  • Status: Solved
  • Priority: Medium
  • Security: Public

EIGRP - LOCK & KEY - TEST QUERY

Hi, I've configured 2 routers with a host PC attached on either end of the 2 routers.

My instructions say that I should from host B - 192.168.3.2 'PING' 10.0.0.11 which will be unsuccessful.  This is correct and expected according to instructions.

It then states from host B - 192.168.3.2 to 'TELNET 192.168.1.2' - I am then prompted to log on and at the same time the system will log me off 'immediately'.  Not sure why even though it was expected according to my instructions...?

On host B 192.168.3.2 - I should repeat 'PING 10.0.0.11' - This ping should be 'SUCCESSFUL' - But it was not..?

What am I not understanding, as I'm completing these tasks inside the '2 mins' set on Sanjose1 config, which is supposed to leave the so-called 'Firewall open' for this time...?


Asked:
mikey250
 
Frabble Commented:
Sanjose1 logs you off immediately because this is the expected action with "autocommand access-enable".
You've configured it on the vty lines so this will apply for any telnet connection and will stop administrative access for example.
Best to remove it and configure it just for the user which will enable you to set an idle timeout:
username ernie autocommand access-enable host timeout 10

Do you actually have a host 10.0.0.11 configured correctly connected to Ethernet0?
Take the access list off Serial0 and see if you can successfully ping between the 2 hosts first.
 
mikey250 Author Commented:
Hi, yes, Sanjose1 logs off immediately as my instructions expect..

Yes this is so I can telnet from host: 192.168.3.2

When you say configuring on 'vty lines' will apply for 'any' telnet connection 'and' will 'stop' admin access - I presume you mean as I've added a 'specific user'?

Best to remove it and configure it just for the user which will enable you to set an idle timeout, not sure what you mean as on 'sanjose1' I added:

line vty 0 4 autocommand access-enable host timeout 2 - ?

I then tried:

line vty 0 4
username ernie autocommand access-enable host timeout 10 - This command was not accepted if this is what you meant.. ?

Yes I have a host: 10.0.0.11 configured correctly ie:
& Yes Vista could ping Sanjose1 and vice versa prior to 'ACL'
Vista can still ping 192.168.3.1
Sanjose1 can still ping 10.0.0.1

Same issue..!
 
mikey250 Author Commented:
My instructions state that I should expect the following from host 192.168.3.2:

- Ping 10.0.0.11 - This should fail
- Telnet 192.168.1.2 - logon with configured 'username & password' and logs out immediately - correct
- Ping 10.0.0.11 - This should be successful this time - but is NOT?
 
Frabble Commented:
Without the access list applied on the interface, from host 192.168.3.2 can you ping 10.0.0.11?
 
mikey250 Author Commented:
Hi Frabble,  Yes definitely...!!!!  There was no other config in place as it is a blank config except specifically for this scenario....!!!  Everything worked when tested as mentioned earlier except for the 2nd ping attempt that was supposed to be successful..  As per config attached on main thread.

 
mikey250 Author Commented:
Correction on my last comment...all connections are showing as up/up but obviously I cannot ping from host B direct to host A but can ping the 'Eth' interfaces...and vice versa....!
 
Frabble Commented:
Simply, if you cannot ping host A from host B with the access list taken off then the ping test to confirm that lock and key works with it in place will also fail.

From the details you posted the routes appear OK so I believe there is another issue.
You should be able to ping host A from sanjose1. If this fails then check that host A has the correct IP address and mask. Also check if there is any firewall running on host B that is dropping the incoming pings.

Assuming you get responses to pings from sanjose1, with the access group taken off sanjose1 serial0, you should be able to ping host A from vista. If this fails then check you have a default gateway configured on host A with sanjose1's address 10.0.0.1. If it works then you should be able to successfully ping from host B to A.

Put the access group back in place and redo the lock and key test.
 
mikey250 Author Commented:
Hi Frabble, last night I did 'erase startup' so now I have a completely empty router.  I've only added the following:

The 2500 router I'm using uses AUIs as the Ethernet interface and it doesn't allow me to add: duplex full or half, and auto is not in the list either..straight-thru doesn't work obviously....

Config t
hostname VISTA
int Eth0
ip address 10.0.0.1 255.0.0.0
no shut

Host pc
ip address 10.0.0.11 255.0.0.0
sm: 255.255.255.0
dg: 10.0.0.1

I can ping the router from the host pc
I can ping the router Int Eth
I cannot ping the host pc from the router
I've removed my x-over cable and plugged in the last new one I have but same thing.....
You've got me confused now, isn't that right..?

So what is wrong, you think?
 
mikey250 Author Commented:
correction :

host pc
ip: 10.0.0.11
sm: 255.0.0.0
dg: 10.0.0.1

still same issue...........!!!!!!!
 
mikey250 Author Commented:
Hi, my apologies, yes you were right. I switched 'Firewall off' and I can now ping 'host pc from my router'....

My Host XP pc has no configurations on it and this has never happened before and the only thing I can think has happened is that I've not only installed SP3, I've also downloaded all the updates, so I think this must be an added update that has downloaded for obvious reasons and it would be the 'Network Admin' to allow this in the 'Exceptions' tab for eg.

All good.

I will now configure the rest and test the lock and key now...............:))
 
mikey250 Author Commented:
Yes it works perfect.........!!!!!:))))))
 
mikey250 Author Commented:
One more question....if a user from anywhere in the world set their pc to a specific ip address, subnet mask & dg and knew the logon details if any set and within whatever time was set to logon, could they then access this?

Unless an ISP blocks specific addresses just like in some Communist type countries...
 
Frabble Commented:
Yes, you should be able to use the above for PCs from anywhere. They wouldn't need to have a fixed address, you could allow for any to your host/network and just rely on the username and password. Obviously you would need to use public addresses and not the private ones used in the test.
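
The lock-and-key setup discussed in this thread, as an added example that is not part of the original posts or the poster's attached configuration: it contrasts `autocommand` on the vty lines with the per-user form suggested in the first answer, and shows what the `host` keyword changes when access is opened to arbitrary source addresses. ACL number 101, the list name LOCKKEY, the password placeholder, the EIGRP permit line and the assumption that 192.168.1.2 is sanjose1's Serial0 address are illustrative.

```cisco
! Added example for sanjose1. Assumptions (not from the thread): ACL 101,
! list name LOCKKEY, the password placeholder, EIGRP running over Serial0,
! and 192.168.1.2 being sanjose1's Serial0 address.
!
! --- Form described in the thread: autocommand on every vty line ---
! Each Telnet login runs access-enable and is then disconnected, so no
! session on vty 0-4 ever reaches an exec prompt for administration.
!   line vty 0 4
!    login local
!    autocommand access-enable host timeout 2
!
! --- Per-user form: only "ernie" triggers the temporary entry ---
username ernie password <PASSWORD-PLACEHOLDER>
username ernie autocommand access-enable host timeout 10
!
line vty 0 4
 login local
 no autocommand
!
! Inbound filter on the link facing vista / host B (192.168.3.2).
! Keep the routing protocol alive: the implicit deny at the end of the
! list would otherwise drop EIGRP hellos arriving on Serial0.
access-list 101 permit eigrp any any
! Let users reach the router's Telnet prompt so they can authenticate.
access-list 101 permit tcp any host 192.168.1.2 eq telnet
! Template for the temporary entry. "timeout 120" is the absolute lifetime
! in minutes; the "timeout 10" on access-enable is the idle timeout and
! must be the smaller of the two.
access-list 101 dynamic LOCKKEY timeout 120 permit ip any any
!
interface Serial0
 ip access-group 101 in
!
! "host" on access-enable narrows the temporary entry to the source
! address that authenticated. Without it, the entry is created exactly as
! the template reads (here: any source), so one login opens the path for
! every address the template matches.
!
! Verification after a successful Telnet login from 192.168.3.2:
!   show access-lists 101   (temporary permit appears under the dynamic entry)
```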