From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Sat Mar 10 2007 - 21:46:16 ART
Hi,
Is "clear access-template" the command you are looking for?
Welcome to Network Learning Inc RS/Security/SP Rack#7
For more information, please visit:
http://www.ccbootcamp.com/racks/rs-sec-sp-rack-access-faq.pdf
PLEASE ERASE YOUR CONFIGS AFTER YOU ARE FINISHED!
User Access Verification
Username: victor
Password:
rack7>show user
Line User Host(s) Idle Location
* 66 vty 0 victor idle 00:00:00 66.239.105.148
Interface User Mode Idle Peer Address
rack7>R2
Trying r2 (1.1.1.1, 2034)... Open
R2(config)#ip access-list extended 100
R2(config-ext-nacl)#permit tcp any any eq telnet
R2(config-ext-nacl)# permit ospf any any
R2(config-ext-nacl)# dynamic LOCK_KEY permit icmp any any echo
R2(config-ext-nacl)# deny ip any any
R2(config-ext-nacl)#int f0/0
R2(config-if)#ip access-gr 100 in
! Now from R1 let's try this...
rack7>1
[Resuming connection 1 to R1 ... ]
R1#
R1#
R1#
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U..
Success rate is 0 percent (0/5)
R1#
This is because the ACL is denying that traffic.
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open
User Access Verification
Username: ccbootcamp
Password:
R2>access-enable timeout 5
R2>exit
[Connection to 2.2.2.2 closed by foreign host]
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#
! Let's see how it is now on R2
R2#show ip access-list
Extended IP access list 100
10 permit tcp any any eq telnet (132 matches)
20 permit ospf any any (16 matches)
30 Dynamic LOCK_KEY permit icmp any any echo
permit icmp any any echo (15 matches) (time left 255)
40 deny ip any any (749 matches)
R2#
R2#show ip access-list
Extended IP access list 100
10 permit tcp any any eq telnet (132 matches)
20 permit ospf any any (16 matches)
30 Dynamic LOCK_KEY permit icmp any any echo
permit icmp any any echo (15 matches) (time left 255)
40 deny ip any any (749 matches)
R2#clear access-template 100 LOCK_KEY any any
R2#show ip access-list
Extended IP access list 100
10 permit tcp any any eq telnet (132 matches)
20 permit ospf any any (19 matches)
30 Dynamic LOCK_KEY permit icmp any any echo
40 deny ip any any (867 matches)
R2#
rack7>1
[Resuming connection 1 to R1 ... ]
R1#
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.U.U.
Success rate is 0 percent (0/5)
R1#
thanks,
Victor Cappuccio.-
Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012
-----Original Message-----
From: nobody@groupstudy.com on behalf of achievewoo@gmail.com
Sent: Sat 3/10/2007 15:46
To: ccielab@groupstudy.com
Subject: Lock&key
Hi, GS
Here is the lock&key question: R1 should go through and be authenticated by R2
with username (ccie) and password (cisco), then R1 can telnet to other
routers.
I used dynamic access-list in lock&key. So, R1 can telnet to other routers
successfully.
However, I found R1 cannot log in to R2 anymore with the same username and
password.
The output is as follows:
% List#DYNAMIC-DYC already contains this IP address pair
[Connection to 100.100.100.2 closed by foreign host]
Other than creating another username and password to allow R1 to telnet and log
in to R2, is there another method to reach the target?
thanks!
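The behaviour the two messages above describe (a dynamic entry that only matches after access-enable, the "already contains this IP address pair" refusal on a second access-enable for the same pair, and clear access-template putting things back) can be replayed in a small model. The following is an added illustration written for this archive page; it is not code from the thread and not Cisco IOS code. It models ACL 100 from R2 with the LOCK_KEY template, treats the access-enable timeout as an idle timeout in minutes, and uses constructed addresses (1.1.1.1, 2.2.2.2) and times; the exact IOS error text and the behaviour of the optional "host" keyword are reproduced from memory of IOS and should be checked against your platform.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    """One line of an extended IP ACL. A non-None `dynamic` makes it a
    lock-and-key template: it never matches by itself, only through the
    (src, dst) pairs activated under it by access-enable."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "icmp", "ospf", ...
    src: str                       # "any" or a host address
    dst: str                       # "any" or a host address
    dport: Optional[int] = None    # checked only when set (tcp/udp)
    dynamic: Optional[str] = None  # template name, e.g. "LOCK_KEY"
    active: List[list] = field(default_factory=list)  # [src, dst, idle_s, expires]
    matches: int = 0


class DuplicatePair(Exception):
    """Models IOS's '% List#<name> already contains this IP address pair'."""


def _hit(spec: str, value: str) -> bool:
    return spec == "any" or spec == value


class LockAndKeyACL:
    def __init__(self, number: int):
        self.number = number
        self.entries: List[Entry] = []

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)

    def _template(self, name: str) -> Entry:
        for e in self.entries:
            if e.dynamic == name:
                return e
        raise KeyError(name)

    @staticmethod
    def _expire(tpl: Entry, now: float) -> None:
        tpl.active = [a for a in tpl.active if a[3] > now]

    def access_enable(self, name: str, now: float, timeout_min: int,
                      host: Optional[str] = None) -> None:
        """'access-enable [host] timeout N' after the user authenticated:
        activate the template for one (src, dst) pair. Without 'host' the
        source stays 'any', as in Victor's session above."""
        tpl = self._template(name)
        self._expire(tpl, now)
        pair = (host if host else tpl.src, tpl.dst)
        if any((a[0], a[1]) == pair for a in tpl.active):
            raise DuplicatePair(
                f"% List#{name} already contains this IP address pair")
        tpl.active.append([pair[0], pair[1], 60 * timeout_min, now + 60 * timeout_min])

    def clear_access_template(self, name: str, src: str, dst: str) -> int:
        """'clear access-template <acl> <name> <src> <dst>': drop the pair
        so the next access-enable for it is accepted again."""
        tpl = self._template(name)
        before = len(tpl.active)
        tpl.active = [a for a in tpl.active if (a[0], a[1]) != (src, dst)]
        return before - len(tpl.active)

    def evaluate(self, now: float, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
        """First matching line wins; the list ends with an implicit deny."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != proto:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            if e.dynamic is None:
                if _hit(e.src, src) and _hit(e.dst, dst):
                    e.matches += 1
                    return e.action
                continue
            self._expire(e, now)
            for a in e.active:
                if _hit(a[0], src) and _hit(a[1], dst):
                    a[3] = now + a[2]        # traffic refreshes the idle timer
                    e.matches += 1
                    return e.action
        return "deny"


def build_acl_100() -> LockAndKeyACL:
    """ACL 100 as configured on R2 in the thread."""
    acl = LockAndKeyACL(100)
    acl.add(Entry("permit", "tcp", "any", "any", dport=23))
    acl.add(Entry("permit", "ospf", "any", "any"))
    acl.add(Entry("permit", "icmp", "any", "any", dynamic="LOCK_KEY"))
    acl.add(Entry("deny", "ip", "any", "any"))
    return acl


def walk_through() -> List[str]:
    """Replay the session from R1 and return the verdict at each step."""
    acl = build_acl_100()
    out = [acl.evaluate(0, "icmp", "1.1.1.1", "2.2.2.2")]          # ping denied
    out.append(acl.evaluate(0, "tcp", "1.1.1.1", "2.2.2.2", 23))   # telnet allowed
    acl.access_enable("LOCK_KEY", now=0, timeout_min=5)
    out.append(acl.evaluate(10, "icmp", "1.1.1.1", "2.2.2.2"))     # ping now permitted
    try:                                   # the original poster's problem
        acl.access_enable("LOCK_KEY", now=20, timeout_min=5)
        out.append("second access-enable accepted")
    except DuplicatePair as exc:
        out.append(str(exc))
    acl.clear_access_template("LOCK_KEY", "any", "any")
    out.append(acl.evaluate(30, "icmp", "1.1.1.1", "2.2.2.2"))     # denied again
    acl.access_enable("LOCK_KEY", now=40, timeout_min=5)           # accepted again
    out.append(acl.evaluate(40 + 5 * 60, "icmp", "1.1.1.1", "2.2.2.2"))  # idle timer ran out
    return out
```

The model keeps two facts from the thread visible: the template line (30 Dynamic LOCK_KEY ...) never counts matches itself, only the entry activated under it does, and clearing that entry with the same src/dst the user activated it with is what lets the same credentials work again. On a real router the "dynamic NAME timeout N" keyword on the ACL line adds an absolute timeout on top of the idle one shown here, and "access-enable host" narrows the activated source to the telnetting host instead of "any".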
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART