From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Sat Mar 18 2006 - 10:44:47 GMT-3
Mushtaq - this is the correct operation (you don't need to use the key if you already unlocked the door). Now, you should be able to get through the router by whatever method you have in your dynamic ACL. Give it a try again and maybe post your configs too.
Dave Schulz
*** Sent from my Blackberry ***
-----Original Message-----
From: Mushtaq A. Khan <mak.ccie2b@gmail.com>
To: Schulz, Dave <DSchulz@dpsciences.com>
CC: Cisco certification <ccielab@groupstudy.com>
Sent: Fri Mar 17 17:50:53 2006
Subject: Re: Limitation in Lock-and-Key Configuration in IOS 12.3??
 
Dave,
 
You are right, the router took the command when I typed it in. It is strange.
Anyway, I have another issue: even though I have both the idle and absolute timeout configured, when I try to open a telnet session from the Switch, the first session gets dropped, which is expected, but when I try it a second time I get the following message.
 
% List#LOCK_KEY-MYACL already contains this IP address pair
 
I tried it a couple of times but no luck.
I remember seeing a similar issue with someone in the groupstudy postings, but in my case it is not working.
SW2#172.16.8.1
Trying 172.16.8.1 ... Open
User Access Verification
Username: test
Password: 
[Connection to 172.16.8.1 closed by foreign host]
SW2#
Rack01TS#1
[Resuming connection 1 to r1 ... ]
R1#sh ip access | beg LOCK
Extended IP access list LOCK_KEY
    10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (81 matches) 
    15 permit ip 172.16.8.0 0.0.0.255 any (21 matches)
    20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
       permit tcp host 172.16.8.8 any eq telnet
SW2#172.16.8.1
Trying 172.16.8.1 ... Open
User Access Verification
Username: test
Password: 
% List#LOCK_KEY-MYACL already contains this IP address pair
[Connection to 172.16.8.1 closed by foreign host]
SW2#
Rack01TS#1
[Resuming connection 1 to r1 ... ]
R1#sh ip access | beg LOCK
Extended IP access list LOCK_KEY
    10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches) 
    15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
    20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
       permit tcp host 172.16.8.8 any eq telnet
 
Router Configurations:
 
R1#sh run | inc username
username test password 0 cisco
username test autocommand access-enable host timeout 5
 
R1#sh ip access | beg LOCK   
Extended IP access list LOCK_KEY
    10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet
    15 permit ip 172.16.8.0 0.0.0.255 any (1 match)
    20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
R1#sh run | beg vty 
line vty 0 4
 login local
TIA
 Mushtaq
 
On 3/17/06, Schulz, Dave <DSchulz@dpsciences.com> wrote: 
        This should work.  However, I have noticed that some of the 12.2
        versions do not show the autocommand access-enable timeout when you do a 
        ?.  But, it is in there. Go ahead and try it.  (similar to the ip pim
        autorp listener command)
        
        
        Dave Schulz,
        Email: dschulz@dpsciences.com
        
        
        
        -----Original Message----- 
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
        Mushtaq A. Khan
        Sent: Friday, March 17, 2006 3:27 PM
        To: Cisco certification
        Subject: Limitation in Lock-and-Key Configuration in IOS 12.3??
        
        All,
        
        I am having trouble setting the idle timeout with the *timeout* keyword in
        the *access-enable* command in the *autocommand* command. Is this an IOS
        limitation? I checked the DOC CD for 12.3 configuration and it sounds like
        it should be supported.
        
        Am I missing anything here? Can anyone shed some light on this? Is
        there a way I can achieve my goal as mentioned above?
        
        http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#wp1001063
        
        R1(config)#username test autocommand ?
        LINE  Command to be automatically issued after the user logs in
        
        R1(config-line)#autocommand ?
        LINE                    Appropriate EXEC command
        no-suppress-linenumber  Display service linenumber message 
        
        
        
        R1#sh ver
        Cisco Internetwork Operating System Software
        IOS (tm) C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
        Copyright (c) 1986-2003 by cisco Systems, Inc. 
        Compiled Tue 25-Nov-03 06:00 by kellythw
        Image text-base: 0x80008098, data-base: 0x81FFCCD8
        
        ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
        
        R1 uptime is 3 days, 5 hours, 36 minutes 
        System returned to ROM by reload
        System restarted at 02:19:26 UTC Tue Mar 14 2006
        System image file is "flash:c2600-adventerprisek9-mz.123-5a.bin"
        
        [....]
        
        
        
        TIA,
        
        Mushtaq
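
An added example, not part of the original thread: a small Python parser for `show ip access-lists` output in the format pasted above. It lists the temporary entries that `access-enable host` has placed under each `Dynamic` line, so you can check whether a source host is already unlocked before a second login triggers the "already contains this IP address pair" message. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the same format as the output shown in the thread.
SAMPLE = """\
Extended IP access list LOCK_KEY
    10 permit tcp 172.16.8.0 0.0.0.255 host 172.16.8.1 eq telnet (153 matches)
    15 permit ip 172.16.8.0 0.0.0.255 any (27 matches)
    20 Dynamic MYACL permit tcp 172.16.8.0 0.0.0.255 any eq telnet
       permit tcp host 172.16.8.8 any eq telnet
"""

ACL_RE = re.compile(r"^Extended IP access list (\S+)")
DYN_RE = re.compile(r"^\s+(?:\d+\s+)?Dynamic (\S+) (permit|deny) (.+)$")
# Temporary entries carry no sequence number and, with "host", a host source.
TEMP_RE = re.compile(r"^\s+(permit|deny) \S+ host (\d+\.\d+\.\d+\.\d+) ")


def parse_dynamic_entries(show_output):
    """Map (acl_name, dynamic_name) -> list of hosts with an active temporary entry."""
    result, acl, current = {}, None, None
    for line in show_output.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl, current = m.group(1), None
            continue
        m = DYN_RE.match(line)
        if m and acl:
            current = (acl, m.group(1))
            result[current] = []
            continue
        m = TEMP_RE.match(line)
        if m and current:
            result[current].append(m.group(2))
        elif line.strip():
            current = None  # any other non-blank line ends the dynamic block
    return result


def already_unlocked(show_output, acl, name, host):
    """True if the host already has a temporary entry under the dynamic ACL."""
    return host in parse_dynamic_entries(show_output).get((acl, name), [])


if __name__ == "__main__":
    print(parse_dynamic_entries(SAMPLE))
```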
        
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3