From: Mohamed M Moustafa (mmma@gawab.com)
Date: Sun Oct 28 2007 - 10:57:55 ART
Hi Simon,
This is simply because the logic of Lock and Key is that you have to
explicitly permit telnet to the router first, then use the dynamic entry to
dynamically enable further access:
I don't know what specifically you are trying to do with the below
configuration, but here is a simple example that is used to authenticate a
user before being able to access through the router interface:
username CCIE password CCIE
username CCIE autocommand access-enable host
!
interface f0/0
 ip access-group ACCESS in
!
ip access-list extended ACCESS
 permit tcp any any eq telnet
 dynamic ACCESS permit ip any any
!
line vty 0 4
 login local
And thus no traffic is accepted from the user until he telnets to the
router and triggers the dynamic entry.
I hope that I've been informative for you.
HTH,
Mohammed Mahmoud.
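An added example, not part of either mail: a small Python model of how an extended ACL with a lock-and-key dynamic entry is evaluated (first match in sequence order, the dynamic template itself never matching, `access-enable host` instantiating a temporary entry narrowed to the telnetting host). It reuses the addresses from Simon's mail (150.1.4.4, 164.1.7.100) and assumes a constructed router address 10.0.0.1; the class and function names are the example's own, not IOS commands.

```python
# Added example (not from the thread): a model of first-match ACL evaluation
# with a lock-and-key dynamic template, so the ordering Mohammed describes can
# be checked offline.  164.1.7.100 / 150.1.4.4 come from Simon's mail;
# 10.0.0.1 and 150.1.4.5 are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" or "tcp"
    src: str                         # "any" or "host A.B.C.D"
    dst: str
    dport: Optional[int] = None      # "eq <port>"; None means any port
    dynamic: Optional[str] = None    # dynamic list name (lock-and-key template)
    temp: bool = False               # True for an entry built by access-enable


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    return kind == "host" and value == addr


class LockAndKeyAcl:
    """Ordered, first-match ACL that can carry lock-and-key dynamic templates."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching entry; implicit deny at the end."""
        for e in self.entries:
            if e.dynamic and not e.temp:
                continue  # a dynamic *template* never matches on its own
            if e.proto not in ("ip", proto):
                continue
            if not (_addr_matches(e.src, src) and _addr_matches(e.dst, dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action, e.seq
        return "deny", None

    def access_enable(self, telnet_src: str, host: bool = True) -> List[Entry]:
        """Model `autocommand access-enable [host]` after a vty login from
        telnet_src: each template is instantiated as a temporary entry placed
        right under it.  With `host` the source is narrowed to the telnetting
        host; without it the template's own source is kept."""
        created = []
        for template in [e for e in self.entries if e.dynamic and not e.temp]:
            temp = Entry(template.seq, template.action, template.proto,
                         f"host {telnet_src}" if host else template.src,
                         template.dst, template.dport, template.dynamic, temp=True)
            self.entries.insert(self.entries.index(template) + 1, temp)
            created.append(temp)
        return created


def can_telnet_to_router(acl: LockAndKeyAcl, src: str, router_ip: str) -> bool:
    """The precondition from the reply: the user must be able to reach the vty first."""
    return acl.evaluate("tcp", src, router_ip, 23)[0] == "permit"


def simons_acl() -> LockAndKeyAcl:
    """Simon's REMOTE-DESKTOP list, sequence numbers as in his show output."""
    acl = LockAndKeyAcl("REMOTE-DESKTOP")
    acl.add(Entry(10, "permit", "tcp", "any", "host 164.1.7.100", 3389, dynamic="RDP"))
    acl.add(Entry(20, "deny", "tcp", "any", "host 164.1.7.100", 3389))
    acl.add(Entry(30, "permit", "ip", "any", "any"))
    return acl


def mohammeds_acl() -> LockAndKeyAcl:
    """The ACCESS list from the reply: telnet permitted, then a dynamic permit ip any any."""
    acl = LockAndKeyAcl("ACCESS")
    acl.add(Entry(10, "permit", "tcp", "any", "any", 23))
    acl.add(Entry(20, "permit", "ip", "any", "any", dynamic="ACCESS"))
    return acl


def walk_through(acl: LockAndKeyAcl, user: str, router_ip: str) -> dict:
    """Evaluate the RDP flow before and after the user's telnet login to the router."""
    before = acl.evaluate("tcp", user, "164.1.7.100", 3389)
    telnet_ok = can_telnet_to_router(acl, user, router_ip)
    if telnet_ok:
        acl.access_enable(user)  # the vty autocommand fires after a successful login
    after = acl.evaluate("tcp", user, "164.1.7.100", 3389)
    other = acl.evaluate("tcp", "150.1.4.5", "164.1.7.100", 3389)  # constructed second host
    return {"before": before, "telnet_ok": telnet_ok, "after": after, "other_host": other}


if __name__ == "__main__":
    print(walk_through(simons_acl(), "150.1.4.4", "10.0.0.1"))
```

In the model, Simon's list denies 150.1.4.4's RDP flow at sequence 20 until the telnet login instantiates the temporary entry under sequence 10, after which only that host is permitted and a second host still hits the deny; the `host` keyword is what keeps the temporary entry from opening the port to `any`.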
Simon Grace <SimonG@pcsystems.gr> wrote on 28 Oct 2007, 10:32 AM:
Subject: Lock and Key ACL
>Hi All,
>
>I'm having a slight problem trying to use dynamic ACLs in a lock and
>key situation.
>
>As far as I can see everything is configured correctly and the dynamic
>acl is being inserted okay, but when I try to telnet on port 3389 the
>dynamic ACL entry is skipped and the deny statement is matched.
>
>Any ideas?
>
>*************************************
>
>CONFIG:
>
>username RDP password 0 CISCO
>
>interface Vlan41
> ip access-group REMOTE-DESKTOP in
>
>ip access-list extended REMOTE-DESKTOP
> dynamic RDP permit tcp any host 164.1.7.100 eq 3389
> deny tcp any host 164.1.7.100 eq 3389 log
> permit ip any any
>
>line vty 0 4
> password cisco
> login local
> autocommand ACCESS-ENABLE HOST TIMEOUT 10
>
>****************************************
>
>AFTER TELNETING TO THE DEVICE WITH THE DYNAMIC ACL
>AND AUTHENTICATING CORRECTLY
>
>SHOW IP ACCESS:
>
>Extended IP access list REMOTE-DESKTOP
> 10 Dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>---------THE DYNAMIC ACL IS BUILT
> 10 permit tcp host 150.1.4.4 host 164.1.7.100 eq 3389
>---------
> 20 deny tcp any host 164.1.7.100 eq 3389 log (1 match)
> 30 permit ip any any (314 matches)
>
>AFTER TRYING TO TELNET TO 164.1.7.100 ON PORT 3389
>I CAN SEE FROM THE LOGS THAT THE DYNAMIC ACL DOESN'T TAKE EFFECT
>AND THE TRAFFIC IS STOPPED BY THE SEQUENCE 20 LINE
>
>20:49:56: %SEC-6-IPACCESSLOGP: list REMOTE-DESKTOP denied tcp
>150.1.4.4(62889) -> 164.1.7.100(3389), 1 packet
>
>Thanks
>
>Simon.
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART