Re: Lock and Key

From: Hobbs (deadheadblues@gmail.com)
Date: Wed Sep 10 2008 - 17:39:35 ART


Try this:

ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit tcp any host x.x.x.x eq telnet   (x.x.x.x = the local router interface)
 dynamic ACCESS timeout 10 permit ip any any

You have been allowing telnet from the very beginning, so there is no need to
create the Dynamic ACL. Also remember to clear the session when you try to
change something. I think the command is "clear access-template".

I wrote a very simple blog here
http://ccietobe.blogspot.com/2008/09/lock-and-key.html

On Wed, Sep 10, 2008 at 12:45 AM, CCIE3000 <ccie3000@googlemail.com> wrote:

> I've only skim-read this so I may be talking utter bull, but I seem to
> remember that you get a similar message if you telnet to a device, activate
> the Dynamic ACL (successfully) and then try to do the same thing again
> (especially when you are using the host keyword).
>
> First check that the dynamic acl isn't actually active
> Second try doing the same thing from another router.
>
> On Wed, Sep 10, 2008 at 2:39 AM, Mohamed Tandou <dtandou@gmail.com> wrote:
>
>> Hi Hobbs,
>> I reconfigured my ACL using the config below. I am still getting the same
>> result.
>>
>> Mohamed
>>
>> ip access-list extended INBOUND
>> permit ospf any any
>> permit tcp any any eq bgp
>> permit tcp any eq bgp any
>> permit tcp any any eq telnet
>> dynamic ACCESS timeout 10 permit ip any any
>> deny ip any any
>>
>> On Tue, Sep 9, 2008 at 6:31 PM, Hobbs <deadheadblues@gmail.com> wrote:
>>
>> > Plus you are already allowing telnet to ANY device with " access-list
>> 101
>> > permit tcp any any eq telnet" The point of lock and key is to DENY it
>> before
>> > you allow it once authenticated.
>> >
>> > Your first statement should only allow telnet to the local router:
>> >
>> > access-list 101 permit tcp any host 192.168.25.6 eq telnet
>> > access-list 101 dynamic ACCESS timeout 10 permit ip any any
>> > access-list 101 deny ip any any
>> >
>> > Also, make sure you allow your routing protocols somewhere in there.
>> >
>> > hth
>> >
>> >
>> > On Tue, Sep 9, 2008 at 1:45 PM, Luca Hall <lhall@setnine.com> wrote:
>> >
>> >> You should either remove acl 101's third line or change it
>> >> to deny. That error means that the dynamic acl has already
>> >> added the 'permit ip any any' so it won't add it again.
>> >> Just fix your acl 101 and clear the dynamic entry and it
>> >> will go away.
>> >>
>> >>
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: Mohamed Tandou <dtandou@gmail.com>
>> >> To: ccielab@groupstudy.com
>> >> Sent: Tue, 9 Sep 2008 15:38:36 -0400 (EDT)
>> >> Subject: Lock and Key
>> >>
>> >> Hello GS,
>> >> I am trying to test Lock and Key and it is not working.
>> >> I have 3 routers on the same LAN: R4, R5 and R1.
>> >> R4 and R6 are using frame-relay.
>> >> I configured Lock and Key on R4; when I telnet from R6 I am getting the
>> >> following error message below. Any comment?
>> >>
>> >> Mohamed
>> >>
>> >> R4
>> >> username DYNACL password 0 CISCO
>> >> username DYNACL autocommand access-enable host timeout 5
>> >> interface FastEthernet0
>> >> ip address 192.168.25.6 255.255.255.0
>> >> ip access-group 101 in
>> >> speed auto
>> >>
>> >> access-list 101 permit tcp any any eq telnet
>> >> access-list 101 dynamic ACCESS timeout 10 permit ip any any
>> >> access-list 101 permit ip any any
>> >>
>> >> line vty 0 4
>> >> exec-timeout 30 0
>> >> login local
>> >>
>> >>
>> >> R5#telnet 192.168.25.6
>> >> Trying 192.168.25.6 ... Open
>> >>
>> >> User Access Verification
>> >> Username: DYNACL
>> >> Password:
>> >> % List#101-MYCISCO already contains this IP address pair
>> >> [Connection to 11.11.25.6 closed by foreign host]
>> >> R5#
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >>
>> >>
>>
>>



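The point the replies keep circling is ACL ordering: a static `permit ip any any` (or a telnet permit to `any`) placed around the `dynamic` entry is matched before the temporary entry ever gets a chance, so lock-and-key never denies anything, and a second `access-enable host` from the same source is what produces the "already contains this IP address pair" message. The script below is an added example written for this page, not configuration or code from any of the posters: it does first-match evaluation of the two access-list 101 variants from the thread against a constructed packet, before and after a simulated `access-enable host`. Only what the thread uses is modelled (`any`/`host` matches, `eq` ports, `ip`/`tcp`/`ospf`, one temporary entry per source host); 192.168.25.6 is R4's FastEthernet0 from the thread, while the telnetting host 192.168.25.5 and the inside host 10.0.0.1 are assumed.

```python
"""First-match simulation of a Cisco IOS extended ACL with a lock-and-key
'dynamic' entry.  Added example for the thread above, not the posters' code.
Assumptions: 192.168.25.5 is the telnetting host (R5) and 10.0.0.1 is a host
behind R4; 'access-enable host' opens one temporary entry per source host."""

from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "bgp": 179}   # Cisco port keywords used here


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or one host address
    dst: str
    sport: Optional[int] = None     # "eq <port>" right after the source
    dport: Optional[int] = None     # "eq <port>" right after the destination
    dynamic: Optional[str] = None   # set on the lock-and-key template entry


def _addr(toks, i):
    """Consume one address spec (any | host A | A 0.0.0.0) at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    if toks[i + 1] != "0.0.0.0":           # only exact-host wildcards modelled
        raise ValueError("unsupported wildcard in: " + " ".join(toks))
    return toks[i], i + 2


def _port(toks, i):
    """Consume an optional 'eq <port>' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N ...' or named-ACL line into an Ace."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]                     # drop 'access-list 101'
    dyn = None
    if toks[0] == "dynamic":
        dyn, toks = toks[1], toks[2:]
        if toks[0] == "timeout":            # absolute timeout, not modelled
            toks = toks[2:]
    action, proto = toks[0], toks[1]
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Ace(action, proto, src, dst, sport, dport, dyn)


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _match(ace, proto, src, dst, sport, dport):
    return ((ace.proto == "ip" or ace.proto == proto)
            and ace.src in ("any", src) and ace.dst in ("any", dst)
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def access_enable(opened, src):
    """Model 'access-enable host': open the temporary entry for this source.
    IOS refuses a second entry for the same endpoints, which is the
    '% List#... already contains this IP address pair' message in the thread."""
    if src in opened:
        raise RuntimeError("already contains this IP address pair: " + src)
    opened.add(src)


def lookup(acl, opened, proto, src, dst, sport=None, dport=None):
    """Return (action, index) of the first matching entry; -1 = implicit deny.
    A dynamic template only matches for sources that access-enable opened
    (the temporary entry is the template with its source fixed to that host)."""
    for idx, ace in enumerate(acl):
        if ace.dynamic is not None:
            if src not in opened:
                continue
            probe = Ace(ace.action, ace.proto, src, ace.dst, ace.sport, ace.dport)
            if _match(probe, proto, src, dst, sport, dport):
                return ace.action, idx
        elif _match(ace, proto, src, dst, sport, dport):
            return ace.action, idx
    return "deny", -1


ROUTER = "192.168.25.6"          # R4's FastEthernet0, from the thread
R5 = "192.168.25.5"              # assumed: the host that telnets in
INSIDE = "10.0.0.1"              # assumed: a host behind R4

# The original poster's list: the third line shadows the dynamic entry.
ORIGINAL = """
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 permit ip any any
"""

# The ordering suggested in the replies, with a routing protocol allowed.
CORRECTED = """
access-list 101 permit ospf any any
access-list 101 permit tcp any host 192.168.25.6 eq telnet
access-list 101 dynamic ACCESS timeout 10 permit ip any any
access-list 101 deny ip any any
"""


def demo():
    """HTTP from R5 to INSIDE through both lists, before and after R5
    authenticates, plus telnet to the router and a repeated login."""
    out = {}
    for name, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        acl, opened = parse_acl(text), set()
        before = lookup(acl, opened, "tcp", R5, INSIDE, 40000, 80)
        to_router = lookup(acl, opened, "tcp", R5, ROUTER, 40000, 23)
        access_enable(opened, R5)            # autocommand access-enable host
        after = lookup(acl, opened, "tcp", R5, INSIDE, 40000, 80)
        try:                                 # second login from the same host
            access_enable(opened, R5)
            dup = "ok"
        except RuntimeError as e:
            dup = str(e)
        out[name] = {"before": before, "to_router": to_router,
                     "after": after, "second_login": dup}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the original list permitting the HTTP packet at its third entry before anyone has authenticated, while the corrected list denies it at the explicit `deny ip any any` until `access_enable` opens the temporary entry, after which the dynamic entry (index 2) permits it; telnet to the router itself is permitted by the static entry in both lists, and the repeated `access_enable` for the same host raises the modelled "already contains" error in both.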

This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:18 ART