Hi,
This might help.
http://forum.internetworkexpert.com/ubbthreads.php/ubb/showflat/Number/14900/page/1#Post14900
Regards
Lejoe
On Thu, Jul 2, 2009 at 4:22 AM, Usha Rani <usha2bccie_at_gmail.com> wrote:
> Sorry...setup is something like this:
>
> R4 SW3
> | /
> vlan41 | /
> | / (layer-2)
> | /fa1/7
> SW1 ----------------------------SW4
> | fa1/13 (Layer-3) |
> vlan7
> Question:
> * One of the network admins would like to access a Windows 2000 server, located
> in Vlan7, that is running remote desktop connection.
> However, your security team does not want to allow this service to be open
> to the entire network. As an alternative solution to leaving the service
> open,
> the security team has suggested that SW1 be used to authenticate users prior
> to allowing them to connect to the server using remote desktop.
> * Configure your network so that your admin must authenticate to SW1 using
> the username RDP and the password CISCO, prior to using remote desktop
> connection.
> * Once he has authenticated to SW1, he alone should be able to access the
> server in this manner:
> - Windows server's IP address is 164.1.7.100
> - remote desktop connection is listening at the default TCP port of 3389
> * To avoid a hijacking of the user's active session, ensure that they must
> re-authenticate to SW1 every 10 minutes
> SOLUTION:
> =========
> SW1#
> !
> ! local account the admin logs in to SW1 with
> username RDP password 0 CISCO
> !
> ! lock-and-key list applied inbound on the admin's VLAN interface
> int vlan41
>  ip access-group REMOTE_DESKTOP in
> !
> ! the dynamic entry does nothing until access-enable creates a per-host
> ! copy of it; the static deny below it blocks everyone else
> ip access-list extended REMOTE_DESKTOP
>  dynamic RDP permit tcp any host 164.1.7.100 eq 3389
>  deny tcp any host 164.1.7.100 eq 3389
>  permit ip any any
> !
> ! "timeout 10" here is the idle timeout of the temporary entry; an absolute
> ! timeout would be the timeout keyword on the dynamic statement itself
> line vty 0 4
>  login local
>  autocommand access-enable host timeout 10
>
>
>
> >
> > On Wed, Jul 1, 2009 at 9:38 AM, Usha Rani <usha2bccie_at_gmail.com>
> wrote:
> >
> >> Hi Experts,
> >> I need your help in Internetworkexpert Dynamips Volume II, Lab 10, Topic
> >> 8.1
> >> (Dynamic Access-lists)
> >>
> >> The access-list is applied to the SW1's Vlan41 interface.
> >>
> >> interface vlan41
> >> ip access-group REMOTE_DESKTOP in
> >>
> >> Then, what about interfaces Fa1/7 and Fa1/3?
> >> What if some one tries to come from these 2 interfaces?
> >>
> >> Any pointers please?
> >>
> >> Regards,
> >> Usha
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
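An added illustration, not from the thread or from the workbook, of the one point in that solution that trips people up: "access-enable host timeout 10" on the vty line is the idle timeout of the temporary entry, while the absolute timeout is the "timeout" keyword on the "dynamic" statement in the ACL itself. The Python below is a constructed model of how IOS evaluates the REMOTE_DESKTOP list (it is not IOS code): the temporary per-host entry is created at the position of the dynamic statement after login, traffic through it resets the idle timer, and the absolute timer ignores traffic. The admin and second-host addresses 164.1.41.4 and 164.1.41.6, and the minute-based clock, are assumptions. Running it shows that with an idle timeout alone a busy RDP session is never forced back to SW1, and that only the absolute timeout cuts it off at 10 minutes.

```python
"""Constructed model of Cisco IOS lock-and-key (dynamic ACL) evaluation.

Not IOS code: it reproduces the rules of the REMOTE_DESKTOP list from the
thread so the idle timeout (access-enable host timeout N) and the absolute
timeout (dynamic NAME timeout N ...) can be compared on sample traffic.
Times are in minutes. Host addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

RDP_SERVER = "164.1.7.100"      # from the lab task
RDP_PORT = 3389                 # from the lab task
ADMIN = "164.1.41.4"            # assumed admin host on Vlan41
OTHER = "164.1.41.6"            # assumed host on Vlan41 that never logs in


@dataclass
class Entry:
    """One ACE. None for src/dst/dport means 'any'."""
    action: str
    proto: str                  # "tcp" or "ip"
    dst: Optional[str]
    dport: Optional[int]
    src: Optional[str] = None   # temporary entries pin the authenticated host

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if self.src is not None and self.src != src:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class TempEntry:
    """Per-host copy of the dynamic entry created by access-enable."""
    entry: Entry
    created: float
    last_hit: float
    idle_timeout: Optional[float]      # access-enable host timeout N
    absolute_timeout: Optional[float]  # dynamic NAME timeout N

    def expired(self, now: float) -> bool:
        if self.absolute_timeout is not None and now - self.created >= self.absolute_timeout:
            return True
        return self.idle_timeout is not None and now - self.last_hit >= self.idle_timeout


class LockAndKeyACL:
    def __init__(self, dynamic: Entry, static: list, absolute_timeout: Optional[float] = None):
        self.dynamic = dynamic              # the 'dynamic RDP permit ...' template
        self.static = static                # the entries that follow it
        self.absolute_timeout = absolute_timeout
        self.temp: dict = {}                # host -> TempEntry

    def access_enable(self, host: str, now: float, idle_timeout: float) -> None:
        """'autocommand access-enable host timeout N' after a successful login:
        copy the dynamic entry with its source fixed to the logged-in host."""
        pinned = Entry(self.dynamic.action, self.dynamic.proto,
                       self.dynamic.dst, self.dynamic.dport, src=host)
        self.temp[host] = TempEntry(pinned, now, now, idle_timeout, self.absolute_timeout)

    def evaluate(self, src: str, dst: str, proto: str, dport: int, now: float) -> str:
        self.temp = {h: t for h, t in self.temp.items() if not t.expired(now)}
        # temporary entries sit where the dynamic statement is, i.e. they are
        # checked before the static deny that follows it
        for t in self.temp.values():
            if t.entry.matches(src, dst, proto, dport):
                t.last_hit = now            # traffic resets the idle timer only
                return t.entry.action
        for e in self.static:
            if e.matches(src, dst, proto, dport):
                return e.action
        return "deny"                       # implicit deny at end of list


def build_acl(absolute_timeout: Optional[float] = None) -> LockAndKeyACL:
    return LockAndKeyACL(
        dynamic=Entry("permit", "tcp", RDP_SERVER, RDP_PORT),
        static=[Entry("deny", "tcp", RDP_SERVER, RDP_PORT),
                Entry("permit", "ip", None, None)],
        absolute_timeout=absolute_timeout,
    )


def idle_only_scenario() -> dict:
    """The thread's solution: idle timeout of 10 minutes, no absolute timeout."""
    acl, r = build_acl(), {}
    r["before_login"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=0)
    r["other_traffic"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", 80, now=0)
    acl.access_enable(ADMIN, now=0, idle_timeout=10)
    r["after_login"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=1)
    r["other_host"] = acl.evaluate(OTHER, RDP_SERVER, "tcp", RDP_PORT, now=1)
    acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=9)   # session keeps talking
    r["busy_at_18"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=18)
    r["idle_at_30"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=30)
    return r


def absolute_scenario() -> dict:
    """Same list with 'dynamic RDP timeout 10 permit ...': hard 10-minute limit."""
    acl, r = build_acl(absolute_timeout=10), {}
    acl.access_enable(ADMIN, now=0, idle_timeout=10)
    r["at_9"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=9)
    r["at_11"] = acl.evaluate(ADMIN, RDP_SERVER, "tcp", RDP_PORT, now=11)
    return r


if __name__ == "__main__":
    print(idle_only_scenario())
    print(absolute_scenario())
```

In the first scenario the admin's session is still permitted at minute 18 because it sent traffic at minute 9, and is only cut off once it has been quiet for 10 minutes; in the second it is cut off at minute 11 regardless of activity, which is the behaviour a "re-authenticate every 10 minutes" requirement describes.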
Received on Thu Jul 02 2009 - 11:17:28 ART
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:21 ART