Sorry...setup is something like this:
R4 SW3
| /
vlan41 | /
| / (layer-2)
| /fa1/7
SW1 ----------------------------SW4
| fa1/13 (Layer-3) |
vlan7
Question:
* One of the network admins would like to access a Windows 2000 server, located
in Vlan7, that is running remote desktop connection.
However, your security team does not want to allow this service to be open
to the entire network. As an alternative solution to leaving the service open,
the security team has suggested that SW1 be used to authenticate users prior
to allowing them to connect to the server using remote desktop.
* Configure your network so that your admin must authenticate to SW1 using
the username RDP and the password CISCO, prior to using remote desktop
connection.
* Once he has authenticated to SW1, he alone should be able to access the
server in this manner:
- Windows server's IP address is 164.1.7.100
- remote desktop connection is listening at the default TCP port of 3389
* To avoid a hijacking of the user's active session, ensure that they must
re-authenticate to SW1 every 10 minutes
SOLUTION:
=========
SW1#
username RDP password 0 CISCO
int vlan41
 ip access-group REMOTE_DESKTOP in
ip access-list extended REMOTE_DESKTOP
 dynamic RDP permit tcp any host 164.1.7.100 eq 3389
 deny tcp any host 164.1.7.100 eq 3389
 permit ip any any
line vty 0 4
 login local
 autocommand access-enable host timeout 10
>
> On Wed, Jul 1, 2009 at 9:38 AM, Usha Rani <usha2bccie_at_gmail.com> wrote:
>
>> Hi Experts,
>> I need your help in Internetworkexpert Dynamips Volume II, Lab 10, Topic
>> 8.1
>> (Dynamic Access-lists)
>>
>> The access-list is applied to the SW1's Vlan41 interface.
>>
>> interface vlan41
>> ip access-group REMOTE_DESKTOP in
>>
>> Then, what about interfaces Fa1/7 and Fa1/3?
>> What if someone tries to come from these 2 interfaces?
>>
>> Any pointers please?
>>
>> Regards,
>> Usha
>>
>>
>> Blogs and organic groups at http://www.ccie.net
Received on Wed Jul 01 2009 - 23:52:38 ART
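
A lock-and-key variant for the task discussed in this thread, written as an added example; it is not part of the original posts or of the lab workbook. It uses the two timers IOS provides (the idle timer on `access-enable` and the absolute timer on the `dynamic` entry) and a per-user autocommand. The 5-minute idle value and the use of Fa1/13 as a second entry point are assumptions.

```cisco
! Added example (not from the original thread or the lab workbook).
username RDP password 0 CISCO
! Per-user autocommand: only a login as RDP triggers access-enable, so
! other local accounts still get a normal exec session on the vty lines.
! "host" limits the temporary entry to the source IP that authenticated.
! "timeout 5" is the IDLE timer in minutes (assumed value; it must be
! lower than the absolute timer below).
username RDP autocommand access-enable host timeout 5
!
ip access-list extended REMOTE_DESKTOP
 ! "timeout 10" on the dynamic entry is the ABSOLUTE timer: the temporary
 ! entry is deleted 10 minutes after it is created, even while the RDP
 ! session is passing traffic, which forces re-authentication.
 dynamic RDP timeout 10 permit tcp any host 164.1.7.100 eq 3389
 deny tcp any host 164.1.7.100 eq 3389
 ! Everything else, including Telnet to SW1 for authentication, passes.
 permit ip any any
!
interface Vlan41
 ip access-group REMOTE_DESKTOP in
!
! Assumption: the routed port Fa1/13 is another path toward VLAN 7.
! An inbound ACL filters only the interface it is applied to, so every
! layer-3 entry point that must be covered needs the same access-group.
interface FastEthernet1/13
 ip access-group REMOTE_DESKTOP in
!
line vty 0 4
 login local
```

After a successful login as RDP, `show ip access-lists REMOTE_DESKTOP` lists the temporary permit entry for the authenticated source address under the dynamic line until one of the timers removes it.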