From: Hobbs (deadheadblues@gmail.com)
Date: Tue Sep 09 2008 - 19:31:09 ART
Plus, you are already allowing telnet to ANY device with "access-list 101
permit tcp any any eq telnet". The point of lock and key is to DENY it before
you allow it once authenticated.
Your first statement should only allow telnet to the local router:
access-list 101 permit tcp any host 192.168.25.6 eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 deny ip any any
Also, make sure you allow your routing protocols somewhere in there.
hth
On Tue, Sep 9, 2008 at 1:45 PM, Luca Hall <lhall@setnine.com> wrote:
> You should either remove acl 101's third line or change it
> to deny. That error means that the dynamic acl has already
> added the 'permit ip any any' so it won't add it again.
> Just fix your acl 101 and clear the dynamic entry and it
> will go away.
>
> ----- Original Message -----
> From: Mohamed Tandou <dtandou@gmail.com>
> To: ccielab@groupstudy.com
> Sent: Tue, 9 Sep 2008 15:38:36 -0400 (EDT)
> Subject: Lock and Key
>
> Hello GS,
> I am trying to test Lock and Key and it is not working.
> I have 3 routers on the same LAN: R4, R5 and R1.
> R4 and R6 are using frame-relay.
> I configured Lock and Key on R4. When I telnet from R6 I am getting the
> following error message below. Any comments?
>
> Mohamed
>
> R4
> username DYNACL password 0 CISCO
> username DYNACL autocommand access-enable host timeout 5
> interface FastEthernet0
> ip address 192.168.25.6 255.255.255.0
> ip access-group 101 in
> speed auto
>
> access-list 101 permit tcp any any eq telnet
> access-list 101 dynamic ACCESS timeout 10 permit ip any any
> access-list 101 permit ip any any
>
> line vty 0 4
> exec-timeout 30 0
> login local
>
>
> R5#telnet 192.168.25.6
> Trying 192.168.25.6 ... Open
>
> User Access Verification
> Username: DYNACL
> Password:
> % List#101-MYCISCO already contains this IP address pair
> [Connection to 11.11.25.6 closed by foreign host]
> R5#
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART
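
A small check for the points raised in this thread, as an added example that is not part of the original messages: it parses an ACL and flags a telnet permit that is not limited to the router, a static `permit ip any any`, and a missing routing-protocol permit. The function names, the `ROUTING` set and the two sample ACL strings are constructed for illustration.

```python
import re

# Constructed inputs: ACL 101 as first posted, and as rewritten in the reply
# (destination written with the IOS "host" keyword).
POSTED = """\
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 permit ip any any
"""
REVISED = """\
access-list 101 permit tcp any host 192.168.25.6 eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 deny ip any any
"""

ENTRY = re.compile(
    r"access-list\s+\d+\s+(?:dynamic\s+(?P<dyn>\S+)\s+(?:timeout\s+\d+\s+)?)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)")
ROUTING = {"ospf", "eigrp"}  # assumption: IGPs that appear as ACL protocol keywords

def parse(config):
    """Return one dict per access-list line, in configured order."""
    matches = (ENTRY.match(line.strip()) for line in config.splitlines())
    return [m.groupdict() for m in matches if m]

def lint_lock_and_key(config, router_ip):
    """Return findings for the lock-and-key mistakes raised in the thread."""
    entries = parse(config)
    if not any(e["dyn"] for e in entries):
        return ["no dynamic entry: lock and key is not configured"]
    findings = []
    static_permits = [e for e in entries if not e["dyn"] and e["action"] == "permit"]
    to_router = (["host", router_ip], [router_ip, "0.0.0.0"])
    for e in static_permits:
        words = e["rest"].split()
        if e["proto"] == "ip" and words == ["any", "any"]:
            findings.append("static 'permit ip any any' admits all traffic without authentication")
        elif e["proto"] == "tcp" and words[-2:] == ["eq", "telnet"] \
                and words[-4:-2] not in to_router:
            findings.append("telnet is permitted to destinations other than the router")
    if not any(e["proto"] in ROUTING for e in static_permits):
        findings.append("no static permit for a routing protocol (check whether one is needed)")
    return findings

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("revised", REVISED)):
        print(name, lint_lock_and_key(acl, "192.168.25.6"))
```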