Working through the "All-In-One Cisco CCIE Lab Study Guide"
Second Edition by Hutnik & Satterlee, LAB #61 on dynamic access
lists - lock and key, I have run into a segment that I cannot
get to work per the lab and am hoping to get some input.

The lab consists of two routers connected as below.

      e0(ra)s0----------------------s0(rb)e0
152.1.1.1   195.1.1.4      195.1.1.10     150.1.1.1


From my understanding of lock-and-key, when the user passes
authentication the user is then allowed to telnet through the
interface on which the authentication takes place. In the lab the user,
from router B, telnets to router A, int s0, to perform the authentication
process. This part works correctly, as the temporary modification to the
access list is made as shown below.

The second part of the lab is to telnet from router B to int e0, 
152.1.1.1 on router A.

This step always concludes with the error message
List#100-tempaccess already contains this IP address pair
[Connection to 152.1.1.1 closed by foreign host]

I have modified the lab by connecting a third router, rc, to e0
of router A and modifying the access list to allow for the IP of
the new e0 (152.1.1.2). By performing the authentication, then
telnetting from router B through router A to the new router,
everything seems to work correctly.
    
Anyone know why the lock-and-key feature works when telnetting
through router A to router C, but does not work when telnetting to e0 of
router A?

The configs and output from the lab steps are listed below for 
those interested.

Thanks
Rick



--------------------------------------------------------------------------------
Access list before performing the authentication ---
labA#sh access-lists
Extended IP access list 100
    Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
    permit tcp any host 195.1.1.4 eq telnet log (25 matches)
    deny ip any any log (58 matches)

BEGIN TEST SEGMENT OF LAB
labB#telnet 195.1.1.4
Trying 195.1.1.4 ... Open

User Access Verification
Username: pcb
Password:
[Connection to 195.1.1.4 closed by foreign host]  <-- This is correct to here.

Access list after performing the authentication --
labA#sh access-lists
Extended IP access list 100
    Dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
      permit tcp host 195.1.1.10 host 152.1.1.1 eq telnet log timeout 5 (time left 295)
    permit tcp any host 195.1.1.4 eq telnet log (48 matches)
    deny ip any any log (62 matches)

SECOND SEGMENT OF LAB
labB#
labB#telnet 152.1.1.1
Trying 152.1.1.1 ... Open

User Access Verification
 
Username: pcb
Password:
List#100-tempaccess already contains this IP address pair
[Connection to 152.1.1.1 closed by foreign host]
labB#



----CONFIGS----

ROUTER A CONFIG
labA#sh conf
Using 1078 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labA 
!
enable password cisco
!
username pcb password 0 pcb
username pcb autocommand access-enable timeout 5
ip subnet-zero
ip telnet source-interface Ethernet0
no ip domain-lookup
!
interface Ethernet0
 ip address 152.1.1.1 255.255.255.0
 no ip directed-broadcast
 no keepalive
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
no ip classless
ip route 150.1.1.0 255.255.255.0 Serial0
!
access-list 100 dynamic tempaccess permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
access-list 100 permit tcp any host 195.1.1.4 eq telnet log
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0   
line vty 0 4
 login local
!
end



ROUTER B CONFIG
 
labB#sh conf
Using 750 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labB
!
enable password cisco
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
 ip address 150.1.1.1 255.255.255.0
 no ip directed-broadcast
 no keepalive
!
interface Serial0
 ip address 195.1.1.10 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 500000
!
no ip classless
ip route 152.1.1.0 255.255.255.0 Serial0
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
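Editor's note on the output above (added here; not part of the original post or the lab book). The second telnet does get through the access list: the temporary entry on s0 permits 195.1.1.10 to 152.1.1.1 port 23, and the session opens and prompts for a login. What fails is the login itself. The only local user on router A is pcb, and that user carries `autocommand access-enable`, so logging in to router A's own vty as pcb runs access-enable a second time; the source/destination pair is already in the dynamic list, access-enable reports "already contains this IP address pair", and the autocommand session closes. Telnetting through router A to router C works because router C's login has no such autocommand. The following config fragment, an added example and not the book's solution, keeps the door-opening account separate from the account used for interactive logins to router A. Usernames, passwords and the 10-minute absolute timeout are placeholders chosen for the example.

```cisco
! Added example (editor's, not from the lab book or the original post).
! Router A: lock-and-key with the access-enable user separated from the
! interactive management user. Names and passwords are placeholders.
!
! This user's only job is to open the door. The autocommand runs
! access-enable and the vty session ends as soon as it returns.
! "host" limits the temporary entry to the telnet source address;
! "timeout 5" is the idle timeout of the created entry, in minutes.
username pcb password 0 pcb
username pcb autocommand access-enable host timeout 5
!
! Assumed second account for logging in to router A itself. It has no
! autocommand, so a login as this user never calls access-enable and
! never trips the "already contains this IP address pair" error.
username admin password 0 admin-pw
!
interface Serial0
 ip address 195.1.1.4 255.255.255.0
 ip access-group 100 in
!
! Template entry. "timeout 10" is the absolute lifetime of any entry
! access-enable instantiates from it, in minutes (assumed value).
access-list 100 dynamic tempaccess timeout 10 permit tcp host 150.1.1.1 host 152.1.1.1 eq telnet log
! Anyone may reach the serial address to authenticate.
access-list 100 permit tcp any host 195.1.1.4 eq telnet log
access-list 100 deny ip any any log
!
line vty 0 4
 login local
```

To exercise it: from router B, telnet to 195.1.1.4 and log in as pcb (the session closes itself once the entry is created), then telnet to 152.1.1.1 and log in as admin. `show access-lists 100` on router A shows the instantiated entry with its remaining time, and `clear access-template 100 tempaccess` removes it without waiting for the timeout.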




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48644&t=48644
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]