Wonderful!!!!!!!!!!! GREAT!!!

Kent, you solved my problem......

Thanks a lot!!!!!!!

>From: "Kent Hundley" 
>Reply-To: "Kent Hundley" 
>To: [EMAIL PROTECTED]
>Subject: RE: IPSEC Challenge Problem [7:17844]
>Date: Thu, 30 Aug 2001 17:03:25 -0400
>
>The problem is most likely your access-lists.  You need to create an acl
>that allows telnet traffic from A to B and the return traffic from B to A:
>
>For telnet from A to B:
>
>on A: access-list 101 permit host A gt 1023 host B eq 23
>on B: access-list 101 permit host B eq 23 host A gt 1023
>
>(create reverse images of these entries for telnet from B to A)
>
>Note that the ACLs on B and A are "mirror images" of each other, as stated
>in the Cisco docs.
>
>You need to remember that the source port for a client initiating telnet is
>a randomly chosen port above 1023.
>
>You don't _have_ to list the 'gt 1023', but when using ACLs for IPSec I
>like to specify both src and dst ports if possible, for consistency.
>
>HTH,
>Kent
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Cisco Lover
>Sent: Thursday, August 30, 2001 4:21 AM
>To: [EMAIL PROTECTED]
>Subject: IPSEC Challenge Problem [7:17844]
>
>
>Guys,
>
>The objective of the problem I'm going to explain to you is to encrypt ONLY
>TELNET traffic b/w these two routers.
>
>The main problem I'm facing is that I'm not able to do this by implementing
>specific host lists that permit only telnet traffic from one host to another,
>like
>
>access-list 101 permit tcp host A host B eq telnet.
>
>The only way I can run this is by using a normal list allowing complete
>traffic b/w these two hosts. Please have a look and let me know if you find
>any problem in my config.
>
>Thanks.
>
>ISDN1#sh crypto engine connections active
>
>   ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
>    1                                 set    HMAC_MD5+DES_56_CB        0        0
>    2                                 set    HMAC_MD5+DES_56_CB        0        0
> 2000 Serial0/0       135.25.11.1     set    HMAC_MD5+DES_56_CB        0       54
> 2001 Serial0/0       135.25.11.1     set    HMAC_MD5+DES_56_CB       40        0
>
>
>ISDN1#sh run
>Building configuration...
>
>Current configuration:
>!
>version 12.0
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname ISDN1
>!
>enable password cisco
>!
>!
>!
>!
>!
>memory-size iomem 7
>ip subnet-zero
>ip telnet source-interface Loopback0
>no ip domain-lookup
>!
>isdn voice-call-failure 0
>cns event-service server
>!
>!
>!
>!
>crypto isakmp policy 10
>hash md5
>authentication pre-share
>crypto isakmp key hello address 135.25.11.2 255.255.255.255
>crypto isakmp key hello address 135.25.3.1 255.255.255.255
>!
>!
>crypto ipsec transform-set cisco esp-des esp-md5-hmac
>!
>!
>crypto map CCIE local-address Loopback0
>crypto map CCIE 10 ipsec-isakmp
>set peer 135.25.11.2
>set peer 135.25.3.1
>set transform-set cisco
>match address 101
>!
>!
>!
>!
>interface Loopback0
>ip address 135.25.4.1 255.255.255.255
>no ip directed-broadcast
>!
>interface FastEthernet0/0
>no ip address
>no ip directed-broadcast
>shutdown
>duplex auto
>speed auto
>!
>interface Serial0/0
>ip address 135.25.11.1 255.255.255.0
>no ip directed-broadcast
>no ip mroute-cache
>no fair-queue
>crypto map CCIE
>!
>interface BRI0/0
>no ip address
>no ip directed-broadcast
>shutdown
>isdn guard-timer 0 on-expiry accept
>!
>interface FastEthernet0/1
>no ip address
>no ip directed-broadcast
>shutdown
>duplex auto
>speed auto
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 135.25.11.2
>no ip http server
>!
>access-list 101 permit ip host 135.25.4.1 host 135.25.3.1
>!
>!
>voice-port 1/0/0
>!
>voice-port 1/0/1
>!
>voice-port 1/1/0
>!
>voice-port 1/1/1
>!
>!
>!
>line con 0
>password cisco
>transport input none
>line aux 0
>line vty 0 4
>password cisco
>login
>!
>
>
>
>hostname ISDN2
>!
>enable password cisco
>!
>!
>!
>!
>!
>ip subnet-zero
>ip telnet source-interface Loopback0
>no ip domain-lookup
>!
>isdn voice-call-failure 0
>cns event-service server
>!
>!
>crypto isakmp policy 10
>hash md5
>authentication pre-share
>crypto isakmp key hello address 135.25.11.1
>crypto isakmp key hello address 135.25.4.1
>!
>!
>crypto ipsec transform-set cisco esp-des esp-md5-hmac
>!
>!
>crypto map CCIE local-address Loopback0
>crypto map CCIE 10 ipsec-isakmp
>set peer 135.25.11.1
>set peer 135.25.4.1
>set transform-set cisco
>match address 101
>partition flash 2 16 8
>!
>!
>!
>!
>!
>!
>!
>interface Loopback0
>ip address 135.25.3.1 255.255.255.255
>no ip directed-broadcast
>!
>interface Ethernet0/0
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial0/0
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface BRI0/0
>no ip address
>no ip directed-broadcast
>shutdown
>isdn guard-timer 0 on-expiry accept
>!
>interface Ethernet0/1
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/0
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/1
>ip address 135.25.11.2 255.255.255.0
>no ip directed-broadcast
>clockrate 64000
>crypto map CCIE
>!
>interface Serial1/2
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/3
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/4
>ip address 135.25.12.1 255.255.255.0
>no ip directed-broadcast
>!
>interface Serial1/5
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/6
>no ip address
>no ip directed-broadcast
>shutdown
>!
>interface Serial1/7
>no ip address
>no ip directed-broadcast
>shutdown
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 135.25.11.1
>no ip http server
>!
>access-list 101 permit ip host 135.25.3.1 host 135.25.4.1
>!
>!
>line con 0
>exec-timeout 0 0
>password cisco
>transport input none
>line aux 0
>line vty 0 4
>password cisco
>login
>!
>end
>
>ISDN2#
>
>
>
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18020&t=17844
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
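To make the mirror-image rule from the reply concrete, here is an added example in Python; it is not from the thread, from Cisco, or from any IOS tool. It parses `access-list N permit ...` lines of the host-to-host form used above, builds each entry's mirror image, checks that two peers' crypto ACLs mirror each other, and evaluates sample flows against the all-IP ACL from the posted configs and against a telnet-only pair built from the reply. The telnet entries carry the `tcp` keyword, which IOS requires before port operators such as `eq 23`; the ACL text and the flow tuples are constructed for this example, and only the `telnet` port keyword is mapped.

```python
# Added example: checker for IOS-style extended crypto ACL entries (not Cisco code).
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23}  # IOS port keywords -> numbers (only what is needed here)

_ENTRY = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+permit\s+(?P<proto>ip|tcp|udp)\s+"
    r"host\s+(?P<src>\S+)(?:\s+(?P<sop>eq|gt|lt)\s+(?P<sport>\S+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+(?P<dop>eq|gt|lt)\s+(?P<dport>\S+))?\s*$"
)


@dataclass(frozen=True)
class PortMatch:
    op: str  # eq / gt / lt, as in IOS
    port: int

    def matches(self, port: int) -> bool:
        return {"eq": port == self.port, "gt": port > self.port, "lt": port < self.port}[self.op]


@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: str
    sport: Optional[PortMatch]
    dst: str
    dport: Optional[PortMatch]

    def mirror(self) -> "AclEntry":
        """Swap source and destination (hosts and ports): the entry the peer needs."""
        return AclEntry(self.proto, self.dst, self.dport, self.src, self.sport)

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """Does a flow 5-tuple fall under this entry? 'ip' covers every protocol."""
        if self.proto != "ip" and self.proto != proto:
            return False
        if (src, dst) != (self.src, self.dst):
            return False
        if self.sport is not None and not self.sport.matches(sport):
            return False
        if self.dport is not None and not self.dport.matches(dport):
            return False
        return True

    def render(self, number: int = 101) -> str:
        parts = ["access-list", str(number), "permit", self.proto, "host", self.src]
        if self.sport:
            parts += [self.sport.op, str(self.sport.port)]
        parts += ["host", self.dst]
        if self.dport:
            parts += [self.dport.op, str(self.dport.port)]
        return " ".join(parts)


def _port(op: Optional[str], value: Optional[str]) -> Optional[PortMatch]:
    if op is None:
        return None
    return PortMatch(op, PORT_NAMES[value] if value in PORT_NAMES else int(value))


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the supported 'access-list N permit ...' lines; reject anything else."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(AclEntry(m["proto"], m["src"], _port(m["sop"], m["sport"]),
                                m["dst"], _port(m["dop"], m["dport"])))
    return entries


def check_mirror(local: List[AclEntry], peer: List[AclEntry]) -> List[str]:
    """Empty list means every entry on one side has its mirror image on the other."""
    problems, peer_set, local_set = [], set(peer), set(local)
    problems += ["no mirror on peer for: " + e.render() for e in local if e.mirror() not in peer_set]
    problems += ["no mirror locally for: " + e.render() for e in peer if e.mirror() not in local_set]
    return problems


def covers(acl: List[AclEntry], proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Would this outbound flow be selected for IPsec by any permit entry?"""
    return any(e.matches(proto, src, sport, dst, dport) for e in acl)


A, B = "135.25.4.1", "135.25.3.1"  # Loopback0 of ISDN1 and ISDN2 from the thread

# Constructed copies of the posted ACLs: all IP between the two loopbacks.
ISDN1_ORIG = f"access-list 101 permit ip host {A} host {B}"
ISDN2_ORIG = f"access-list 101 permit ip host {B} host {A}"

# Telnet-only ACLs following the reply ('tcp' added: IOS needs it before port operators).
ISDN1_TELNET = f"""
access-list 101 permit tcp host {A} gt 1023 host {B} eq telnet
access-list 101 permit tcp host {A} eq telnet host {B} gt 1023
"""
ISDN2_TELNET = f"""
access-list 101 permit tcp host {B} eq telnet host {A} gt 1023
access-list 101 permit tcp host {B} gt 1023 host {A} eq telnet
"""

if __name__ == "__main__":
    a, b = parse_acl(ISDN1_TELNET), parse_acl(ISDN2_TELNET)
    print("mirror problems:", check_mirror(a, b) or "none")
    print("telnet A->B selected on ISDN1:", covers(a, "tcp", A, 40000, B, 23))  # ephemeral -> 23
    print("return traffic selected on ISDN2:", covers(b, "tcp", B, 23, A, 40000))
    print("ping A->B under telnet-only ACL:", covers(a, "icmp", A, 0, B, 0))
    print("ping A->B under 'permit ip':", covers(parse_acl(ISDN1_ORIG), "icmp", A, 0, B, 0))
```

The checker shows two things the thread talks past each other on: the posted `permit ip` ACLs already mirror each other but select every protocol, while the telnet-only pair selects just the client-to-server flow (ephemeral port to 23) on one router and its return flow on the other, which is why each side needs both directions written out as mirror images.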
