RE: Lock and Key Problem

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Jul 23 2004 - 12:50:27 GMT-3


Add the host option to the access-enable command.

access-enable
To enable the router to create a temporary access list entry in a
dynamic access list, use the access-enable EXEC command.

access-enable [host] [timeout minutes]

Syntax Description
host
(Optional) Tells the software to enable access only for the host from
which the Telnet session originated. If not specified, the software
allows all hosts on the defined network to gain access. The dynamic
access list contains the network mask to use for enabling the new
network.

timeout minutes
(Optional) Specifies an idle timeout for the temporary access list
entry. If the access list entry is not accessed within this period, it
is automatically deleted and requires the user to authenticate again.
The default is for the entries to remain permanently. We recommend that
this value equal the idle timeout set for the WAN connection.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7ba.html#wp1017394

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Phil
Sent: Friday, July 23, 2004 7:12 AM
To: Group Study
Subject: Lock and Key Problem

Hi group,

Has anybody tried to play with lock and key?

I have the configuration below, but when I telnet to the router to
authenticate, instead of having an opening in the access-list
permitting from my PC's IP address to any, I get an opening permitting
any any, which allows any other hosts in the subnet to have full access.
I tried a couple of different IOS versions and got the same result;
12.1.1 and 12.3.1 are two I remember.

Thanks,

Phil
===========================
rlab_2621c#wr t
Building configuration...

Current configuration : 2215 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rlab_2621c
!
username phil password 0 test
ip subnet-zero
!
ip dhcp excluded-address 172.16.34.33
ip dhcp excluded-address 172.16.34.65
ip dhcp excluded-address 172.16.34.34
ip dhcp excluded-address 172.16.34.66
!
ip dhcp pool vlan432
   network 172.16.34.32 255.255.255.240
   default-router 172.16.34.33
   dns-server 10.128.1.25
!
ip dhcp pool vlan464
   network 172.16.34.64 255.255.255.240
   default-router 172.16.34.65
   dns-server 10.128.1.25
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation isl 416
 ip address 172.16.34.17 255.255.255.240
 ip access-group 101 in
 no ip redirects
!
interface FastEthernet0/0.2
 encapsulation isl 464
 ip address 172.16.34.65 255.255.255.240
 ip access-group 101 in
 no ip redirects
!
interface FastEthernet0/0.3
 encapsulation isl 432
 ip address 172.16.34.33 255.255.255.240
 ip access-group 101 in
 no ip redirects
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 172.16.34.1 255.255.255.248
 speed 100
 full-duplex
!
router eigrp 65500
 network 172.16.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.30.3
!
!
access-list 101 dynamic mytest timeout 120 permit ip any any
access-list 101 permit tcp any host 172.16.34.17 eq telnet
access-list 101 permit tcp any host 172.16.34.65 eq telnet
access-list 101 permit tcp any host 172.16.34.33 eq telnet
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
!
line con 0
 password cisco
line aux 0
line vty 0 4
 password cisco
 login local
 autocommand access-enable timeout 5
!
end

rlab_2621c#
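The following is an added illustration, not code from either poster: a small Python model of the temporary entry that the vty autocommand creates from Phil's dynamic ACL, with and without the host keyword Brian recommends. The modelled behaviour is an assumption drawn from the access-enable reference text quoted above, and the host addresses are constructed sample values on Phil's vlan432 subnet.

```python
# Dynamic entry template taken from Phil's config:
#   access-list 101 dynamic mytest timeout 120 permit ip any any
DYNAMIC_TEMPLATE = "permit ip any any"

# Constructed sample addresses on Phil's vlan432 subnet (172.16.34.32/28).
AUTHENTICATED_HOST = "172.16.34.40"  # the PC that telnets in and authenticates
NEIGHBOUR_HOST = "172.16.34.41"      # another host on the same VLAN, never authenticated
DESTINATION = "10.128.1.25"


def _take_term(tokens, i):
    """Read one source/destination term: 'any' or 'host A'."""
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return tokens[i], i + 1


def parse_entry(entry):
    """Split 'permit <proto> <src> <dst>' into its four parts."""
    tokens = entry.split()
    src, i = _take_term(tokens, 2)
    dst, _ = _take_term(tokens, i)
    return tokens[0], tokens[1], src, dst


def term_matches(term, addr):
    """'any' matches everything; 'host A' matches only A."""
    return term == "any" or term == f"host {addr}"


def temporary_entry(template, telnet_src, host_option):
    """Model of the temporary entry IOS installs when the vty autocommand runs
    access-enable (an assumption based on the reference text quoted above): with
    the host keyword the source becomes the Telnet client's own address; without
    it the template's source term ('any' in Phil's ACL) is kept as written."""
    action, proto, src, dst = parse_entry(template)
    if host_option:
        src = f"host {telnet_src}"
    return f"{action} {proto} {src} {dst}"


def permitted(entry, src, dst):
    action, _, s, d = parse_entry(entry)
    return action == "permit" and term_matches(s, src) and term_matches(d, dst)


def simulate(host_option):
    """Authenticate from AUTHENTICATED_HOST; report who the new entry lets through."""
    entry = temporary_entry(DYNAMIC_TEMPLATE, AUTHENTICATED_HOST, host_option)
    return {
        "entry": entry,
        "authenticated_host": permitted(entry, AUTHENTICATED_HOST, DESTINATION),
        "neighbour_host": permitted(entry, NEIGHBOUR_HOST, DESTINATION),
    }


if __name__ == "__main__":
    print("access-enable timeout 5      ->", simulate(host_option=False))
    print("access-enable host timeout 5 ->", simulate(host_option=True))
```

Without host the installed entry is the template's own permit ip any any, so the never-authenticated neighbour passes; with host only the authenticating PC's address is opened.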



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:01 GMT-3