Here is the example I am following, pretty much to a T, except I am doing BGP for routing protocol and the topology is different.
Lock-and-Key: Dynamic Access Lists
Here is my topology:
[R1]----[R2]----[R3]
The goal is to prevent R1 from telnetting to R3 (172.12.23.3) unless it has authenticated to R2 first, via telnet. All configuration is on R2, but remember to configure your vty on R3.
First create a username and password on R2
R2(config)#username test password test
Next, set up the router to allow access once a telnet session is established:
R2(config)#line vty 0 4
R2(config-line)#autocommand access-enable
R2(config-line)#login local
Next create and apply the ACL. Note that I am using BGP for a routing protocol and I need to allow that before anything else is configured.
R2(config)#access-list 120 permit tcp any any eq bgp
R2(config)#access-list 120 permit tcp any eq bgp any eq bgp
R2(config)#access-list 120 dynamic testlist timeout 15 permit ip any any
R2(config)#access-list 120 permit tcp any host 172.12.12.2 eq telnet
R2(config)#int s1/0
R2(config-if)#ip access-group 120 in
Let's try to telnet to R3 from R1:
R1#telnet 172.12.23.3
Trying 172.12.23.3 ...
% Destination unreachable; gateway or host down
R1#
Now let's telnet to R2 first, notice that our session gets dropped immediately:
R1#telnet 172.12.12.2
Trying 172.12.12.2 ... Open
User Access Verification
Username: test
Password:
[Connection to 172.12.12.2 closed by foreign host]
R1#
Now let's try and telnet to R3:
R1#telnet 172.12.23.3
Trying 172.12.23.3 ... Open
User Access Verification
Password:
R3>
Perfect! Some things to remember about lock and key are:
1) always allow your routing protocol at the top (lines 1 and 2 of the ACL)
2) allow telnet to the local router interface (line 4 of the above ACL)
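As an added illustration (my own Python model, not Cisco code and not part of the original post), here is how IOS walks access-list 120 from above: the dynamic entry matches nothing until access-enable runs on a successful login, the temporary entry it creates lapses after the 15-minute idle timeout, and the order of the entries is what keeps BGP and the telnet to R2 itself reachable. The model also carries the optional host keyword of access-enable, which scopes the temporary entry to the host that logged in; the autocommand in the post omits it, so the entry is created as the dynamic statement is written. Addresses, port numbers and minute counters below are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

BGP, TELNET = 179, 23

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol, else e.g. "tcp"
    src: str = "any"                  # "any" or a host address
    dst: str = "any"
    sport: Optional[int] = None       # None = any source port
    dport: Optional[int] = None       # None = any destination port
    dynamic: bool = False             # the lock-and-key placeholder entry

@dataclass
class LockAndKeyAcl:
    aces: list
    idle_timeout: int                          # minutes, from "timeout 15"
    temp: dict = field(default_factory=dict)   # temporary entry source -> last hit (minute)

    def access_enable(self, src, now, host=True):
        # What "autocommand access-enable" does after a successful vty login. With the
        # "host" keyword the temporary entry is scoped to the host that logged in; without
        # it (as in the post) it is created as the dynamic statement is written: "any".
        self.temp[src if host else "any"] = now

    def check(self, proto, src, dst, sport, dport, now):
        for ace in self.aces:
            if ace.dynamic:
                key = src if src in self.temp else "any"
                last = self.temp.get(key)
                if last is None or now - last > self.idle_timeout:
                    self.temp.pop(key, None)   # never enabled, or idle timeout expired
                    continue
                self.temp[key] = now           # matching traffic refreshes the idle timer
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if ace.src not in ("any", src) or ace.dst not in ("any", dst):
                continue
            if ace.sport not in (None, sport) or ace.dport not in (None, dport):
                continue
            return ace.action
        return "deny"                          # implicit deny at the end of every ACL

# access-list 120 from the post, in the order it was entered
ACL_120 = LockAndKeyAcl([
    Ace("permit", "tcp", dport=BGP),
    Ace("permit", "tcp", sport=BGP, dport=BGP),
    Ace("permit", "ip", dynamic=True),                      # dynamic testlist timeout 15
    Ace("permit", "tcp", dst="172.12.12.2", dport=TELNET),  # telnet to R2 itself
], idle_timeout=15)
```

Calling check() for R1's telnet to 172.12.23.3 returns "deny" until access_enable() has been called for R1, then "permit" until 15 idle minutes have passed; with host=False a second source is let through as well.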
Sunday, September 7, 2008