Lock and Key - not working

From: Jason Cash (cash2001@swbell.net)
Date: Sun Apr 06 2003 - 20:57:48 GMT-3


I am having difficulty configuring lock and key security. I keep
getting this error:
 
3550#telnet 172.168.60.1
Trying 172.168.60.1 ... Open
 
 
User Access Verification
 
Username: ccie
Password:
List#106-telnet already contains this IP address pair
[Connection to 172.168.60.1 closed by foreign host]
 
The requirement is: Allow telnet access to hosts on R6's Ethernet
segment if someone first authenticates against R6 via telnet. It
should be simple, but the archive here left the question open. Here is
the config:
 
R6
hostname r6
!
!
username ccie password 0 cisco
username ccie autocommand access-enable HOST timeout 5
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
 ip address 172.168.60.1 255.255.255.0
!
interface Serial1
 bandwidth 64
 ip address 172.168.100.6 255.255.255.0
 ip access-group 106 in
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 605
!
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
access-list 106 permit ip any any
!
line con 0
 session-timeout 120
 exec-timeout 60 0
 length 30
line aux 0
 transport input all
line vty 0 4
 login local
!
end
 
 
Now I have tried just about everything on the dynamic list as well as the
autocommand, such as:
 
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any any
access-list 106 permit ip any any
 
username ccie autocommand access-enable timeout 5
 
Upon logging in, I see the dynamic list created, but it WILL NOT LET ME
IN:
r6#sh access-list BEFORE TELNETTING (with host on autocommand)
Extended IP access list 106
    permit tcp any 172.168.60.0 0.0.0.255 eq telnet (616 matches)
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
    permit ip any any (205 matches)
 
r6#sh access-list AFTER TELNETTING (with host on autocommand)
Extended IP access list 106
    permit tcp any 172.168.60.0 0.0.0.255 eq telnet (662 matches)
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
      permit tcp host 137.50.50.50 172.168.60.0 0.0.0.255 eq telnet log
    permit ip any any (205 matches)
 
 
r6#sh access-list
Extended IP access list 106 BEFORE TELNETTING
    permit tcp any 172.168.60.0 0.0.0.255 eq telnet (672 matches)
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
    permit ip any any (227 matches)
r6#sh access-list
Extended IP access list 106
    permit tcp any 172.168.60.0 0.0.0.255 eq telnet (716 matches)
    Dynamic telnet permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
      permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
    permit ip any any (227 matches)
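
An added example, not part of the original post: a small first-match evaluator run over ACL 106 as posted, showing which entry decides the fate of a telnet packet from a source that has not yet authenticated. The VARIANT list and the test host 172.168.60.5 are constructed assumptions for comparison, not a configuration from the thread.

```python
import ipaddress
# ACL 106 as posted above (the wrapped dynamic line joined).
POSTED = """\
access-list 106 permit tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
access-list 106 permit ip any any"""

# Constructed variant (an assumption, not from the post): static telnet only to
# R6's Serial1 address, plus an explicit deny behind the dynamic template.
VARIANT = """\
access-list 106 permit tcp any host 172.168.100.6 eq telnet
access-list 106 dynamic telnet timeout 5 permit tcp any 172.168.60.0 0.0.0.255 eq telnet log
access-list 106 deny tcp any 172.168.60.0 0.0.0.255 eq telnet
access-list 106 permit ip any any"""

PORTS = {"telnet": 23}

def _addr(tok):  # consumes 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()[2:]                  # drop "access-list 106"
        dynamic = tok[0] == "dynamic"
        if dynamic:                             # skip "dynamic NAME [timeout N]"
            tok = tok[4:] if tok[2] == "timeout" else tok[2:]
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        entries.append((dynamic, action, proto, src, dst, port))
    return entries

def _hit(ip, spec):  # wildcard-mask comparison: bits set in the mask are ignored
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def verdict(text, src, dst, dport, proto="tcp"):
    """First-match result for a packet from a source that has not authenticated."""
    for n, (dynamic, action, p, s, d, port) in enumerate(parse(text), 1):
        if dynamic:
            continue  # template only; matches nothing until access-enable adds an entry
        if p in ("ip", proto) and port in (None, dport) and _hit(src, s) and _hit(dst, d):
            return n, action
    return None, "deny"  # implicit deny at the end of every list
```

`verdict(POSTED, "137.50.50.50", "172.168.60.5", 23)` returns `(1, "permit")`: the first static entry already passes telnet to the whole Ethernet segment, so the dynamic entry never gates that traffic. The same call against `VARIANT` returns `(3, "deny")`.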


