This is a basic example of a Dynamic ACL (Lock-and-Key) that grants web access to a remote server only after the user has authenticated. A host on R1's VLAN needs to reach a web server on R2's VLAN, and R2 holds the ACL: until someone telnets to R2 and logs in, web traffic is dropped; after the login a temporary entry is added that permits it. This is about as basic as it gets.

First, configure the access list on R2. The dynamic entry is the template for the temporary entry that Lock-and-Key adds after a successful login:

  • access-list 101 permit tcp any any eq 23 (Telnet has to be allowed through so users can reach R2 to authenticate. Strictly, this line is redundant here because of the permit ip any any at the bottom; whether you need it depends on how restrictive the rest of your ACL is.)
  • access-list 101 dynamic HTTP permit tcp any any eq 80 (This is the template for the temporary entry. We could restrict it to a specific host or subnet, but for this example anyone who can authenticate gets web access. Note that without a timeout keyword the temporary entry never expires on its own and has to be cleared by hand.)
  • access-list 101 deny tcp any any eq 80 (Web traffic from anyone who has not authenticated is blocked here.)
  • access-list 101 permit ip any any (Everything else inbound is allowed.)

Now configure the login. Normally I would authenticate everyone against my Active Directory, but local login is enough for this example. (In production prefer username r1 secret ..., which stores a hash rather than a cleartext or reversibly encoded password.)

  • username r1 password cisco

Apply the access list inbound on the interface facing R1, the untrusted side:

  • int s0/0
  • ip access-group 101 in

Now configure the vty (telnet) lines. autocommand access-enable runs as soon as a user logs in: it creates the temporary entry and then drops the telnet session. With it on all five vty lines nobody can telnet to R2 for management any more, so in practice keep at least one line without the autocommand for administrative access.

  • line vty 0 4
  • login local
  • autocommand access-enable

Now telnet to R2 from the host and authenticate. The session closes right away, and the host has access to the web server on the remote end.
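As an added example (not from the original post), here is R2's complete lock-and-key configuration with the weak settings from the walkthrough shown beside the corrected ones. It assumes Serial0/0 faces R1 as above, reuses the dynamic-entry name HTTP and the username r1, and treats 10.0.0.0/24 as a hypothetical management subnet and 10.1.1.5 as a hypothetical authenticating host.

```cisco
! Added example: R2 lock-and-key configuration, weak form beside the
! corrected form. Assumed: Serial0/0 faces R1; "HTTP" and "r1" are the
! names used in the walkthrough; 10.0.0.0/24 (management subnet) and
! 10.1.1.5 (authenticating host) are hypothetical.
!
! --- Weak form (as configured in the walkthrough) ---
! The template has no absolute timeout, the autocommand has neither "host"
! nor an idle timeout, and every vty runs it. Result: the first successful
! login adds "permit tcp any any eq www" for EVERY source address, the
! entry never expires on its own, and nobody can telnet in to manage R2.
!
!   access-list 101 dynamic HTTP permit tcp any any eq 80
!   line vty 0 4
!    login local
!    autocommand access-enable
!
! --- Corrected form ---
! "secret" stores a hash; "password" stores cleartext (or the reversible
! type 7 encoding when service password-encryption is on).
username r1 secret cisco
!
access-list 101 permit tcp any any eq 23
! "timeout 60": the temporary entry is removed 60 minutes after creation
! even if the user is still sending traffic (absolute timeout).
access-list 101 dynamic HTTP timeout 60 permit tcp any any eq 80
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
!
! Standard ACL for the admin vty (hypothetical management subnet).
access-list 10 permit 10.0.0.0 0.0.0.255
!
interface Serial0/0
 ip access-group 101 in
!
! vty 0-3: lock-and-key only. "host" substitutes the authenticating user's
! address for the template's source "any", so a login from 10.1.1.5 creates
! "permit tcp host 10.1.1.5 any eq www" instead of opening port 80 to
! everyone; "timeout 5" removes the entry after 5 idle minutes. The telnet
! session is dropped as soon as the autocommand has run.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: no autocommand, so it can be used to administer R2. "rotary 1"
! makes it reachable on TCP port 3001 (telnet <R2 address> 3001), so an
! admin does not land on vty 0 and get disconnected; access-class limits
! it to the management subnet.
line vty 4
 login local
 rotary 1
 access-class 10 in
!
! Verify, and remove the temporary entries before they time out if needed:
!   show access-lists 101
!   clear access-template 101 HTTP any any
```

Both timeouts matter: the idle timeout on access-enable closes the hole when the user walks away, and the absolute timeout on the dynamic statement bounds how long a single login is good for even if traffic keeps flowing. The credentials still travel in cleartext over telnet; the same vty configuration applies if you only permit SSH on the lines (transport input ssh), which is the better choice outside a lab.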

This is what our access-list should look like once we have authenticated:

10 permit tcp any any eq telnet (183 matches)
20 Dynamic HTTP permit tcp any any eq www
    permit tcp any any eq www (72 matches)
30 deny tcp any any eq www (9 matches)
40 permit ip any any

Notice the unnumbered permit tcp any any eq www entry under line 20: that is the temporary entry created by access-enable, and its match count shows the dynamic ACL is active. Because access-enable was used without the host keyword, the entry keeps the template's source of any, so it permits web traffic from every source address, not just from the host that logged in.

The temporary entry stays until it times out (if a timeout was configured) or until you clear it by hand with this command:

clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Comments

4 Responses to “Configuring Dynamic Access Lists (Lock-and-Key Security)”

  1. aragoen celtdra on July 1st, 2008 10:24 am

    I like the format of this write up! Suitable for your CCIE review but applicable for my CCNA/CCNP-level review.

  2. Daniel Craig on July 8th, 2008 3:59 am

    Hey, I was looking around for a while searching for server security and I happened upon this site and your post regarding Dynamic Access Lists (Lock-and-Key Security) | CCIE Journey. I will definitely add this to my server security bookmarks!

  3. Ummer on September 30th, 2011 11:38 am

    How to telnet the router on which we have done authentication ?

    In this scenario we telnet to router 2, then we are authenticated and we are allowed to telnet/www to the remote box.

    We want to enter router 2 after authentication.

    Here is our output

    R3#2.1.1.1
    Trying 2.1.1.1 … Open

    User Access Verification

    Username: admin
    Password:
    [Connection to 2.1.1.1 closed by foreign host]
    R3#2.1.1.1
    Trying 2.1.1.1 … Open

    User Access Verification

    Username: admin
    Password:
    % List#111-QQ already contains this IP address pair
    [Connection to 2.1.1.1 closed by foreign host]
    R3#

  4. andyo on April 7th, 2012 10:10 am

    Hi Ummer
    the answer is to apply autocommand access-enable (for temporary creation of the entry in the dynamic list) on limited vtys (say with the rotary command :O)
