Lock and Key

August 7, 2008 at 5:25 pm | Posted in Blogroll, Security

The Lock-and-Key feature dynamically creates an ACL entry that allows additional access after a user successfully authenticates via telnet to the router.

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Part 3: Traffic Filtering, Firewalls, and Virus Detection
  • Configuring Lock-and-Key Security (Dynamic Access Lists)
  • Configuring Lock-and-Key

In the example below, R5 normally cannot reach R1, because R1 sits behind R4 and R4 blocks all external access except telnet to itself. Once a telnet login to R4 from R5 is successfully authenticated, additional access is opened through a dynamic ACL entry that permits ip any any. Only at that point can R5 telnet or HTTP to R1. All of the configuration is on R4.
! Local user; on a successful login the autocommand runs access-enable, which
! creates the dynamic entry. It is removed again after 5 minutes of no matching traffic.
username cisco password 0 cisco
username cisco autocommand access-enable timeout 5

! The same ACL is applied inbound on both external interfaces
interface Serial0/0.1 point-to-point
 ip access-group 100 in
interface Serial0/1
 ip access-group 100 in

! 10: telnet to R4 itself is the only access allowed before authentication
! 20: dynamic entry, inactive until populated by access-enable; 120 minutes is its absolute lifetime
! 30: keep the OSPF adjacencies up
access-list 100 permit tcp any host eq telnet
access-list 100 dynamic DOOR_OPEN timeout 120 permit ip any any
access-list 100 permit ospf any any

line vty 0 4
 login local

Trying …
% Destination unreachable; gateway or host down

Trying … Open

User Access Verification

Username: cisco
[Connection to closed by foreign host]

Trying … Open


R5#telnet 80
Trying, 80 … Open
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 06:52:40 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to closed by foreign host]

R4#sh access-list
Extended IP access list 100
10 permit tcp any host eq telnet (161 matches)
20 Dynamic DOOR_OPEN permit ip any any
permit ip any any (17 matches) (time left 296)
30 permit ospf any any (198 matches)
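As an added illustration (not from the original post), this Python model evaluates packets against R4's access-list 100 as configured above and shows how the two timers interact: the 5-minute idle timeout set by access-enable and the 120-minute absolute timeout on the dynamic entry. The page elides the addresses, so "R1" and "R4" stand in for the hosts, and the timeline is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Timers from the R4 configuration on this page (minutes): "access-enable timeout 5"
# is the idle timeout; "access-list 100 dynamic DOOR_OPEN timeout 120" the absolute one.
IDLE_TIMEOUT_MIN = 5
ABSOLUTE_TIMEOUT_MIN = 120
R4 = "R4"  # stands in for R4's address, which the page does not show


@dataclass
class LockAndKeyACL:
    """Model of access-list 100 on R4: two static entries around one dynamic entry."""
    opened_at: Optional[float] = None  # minute the dynamic entry was created
    last_hit: Optional[float] = None   # minute the dynamic entry last matched a packet

    def authenticate(self, now: float) -> None:
        self.opened_at = self.last_hit = now  # vty login succeeded, autocommand ran

    def _dynamic_active(self, now: float) -> bool:
        if self.opened_at is None:
            return False
        expired = (now - self.opened_at >= ABSOLUTE_TIMEOUT_MIN   # "timeout 120"
                   or now - self.last_hit >= IDLE_TIMEOUT_MIN)    # "access-enable timeout 5"
        if expired:
            self.opened_at = self.last_hit = None  # entry removed, the door is shut again
        return not expired

    def permit(self, proto: str, dst: str, dport: Optional[int], now: float) -> bool:
        """Evaluate one inbound packet against the ACL in entry order."""
        if proto == "tcp" and dst == R4 and dport == 23:  # 10: telnet to R4, the "door"
            return True
        if self._dynamic_active(now):                     # 20: dynamic permit ip any any
            self.last_hit = now
            return True
        if proto == "ospf":                               # 30: permit ospf any any
            return True
        return False                                      # implicit deny


def walkthrough() -> list:
    """Constructed timeline reproducing the page's session, then both timeouts firing."""
    acl, seen = LockAndKeyACL(), []
    seen.append(acl.permit("tcp", "R1", 23, now=0))   # denied: R1 is behind R4, door closed
    seen.append(acl.permit("tcp", R4, 23, now=0))     # permitted: telnet to R4 itself
    acl.authenticate(now=0)                           # "Username: cisco" succeeds
    seen.append(acl.permit("tcp", "R1", 80, now=1))   # permitted: HTTP to R1 now works
    seen.append(acl.permit("tcp", "R1", 23, now=7))   # denied: 6 idle minutes > 5, entry gone
    acl.authenticate(now=10)
    for t in range(14, 130, 4):                       # traffic every 4 min keeps the idle timer reset
        acl.permit("tcp", "R1", 23, now=t)
    seen.append(acl.permit("tcp", "R1", 23, now=130)) # denied: absolute 120 minutes reached
    return seen
```

Note that the dynamic entry is `permit ip any any`, so while it is open it matches traffic from any source, not only the host that authenticated.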