Lock and Key
August 7, 2008 at 5:25 pm | In Blogroll, Security

The Lock & Key feature dynamically creates an ACL entry that allows additional access after a user successfully authenticates to the router via telnet.
Doc CD Navigation
- Cisco IOS Security Configuration Guide, Release 12.4
- Part 3: Traffic Filtering, Firewalls, and Virus Detection
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- Configuring Lock-and-Key
In the example below, R5 normally cannot reach R1, because R1 sits behind R4, which blocks all external access except telnet traffic to R4 itself. Once a telnet session from R5 to R4 authenticates successfully, additional access is opened through a dynamic ACL entry that permits ip any any. Only at that point can R5 telnet or HTTP to R1. All of the configuration is on R4.
R4#
!
username cisco password 0 cisco
username cisco autocommand access-enable timeout 5
interface Serial0/0.1 point-to-point
ip access-group 100 in
!
interface Serial0/1
ip access-group 100 in
!
access-list 100 permit tcp any host 150.1.4.4 eq telnet
access-list 100 dynamic DOOR_OPEN timeout 120 permit ip any any
access-list 100 permit ospf any any
line vty 0 4
login local
R5#telnet 150.1.4.1
Trying 150.1.4.1 …
% Destination unreachable; gateway or host down
R5#telnet 150.1.4.4
Trying 150.1.4.4 … Open
User Access Verification
Username: cisco
Password:
[Connection to 150.1.4.4 closed by foreign host]
R5#telnet 150.1.4.1
Trying 150.1.4.1 … Open
R1#exit
R5#telnet 150.1.4.1 80
Trying 150.1.4.1, 80 … Open
/GET
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 06:52:40 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 150.1.4.1 closed by foreign host]
R4#sh access-list
Extended IP access list 100
10 permit tcp any host 150.1.4.4 eq telnet (161 matches)
20 Dynamic DOOR_OPEN permit ip any any
permit ip any any (17 matches) (time left 296)
30 permit ospf any any (198 matches)
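Added example, not part of the original post or of Cisco's own code: a small Python model of the matching and the two timers that the R4 configuration above relies on. The absolute timeout (120 minutes on the dynamic line) and idle timeout (5 minutes from access-enable) come from the post; the per_host flag models the access-enable host keyword, which the post's configuration does not use, and the hosts 150.1.5.5 and 150.1.6.6 and the minute-based timeline are constructed.

```python
from dataclasses import dataclass, field
R4, R1 = "150.1.4.4", "150.1.4.1"   # addresses from the post

@dataclass
class DynamicEntry:
    src: str          # "any", or one authenticated host when 'host' is used
    created: float    # minutes since the scenario started
    last_hit: float
    absolute: float   # "access-list 100 dynamic DOOR_OPEN timeout 120"
    idle: float       # "autocommand access-enable timeout 5"
    def alive(self, now: float) -> bool:
        return now - self.created < self.absolute and now - self.last_hit < self.idle

@dataclass
class LockAndKey:
    absolute_timeout: float = 120.0
    idle_timeout: float = 5.0
    per_host: bool = False    # True models "access-enable host timeout 5" (assumed)
    entries: list = field(default_factory=list)

    def authenticate(self, src: str, now: float) -> None:
        """A successful telnet login to R4 runs the autocommand: open the door."""
        match = src if self.per_host else "any"
        self.entries.append(DynamicEntry(match, now, now,
                                         self.absolute_timeout, self.idle_timeout))

    def permits(self, src: str, dst: str, proto: str, port: int, now: float) -> bool:
        # line 10: telnet to the router itself is always allowed (the "key")
        if proto == "tcp" and dst == R4 and port == 23:
            return True
        # line 20: dynamic entries, dropped once either timer has expired
        self.entries = [e for e in self.entries if e.alive(now)]
        for e in self.entries:
            if e.src in ("any", src):
                e.last_hit = now      # matching traffic resets the idle timer
                return True
        # line 30: routing protocol traffic keeps flowing regardless
        return proto == "ospf"

def door_scenario(per_host: bool) -> dict:
    """Constructed timeline: R5 (150.1.5.5) authenticates, another host follows."""
    acl = LockAndKey(per_host=per_host)
    r5, other = "150.1.5.5", "150.1.6.6"
    result = {"before": acl.permits(r5, R1, "tcp", 23, 0)}
    acl.authenticate(r5, 1)
    result["r5_after"] = acl.permits(r5, R1, "tcp", 80, 2)
    result["other_host"] = acl.permits(other, R1, "tcp", 23, 3)
    result["after_idle"] = acl.permits(r5, R1, "tcp", 23, 9)   # 6 min idle
    return result
```

With per_host left at False, as on R4 above, door_scenario shows that once R5 has authenticated, any other source host is permitted as well until the entry ages out; with per_host True only the authenticated host gets through.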
Blog at WordPress.com.