Re: Lock and Key

From: Mohamed Tandou (dtandou@gmail.com)
Date: Tue Sep 09 2008 - 20:39:42 ART


Hi Hobbs,
I reconfigured my ACL using the config below. I am still getting the same
result.

Mohamed

ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit tcp any any eq telnet
 dynamic ACCESS timeout 10 permit ip any any
 deny ip any any

On Tue, Sep 9, 2008 at 6:31 PM, Hobbs <deadheadblues@gmail.com> wrote:

> Plus you are already allowing telnet to ANY device with "access-list 101
> permit tcp any any eq telnet". The point of lock and key is to DENY it before
> you allow it once authenticated.
>
> Your first statement should only allow telnet to the local router:
>
> access-list 101 permit tcp any 192.168.25.6 eq telnet
> access-list 101 dynamic ACCESS timeout 10 permit ip any any
> access-list 101 deny ip any any
>
> Also, make sure you allow your routing protocols somewhere in there.
>
> hth
>
>
> On Tue, Sep 9, 2008 at 1:45 PM, Luca Hall <lhall@setnine.com> wrote:
>
>> You should either remove ACL 101's third line or change it
>> to deny. That error means that the dynamic ACL has already
>> added the 'permit ip any any', so it won't add it again.
>> Just fix your ACL 101 and clear the dynamic entry and it
>> will go away.
>>
>>
>>
>>
>> ----- Original Message -----
>> From: Mohamed Tandou <dtandou@gmail.com>
>> To: ccielab@groupstudy.com
>> Sent: Tue, 9 Sep 2008 15:38:36 -0400 (EDT)
>> Subject: Lock and Key
>>
>> Hello GS,
>> I am trying to test Lock and Key and it is not working.
>> I have 3 routers on the same LAN: R4, R5 and R1.
>> R4 and R6 are using frame-relay.
>> I configured Lock and Key on R4; when I telnet from R6 I am getting the
>> following error message. Any comment?
>>
>> Mohamed
>>
>> R4
>> username DYNACL password 0 CISCO
>> username DYNACL autocommand access-enable host timeout 5
>> interface FastEthernet0
>> ip address 192.168.25.6 255.255.255.0
>> ip access-group 101 in
>> speed auto
>>
>> access-list 101 permit tcp any any eq telnet
>> access-list 101 dynamic ACCESS timeout 10 permit ip any any
>> access-list 101 permit ip any any
>>
>> line vty 0 4
>> exec-timeout 30 0
>> login local
>>
>>
>> R5#telnet 192.168.25.6
>> Trying 192.168.25.6 ... Open
>>
>> User Access Verification
>> Username: DYNACL
>> Password:
>> % List#101-MYCISCO already contains this IP address pair
>> [Connection to 11.11.25.6 closed by foreign host]
>> R5#
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

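Putting the advice in this thread together, the following is an added example of a lock-and-key configuration for R4. It is not taken from any of the posters; the addresses, the DYNACL username, the dynamic list name ACCESS and the protocol list (OSPF and BGP) are carried over from the messages above, and the weak ACL from the first post is shown beside the corrected one. `username ... secret` is used in place of the posted `password 0`, a deliberate change so the credential is stored hashed rather than in clear text.

```cisco
! --- Weak ACL as originally posted. Line 1 already permits telnet to ANY
! --- host, and line 3 permits everything, so authenticating adds nothing:
! --- the dynamic entry is redundant and the list never denies anything.
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 permit ip any any
!
! --- Corrected lock-and-key ACL (added example). IOS evaluates top down and
! --- stops at the first match, so the order of these entries is the point.
ip access-list extended INBOUND
 remark Routing protocols carried on this segment (from the second post)
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 remark Telnet only to the router itself, so users can reach the login prompt
 permit tcp any host 192.168.25.6 eq telnet
 remark Created per host after a successful login. 'timeout 10' is the
 remark absolute lifetime in minutes; the idle timeout comes from access-enable.
 dynamic ACCESS timeout 10 permit ip any any
 remark Everything else is denied until the user has authenticated
 deny ip any any
!
! The autocommand inserts the dynamic entry for the telnetting host only
! ('host' replaces the source 'any' with that address), then closes the
! session, which is why the client sees "Connection ... closed by foreign host".
username DYNACL secret CISCO
username DYNACL autocommand access-enable host timeout 5
!
interface FastEthernet0
 ip address 192.168.25.6 255.255.255.0
 ip access-group INBOUND in
!
line vty 0 4
 login local
```

To check the result, `show ip access-lists INBOUND` on R4 should show a `permit ip host <source> any` entry under the dynamic line only after a user has logged in, and nothing before. If a stale entry is left over from an earlier test (the "already contains this IP address pair" condition Luca describes), `clear access-template INBOUND ACCESS any any` removes it so the next login can re-create it.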



This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART