
6.1 and 6.2 Solutions?
Hi,
After doing this task badly I finally got a solution that I thought works based upon a couple of the threads here.
1 - Access-class for all VTY lines to restrict the allowed TCP port access to 23 and 3023
2 - Set the autocommand on the VTY line with port 23 access only.
The problem is, if you telnet to port 23 and authenticate as NOC, you will trigger the dynamic firewall exception. Task failed!
Has anyone done the work to solve this with AAA to allow only RDP access to port 23 and, if so, can they post it?
Thanks in advance and here's what I had.
Rack1SW1#sh run | s line vty
line vty 0
access-class VTY0 in
login local
autocommand access-enable host
line vty 1 4
access-class VTY14 in
login local
rotary 23
...
username NOC password 0 CISCO
username RDP password 0 CISCO
Extended IP access list VTY0
10 permit tcp any any eq telnet
Extended IP access list VTY14
10 permit tcp any any eq 3023
Rack1SW1#
Comments
So, are you abstaining from looking at the solutions guide for the lab? ;)
Oops, have I missed something? Does the SG fulfil the task requirements with regards to only allowing port 23 for vty 0? Access-list 100 is applied only to vty 1 4 and permits 23 and 3023?
Thanks!
The restriction was Telnet at port 23 should be used just for authentication of the RDP firewall exception.
The first VTY line (VTY 0) is left with the autocommand access-enable command. All users that telnet to the router at port 23 will hit this line.
My only hangup would be: if two users hit the router simultaneously, would not the second user go to VTY 1, which does not have the autocommand access-enable anymore?
And if you hit port 23 and authenticate as NOC, you then activate the access-enable host command?
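To make the two concerns in this thread concrete (NOC authenticating on port 23 opening the exception, and where a second port-23 user lands while VTY 0 is busy), here is a small Python model of the posted config. It is added here and is not from the original posts or from Cisco; it assumes IOS gives a new session the lowest free VTY line that listens on the destination port and then evaluates that line's access-class, and that "rotary 23" makes a line listen on TCP 3023.

```python
from dataclasses import dataclass
from typing import Optional

ACCESS_ENABLE = "access-enable host"  # the lock-and-key autocommand used in the thread

@dataclass
class VtyLine:
    number: int
    permitted_ports: set                # TCP ports permitted by the line's access-class
    autocommand: Optional[str] = None
    rotary: Optional[int] = None        # assumption: 'rotary N' also listens on TCP 3000+N
    busy: bool = False

def op_config():
    """The posted config: VTY 0 permits port 23 and runs the autocommand; VTY 1-4 permit 3023 only."""
    lines = [VtyLine(0, {23}, autocommand=ACCESS_ENABLE)]
    lines += [VtyLine(n, {3023}, rotary=23) for n in range(1, 5)]
    return lines

def connect(lines, user, dst_port):
    """Assumed IOS behaviour: the session takes the lowest free line listening on dst_port,
    then that line's access-class is checked; a line that denies the port refuses the session."""
    listening = [ln for ln in lines
                 if dst_port == 23 or (ln.rotary is not None and 3000 + ln.rotary == dst_port)]
    free = [ln for ln in listening if not ln.busy]
    if not free:
        return {"user": user, "line": None, "result": "no free line", "exception_opened": False}
    line = free[0]
    if dst_port not in line.permitted_ports:
        return {"user": user, "line": line.number, "result": "denied by access-class",
                "exception_opened": False}
    line.busy = True   # 'login local' accepts any configured user, so NOC and RDP behave alike
    return {"user": user, "line": line.number, "result": "connected",
            "exception_opened": line.autocommand == ACCESS_ENABLE}

def noc_on_port_23():
    """The 'Task failed' case: NOC authenticating on port 23 opens the exception."""
    return connect(op_config(), "NOC", 23)

def second_user_on_port_23():
    """The 'two users at once' concern: VTY 0 is busy, so the next port-23 session tries VTY 1."""
    lines = op_config()
    connect(lines, "RDP", 23)
    return connect(lines, "NOC", 23)

if __name__ == "__main__":
    print("NOC on 23  :", noc_on_port_23())
    print("NOC on 3023:", connect(op_config(), "NOC", 3023))
    print("2nd on 23  :", second_user_on_port_23())
```

Under these assumptions the second port-23 user is refused by the VTY14 access-class rather than getting a line without the autocommand, while any user who can log in on VTY 0 opens the exception.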