Lock and Key

August 7, 2008 at 5:25 pm | Posted in Blogroll, Security

The lock-and-key feature dynamically creates an ACL entry that allows additional access after a user successfully authenticates via Telnet.

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Part 3: Traffic Filtering, Firewalls, and Virus Detection
  • Configuring Lock-and-Key Security (Dynamic Access Lists)
  • Configuring Lock-and-Key

In the example below, R5 normally cannot reach R1, because R1 sits behind R4, which blocks all external access except Telnet to R4 itself. However, once R5 successfully authenticates via Telnet to R4, additional access is opened by a dynamic ACL entry that permits ip any any. Only at that point can R5 telnet or HTTP to R1. All of the configuration is on R4.
R4#
!
username cisco password 0 cisco
username cisco autocommand access-enable timeout 5

interface Serial0/0.1 point-to-point
ip access-group 100 in
!
interface Serial0/1
ip access-group 100 in
!
access-list 100 permit tcp any host 150.1.4.4 eq telnet
access-list 100 dynamic DOOR_OPEN timeout 120 permit ip any any
access-list 100 permit ospf any any

line vty 0 4
login local

R5#telnet 150.1.4.1
Trying 150.1.4.1 …
% Destination unreachable; gateway or host down

R5#telnet 150.1.4.4
Trying 150.1.4.4 … Open

User Access Verification

Username: cisco
Password:
[Connection to 150.1.4.4 closed by foreign host]

R5#telnet 150.1.4.1
Trying 150.1.4.1 … Open

R1#exit

R5#telnet 150.1.4.1 80
Trying 150.1.4.1, 80 … Open
/GET
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 06:52:40 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 150.1.4.1 closed by foreign host]

R4#sh access-list
Extended IP access list 100
10 permit tcp any host 150.1.4.4 eq telnet (161 matches)
20 Dynamic DOOR_OPEN permit ip any any
permit ip any any (17 matches) (time left 296)
30 permit ospf any any (198 matches)
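The timer behaviour seen in the output above (the entry appears only after the login, and "time left 296" counts down from the 5-minute idle timeout), as an added Python model written for this post; it is not Cisco code. The ACL entries mirror R4's access-list 100, times are in seconds, and the way "time left" is derived is an assumption noted in the code.

```python
from dataclasses import dataclass

ABS_TIMEOUT = 120 * 60   # 'dynamic DOOR_OPEN timeout 120' is an absolute limit in minutes
IDLE_TIMEOUT = 5 * 60    # 'access-enable timeout 5' is an idle limit in minutes


@dataclass
class DynamicEntry:
    created: float    # when access-enable ran
    last_hit: float   # last packet that matched the dynamic entry


class LockAndKeyAcl:
    """Mirrors R4's access-list 100, evaluated top-down; times are seconds."""

    def __init__(self):
        self.door = None  # the DOOR_OPEN entry exists only after authentication

    def access_enable(self, now):
        """Runs as the autocommand after a successful vty login on R4."""
        self.door = DynamicEntry(created=now, last_hit=now)

    def _door_active(self, now):
        d = self.door
        if d is None:
            return False
        if now - d.created >= ABS_TIMEOUT or now - d.last_hit >= IDLE_TIMEOUT:
            self.door = None  # IOS removes the entry when either timer expires
            return False
        return True

    def time_left(self, now):
        """Seconds shown as '(time left N)' in 'show access-list'; modelled here
        as the smaller of the two remaining timers (an assumption about the display)."""
        if not self._door_active(now):
            return 0
        d = self.door
        return min(ABS_TIMEOUT - (now - d.created), IDLE_TIMEOUT - (now - d.last_hit))

    def permits(self, proto, dst, dport, now):
        # 10 permit tcp any host 150.1.4.4 eq telnet  (the only way in before login)
        if proto == "tcp" and dst == "150.1.4.4" and dport == 23:
            return True
        # 20 Dynamic DOOR_OPEN permit ip any any: it is 'any any', so once open
        # it admits traffic from any source, not only the host that logged in
        if self._door_active(now):
            self.door.last_hit = now  # matching traffic resets the idle timer
            return True
        # 30 permit ospf any any
        if proto == "ospf":
            return True
        return False  # implicit deny at the end of every IOS ACL
```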
