RE: Please help with Terminal Server posted 06/07/2007


In my lab environment, I configure an ACL to block that traffic.

ip access-list extended block20xx
 deny   tcp any host xxx.xxx.xxx.xxx range 2066 2097
 permit ip any any

Then apply it to the interface:

int f0/0
 ip access-group block20xx in

You can use your DOS prompt to try to telnet to those ports, and
use show ip access-list block20xx to verify that.

-BQ
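A coverage check for the ACL approach above, added here as an example and not part of BQ's message or the thread. It assumes Cisco's reverse-connect port mapping of base plus absolute line number (2000 for Telnet, 4000 for raw TCP, 6000 for binary-mode Telnet) and a constructed placeholder address (192.0.2.10); it reports which line ports a deny range still leaves reachable, which is the case when the range does not match the terminal server's line numbers or covers only the 2000 range.

```python
import re

# Reverse-connect port bases on a Cisco terminal server (assumed here):
# TCP port = base + absolute line number. A deny that only covers the
# 2000 range leaves the raw-TCP and binary-mode ports for the same lines open.
PORT_BASES = {"telnet": 2000, "raw-tcp": 4000, "binary": 6000}

# Matches the single ACE shape used in the thread:
#   deny tcp any host <ip> range <lo> <hi>
ACE_RE = re.compile(
    r"^\s*deny\s+tcp\s+any\s+host\s+(\S+)\s+range\s+(\d+)\s+(\d+)\s*$"
)

def blocked_ports(acl_text):
    """Return the set of destination TCP ports the ACL's deny entries cover."""
    ports = set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            lo, hi = int(m.group(2)), int(m.group(3))
            ports.update(range(lo, hi + 1))
    return ports

def exposed_reverse_ports(acl_text, first_line, last_line):
    """Map each async line in [first_line, last_line] to its three
    reverse-connect ports and return the ones the ACL does not deny,
    keyed by service name. An empty dict means every port is covered."""
    blocked = blocked_ports(acl_text)
    exposed = {}
    for name, base in PORT_BASES.items():
        open_ports = [base + n for n in range(first_line, last_line + 1)
                      if base + n not in blocked]
        if open_ports:
            exposed[name] = open_ports
    return exposed

# Constructed sample: the thread's ACL with a placeholder target address.
SAMPLE_ACL = """ip access-list extended block20xx
 deny   tcp any host 192.0.2.10 range 2066 2097
 permit ip any any
"""

if __name__ == "__main__":
    # Lines 66-97 match the deny range, yet two port families stay reachable.
    for name, ports in exposed_reverse_ports(SAMPLE_ACL, 66, 97).items():
        print(f"{name}: {len(ports)} ports still reachable, e.g. {ports[:3]}")
```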

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Ronnie Higginbotham
Sent: 28 May, 2007 7:49 PM
To: nhatphuc; Ronnie Higginbotham; Cisco certification
Subject: Re: Please help with Terminal Server

In the real world you would more than likely apply AAA to all devices, which
will require you to authenticate on r1 once you reverse telnet to it,
depending on how the remote router's AAA is configured.

Ronnie


----- Original Message ----- 
From: "nhatphuc" <nhatphuc@xxxxxxxxx>
To: "Ronnie Higginbotham" <rhigginb@xxxxxxxxxx>; "Cisco certification" 
<ccielab@xxxxxxxxxxxxxx>
Sent: Sunday, May 27, 2007 11:04 PM
Subject: Re: Please help with Terminal Server


> Hi Ronnie,
>
> With the second test, I "reverse" telnet directly into devices through
> TS from a PC, the command is: c:\> telnet terminal_server 2001
>
> This brings me directly to the router on line 2001 without authentication.
>
> How can I prevent this?
>
> Phuc
>
> On 5/28/07, Ronnie Higginbotham <ronniepaul@xxxxxxxxxxx> wrote:
>> Just so I understand: you have already telneted into your access/terminal
>> server and then typed telnet r1, which takes you to router 1, which now has
>> no re-authentication applied to the line port.
>>
>> Then as a second test you retelneted into your access/terminal server and
>> typed your username and password. Once authenticated you typed telnet
>> terminal_server 2001? Which does the same thing as above, as 2001 will equal
>> r1.
>> So in summary the answer to your question will be no, there is no way to
>> prevent this.
>>
>> Ronnie
>>
>> ----- Original Message -----
>> From: "nhatphuc" <nhatphuc@xxxxxxxxx>
>> To: "Ronnie Higginbotham" <rhigginb@xxxxxxxxxx>; "Cisco certification"
>> <ccielab@xxxxxxxxxxxxxx>
>> Sent: Sunday, May 27, 2007 12:56 PM
>> Subject: Re: Please help with Terminal Server
>>
>>
>> > Hi Ronnie,
>> >
>> > This will disable authentication when I reverse telnet.
>> >
>> > But if I telnet directly to the tty line like this: telnet terminal_server
>> > 2001, the terminal server will let me in without asking for the
>> > username/password.
>> >
>> > Is there any way to prevent this?
>> >
>> > Thanks
>> >
>> > Phuc
>> >
>> > On 5/27/07, Ronnie Higginbotham <ronniepaul@xxxxxxxxxxx> wrote:
>> >> Phuc,
>> >>
>> >> Try this
>> >>
>> >> aaa authentication login NONE none
>> >>
>> >> line 1 16 <<<<Port numbers could vary
>> >>  login authentication NONE
>> >>
>> >> Ronnie
>> >> CCIE 13834
>> >>
>> >> ----- Original Message -----
>> >> From: "nhatphuc" <nhatphuc@xxxxxxxxx>
>> >> To: "Darby Weaver" <darbyweaver@xxxxxxxxx>; "Cisco certification"
>> >> <ccielab@xxxxxxxxxxxxxx>
>> >> Sent: Saturday, May 26, 2007 1:51 PM
>> >> Subject: Re: Please help with Terminal Server
>> >>
>> >>
>> >> > Hi Darby,
>> >> >
>> >> > I can configure this with ACS Server using tacacs+ autocommand AV
>> >> > pair. But I want to disable some messages and extra authentication
>> >> > when reverse telnetting to router. I've asked this in separate
>> >> > mails.
>> >> >
>> >> > If you know how to do this, please help me.
>> >> >
>> >> > Thanks
>> >> >
>> >> > Phuc
>> >> >
>> >> > On 5/26/07, nhatphuc <nhatphuc@xxxxxxxxx> wrote:
>> >> >> Hi Darby,
>> >> >>
>> >> >> I've just seen it here:
>> >> >>
>> >> >> http://www.internetworkexpert.com/resources/termserv.htm
>> >> >>
>> >> >> Phuc
>> >> >>
>> >> >>
>> >> >> On 5/26/07, Darby Weaver <darbyweaver@xxxxxxxxx> wrote:
>> >> >> > Did you see this on a lab recently?
>> >> >> >
>> >> >> > Out of my experience - I have not enabled aaa for term
>> >> >> > servers at home to try it out.
>> >> >> >
>> >> >> > What do you get?
>> >> >> >
>> >> >> > If the option exists then that would likely be the
>> >> >> > one.
>> >> >> >
>> >> >> > Darby
>> >> >> > --- nhatphuc <nhatphuc@xxxxxxxxx> wrote:
>> >> >> >
>> >> >> > > Hi Darby,
>> >> >> > >
>> >> >> > > It works if I configure:
>> >> >> > >
>> >> >> > > line vty 0 4
>> >> >> > > login local
>> >> >> > >
>> >> >> > > But it doesn't if:
>> >> >> > >
>> >> >> > > aaa new-model
>> >> >> > > aaa authentication login TELNET local
>> >> >> > > line vty 0 4
>> >> >> > > login authentication TELNET
>> >> >> > >
>> >> >> > > Do I have to enable aaa authorization reverse-access
>> >> >> > > TELNET?
>> >> >> > >
>> >> >> > > Thanks
>> >> >> > >
>> >> >> > > Phuc
>> >> >> > >
>> >> >> > >
>> >> >> > >
>> >> >> > > On 5/26/07, Darby Weaver <darbyweaver@xxxxxxxxx>
>> >> >> > > wrote:
>> >> >> > > > Let me take a stab at this one:
>> >> >> > > >
>> >> >> > > > username R1 password cisco
>> >> >> > > > username R1 autocommand R1 or Telnet R1
>> >> >> > > >
>> >> >> > > > username All password cisco
>> >> >> > > > username All autocommand x.x.x.x or Telnet x.x.x.x
>> >> >> > > >
>> >> >> > > > username R2 password cisco
>> >> >> > > > username R2 autocommand R2 or Telnet R2
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > line vty 0 4
>> >> >> > > > login local
>> >> >> > > >
>> >> >> > > > Try this and let me know if doesn't work.
>> >> >> > > >
>> >> >> > > > Now you switch R1 for the loopback:2001
>> >> >> > > > And R2 for loopback:2002
>> >> >> > > >
>> >> >> > > > Exchange loopback for whatever IP Address you used for
>> >> >> > > > the reverse telnet IP Address.
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > And you could wrap an acl around it and/or perhaps use
>> >> >> > > > SSH depending on if your TS supports SSH.
>> >> >> > > >
>> >> >> > > > Check me on this - since I am shooting from the hip.
>> >> >> > > > There may be one more step, but I think this will do what
>> >> >> > > > you require.
>> >> >> > > >
>> >> >> > > > Let us know if I missed anything please.
>> >> >> > > >
>> >> >> > > > Darby
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > --- nhatphuc <nhatphuc@xxxxxxxxx> wrote:
>> >> >> > > >
>> >> >> > > > > Hi Group,
>> >> >> > > > >
>> >> >> > > > > I'm setting up my Terminal Server. How do I
>> >> >> > > > > configure for this requirement?
>> >> >> > > > >
>> >> >> > > > > If I login using username all it will connect to
>> >> >> > > > > terminal server
>> >> >> > > > > If I login using username r1 it will connect
>> >> >> > > > > directly to r1
>> >> >> > > > > If I login using username r2 it will connect
>> >> >> > > > > directly to r2
>> >> >> > > > > .....
>> >> >> > > > >
>> >> >> > > > > I'm trying to use username.... autocommand, but it
>> >> >> > > > > doesn't work.
>> >> >> > > > >
>> >> >> > > > > Thanks
>> >> >> > > > >
>> >> >> > > > > Phuc
>> >> >> > > > >
>> >> >> > > > >

_______________________________________________________________________
Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html
