I was wondering if I could bounce this off you guys. Doing Lab 34 (IOS
Firewall). Configuring Lock&Key, but it doesn't seem to work. Using the same
command set as in Lab 17 Enterprise Security. Is Lab 34 not a good lab to do, as
there are many mistakes?
1. Can Lock&Key work with SSH? Was trying to test it with SSH
R1, R7, R9 on same VLAN 1256.
//R7 is my access server that will permit the unlock username/password. R1
should fail the telnet request to R7. R9 must authenticate to R7 with the
unlock/ccie credentials which will trigger the dynamic ACL line 20. The
problem is that the dynamic line does not show permit ip any any, it shows
permit ip host 9.9.156.9 any so other routers cannot authenticate to R7 at this
point.
access-list 102 permit tcp host 9.9.156.9 any
access-list 102 DYNAMIC TELNET permit ip any any
access-list 102 deny tcp any host 10.0.7.7
access-list 102 deny tcp any host 9.9.111.7
access-list 102 deny tcp any host 7.7.7.7
access-list 102 permit ip any any
!
int fa0/1.78
ip access-g 102 in
!
//When using this ACL, the dynamic permit line is below. It should be a permit
ip any any so other routers can telnet to it.
R7(config-ext-nacl)#do sh access-l
Extended IP access list 102
10 permit tcp host 9.9.156.9 any (34 matches)
20 Dynamic TELNET permit ip any any
permit ip host 9.9.156.9 any
25 deny tcp any any (1 match)
30 deny tcp any host 10.0.7.7
40 deny tcp any host 9.9.111.7
50 deny tcp any host 7.7.7.7
60 permit ip any any (209 matches)
Until I do this and put in a line "25 deny tcp any any", it denies the telnet
request. Thought process was that if I can deny the telnet request, once I
unlock from R9, it will create the dynamic entry higher in the list to permit
ip any any.
R7(config-ext-nacl)#do sh access-list
Extended IP access list 102
10 permit tcp host 9.9.156.9 any log
20 Dynamic TELNET permit ip any any
25 deny tcp any any
30 deny tcp any host 10.0.7.7
40 deny tcp any host 9.9.111.7
50 deny tcp any host 7.7.7.7
60 permit ip any any (1271 matches)
R1#tel 9.9.156.7
Trying 9.9.156.7 ...
% Destination unreachable; gateway or host down
R9(config-if)#do tel 9.9.156.7
Trying 9.9.156.7 ... Open
User Access Verification
Username: unlock
Password:
[Connection to 9.9.156.7 closed by foreign host]
R7(config-ext-nacl)#do sh ip int brie
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 10.0.7.7 YES NVRAM up up
FastEthernet0/1.78 9.9.156.7 YES NVRAM up up
FastEthernet0/1.111 9.9.111.7 YES NVRAM up up
Serial0/0/0 unassigned YES NVRAM administratively down down
NVI0 10.0.7.7 YES unset up up
Loopback0 7.7.7.7 YES NVRAM up up
R7(config-subif)#do sh run | i user
username unlock password 0 ccie
username unlock autocommand access-enable host timeout 2
username ccie password 0 ccie
R7(config-subif)#do sh run | s vty
line vty 0 4
login local
transport input telnet ssh
R1#tel 9.9.156.7
Trying 9.9.156.7 ... Open
User Access Verification
Username:
_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
iPexpert on YouTube: www.youtube.com/ipexpertinc
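As an added illustration (not from the original post or the lab workbook), the Python model below mimics first-match evaluation of ACL 102 from the post and shows why the temporary entry appears as `permit ip host 9.9.156.9 any`: the `host` keyword on `access-enable` scopes the temporary entry to the authenticating source, while omitting it inserts the template as written (`permit ip any any`) and opens the line to every host until the timeout. R1's address 9.9.156.1 and the simplified, timeout-free model are assumptions.

```python
# Constructed model (not IOS code) of the lock-and-key ACL from the post.
# Each entry is (sequence, action, protocol, source, destination).
STATIC_ACL = [
    (10, "permit", "tcp", "host 9.9.156.9", "any"),
    (20, "dynamic", "ip", "any", "any"),   # "20 Dynamic TELNET permit ip any any" template
    (25, "deny", "tcp", "any", "any"),
    (30, "deny", "tcp", "any", "host 10.0.7.7"),
    (60, "permit", "ip", "any", "any"),
]

def _addr_match(field, addr):
    return field == "any" or field == f"host {addr}"

def access_enable(acl, template_seq, auth_src, host=True):
    """Model 'autocommand access-enable [host]' (assumption: timeouts ignored).
    With 'host', the template's source is filled with the authenticating host's
    address; without it, the temporary entry is the template as written."""
    out = []
    for line in acl:
        out.append(line)
        if line[0] == template_seq and line[1] == "dynamic":
            seq, _, proto, src, dst = line
            temp_src = f"host {auth_src}" if host else src
            out.append((seq, "permit", proto, temp_src, dst))  # temporary entry under seq 20
    return out

def evaluate(acl, pkt):
    """First-match evaluation; the template line itself never matches traffic."""
    for seq, action, proto, src, dst in acl:
        if action == "dynamic":
            continue
        if proto in ("ip", pkt["proto"]) and _addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"]):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def render(acl):
    """Approximate the 'show access-list' display from the post."""
    return [f"{seq} {action} {proto} {src} {dst}" for seq, action, proto, src, dst in acl]

def demo():
    r1_telnet = {"proto": "tcp", "src": "9.9.156.1", "dst": "9.9.156.7"}  # constructed R1 address
    with_host = access_enable(STATIC_ACL, 20, "9.9.156.9", host=True)
    without_host = access_enable(STATIC_ACL, 20, "9.9.156.9", host=False)
    return {
        "r1_before": evaluate(STATIC_ACL, r1_telnet),
        "r1_after_host": evaluate(with_host, r1_telnet),
        "r1_after_no_host": evaluate(without_host, r1_telnet),
        "temp_entry_host": render(with_host)[2],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With `host`, R9's unlock only admits R9; only the `host`-less form produces the `permit ip any any` entry the post was expecting, at the cost of admitting every source behind one user's login.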