setting up my Terminal Server. How do I
>> >> >> > > > > configure for this requirement?
>> >> >> > > > >
>> >> >> > > > > If I login using username all it will connect to
>> >> >> > > > > terminal server
>> >> >> > > > > If I login using username r1 it will connect
>> >> >> > > > > directly to r1
>> >> >> > > > > If I login using username r2 it will connect
>> >> >> > > > > directly to r2
>> >> >> > > > > .....
>> >> >> > > > >
>> >> >> > > > > I'm trying to use username.... autocommand, but it
>> >> >> > > > > doesn't work.
>> >> >> > > > >
>> >> >> > > > > Thanks
>> >> >> > > > >
>> >> >> > > > > Phuc
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > >
>> >> >> > >
>> >> >> >



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:47 ART