Menu Close

Configuring complex dynamic ACL (Lock-and-Key)

In this article I will configure dynamic complex ACL (Lock and Key). This technique is described during CCNA4 Exploration.

About Lock and Key

Description from the cisco web

Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock-and-key is using IP dynamic extended access lists. When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can gain temporary access through the router. When triggered, lock-and-key reconfigures the interface’s existing IP access list to permit designated users to reach their designated host(s). Afterwards, lock-and-key reconfigures the interface back to its original state.

For a user to gain access to a host through a router with lock-and-key configured, the user must first open a Telnet session to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the user is authenticated, they will then gain temporary access through the router and be able to reach their destination host.

 

Topology

In this example I will use following topology emulated inside of the GNS3/Dynagen. Routers will have only basic configuration (IP adresses, names, RIP routing).

 

|—-FA0/0-(192.168.1.0/24)—-|Left|—-fa1/0—-(1.0.0.0/24)—-sfa0/0—-|Right|—-Fa1/0-(2.0.0.0/8)—-|

 

GNS3 config

autostart = True
[qemu localhost]
    workingdir = C:\Program Files\GNS3\labs\secure-lab_working
    udp = 20000
[localhost:7200]
    workingdir = C:\Program Files\GNS3\labs\secure-lab_working
    udp = 10000
    [[2621XM]]
        chassis = 2621XM
        image = C:\Program Files\Dynamips\images\c2600-adventerprisek9-mz.124-17.image
        ram = 128
        ghostios = True
        sparsemem = True
        idlepc = 0x80248674
    [[2691]]
        image = C:\Program Files\Dynamips\images\c2691-i-mz.123-22.image
        idlepc = 0x60559bc8
        ghostios = True
        sparsemem = True
    [[ROUTER R1]]
        model = 2691
        console = 2007
        f0/1 = R7 f0/0
        slot1 = NM-1FE-TX
        x = -107.0
        y = -38.0
    [[ROUTER R2]]
        model = 2621XM
        console = 2008
        f0/0 = R6 f0/1
        x = 43.0
        y = -106.0
[GNS3-DATA]
    configs = secure-lab_configs
    workdir = secure-lab_working

Basic router configuration

Configuration of the IP addressing and RIP v2 routing, everything works.

 

Router Left

interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.0.0.1 255.255.255.0
 speed auto
 half-duplex
!

router rip
 version 2
 network 1.0.0.0
 network 192.168.1.0
!

 

Router Right

interface FastEthernet0/0
 ip address 1.0.0.2 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 2.0.0.1 255.0.0.0
 duplex auto
 speed auto
 no keepalive
!
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
!

Configuring Lock and Key ACL

The example target is to unlock traffic for any traffic after telnet login.

 

I need to define the name of the user which may unlock the ACL

username palo password my_password

Then I will define ACL which consist of three entries, first entry will help pass RIP updates through the interface, next entry defines from which nets users may  do telnet login to unlock ACL. Third entry define dynamic ACL entry (template) which will be temporary installed after sucesfull login and executing access autocommand. It allows all IP traffic from any net to pass through the Left router. This entry is ignored tilll lock-and-key is not triggered.

access-list 111 permit udp any any 
access-list 111 permit tcp any host 1.0.0.1 eq telnet
access-list 111 dynamic my_dynamic permit ip any any
 

 There should be defined time period for which the temporary dynamic ACL created like :

access-list 111 dynamic my_dynamic timeout 120 permit ip any any

Next I will configure VTY line to use local authentication and autocommand execution, which will install Dynamic ACL entry after sucesfull telnet login.

line vty 0 4
 autocommand  access-enable timeout 5    
 login local 

and at last do not forget apply the ACL on the interface

 

From the web:

 

In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes affect and the session closes in 120 minutes.

After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.

 

 

Verifying the ACL

Left#sh access-lists 

Extended IP access list 111
    5 permit udp any any
    10 permit tcp any host 1.0.0.1 eq telnet
    20 Dynamic my_dynamic permit ip any any

Deleting dynamic ACL entries

Router# clear access-template [access-list-number | name] [dynamic-name] [source] [destination] 

or exactly in this example

Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any

Functionality testing

 

  1. No ACL applied, we will ping the fa 0/0 interface of the Left router
Right#ping 192.168.1.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!

 

  1. Without telnet login no connection from the Right router

First we will apply the ACL 111 on the fa0/1 interface of the Left router

Left(config-if)#int fa 0/1
Left(config-if)#ip access-group 111 in

there is no ping reply.

Right#ping 192.168.1.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Left#sh ip access-lists
Extended IP access list 111
    5 permit udp any any
    10 permit tcp any host 1.0.0.1 eq telnet
    20 Dynamic my_dynamic permit ip any any

3. now i will do telnet login from Right to unlock the ACL. The telnet session will be closed, but dynamic acl entry will be installed.

Right#1.0.0.1
Trying 1.0.0.1 ... Open

User Access Verification

Username: palo
Password:

[Connection to 1.0.0.1 closed by foreign host]

the dynamic entry is installed (yellow)

Left#sh ip access-lists
Extended IP access list 111
    5 permit udp any any (12 matches)
    10 permit tcp any host 1.0.0.1 eq telnet (81 matches)
    20 Dynamic my_dynamic permit ip any any
       permit ip 1.0.0.0 0.255.255.255 any 

ping will be sucesfull

Right#ping 192.168.1.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/39/73 ms
Right#
Left#sh ip access-lists
Extended IP access list 111
    5 permit udp any any (30 matches)
    10 permit tcp any host 1.0.0.1 eq telnet (81 matches)
    20 Dynamic my_dynamic permit ip any any
       permit ip 1.0.0.0 0.255.255.255 any (15 matches) (time left 264)

if I will clear dynamic entry now, the ping will fail

Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any
Right#ping 192.168.1.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 The command review

username palo password my_password

access-list 111 permit udp any any
access-list 111 permit tcp any host 1.0.0.1 eq telnet
access-list 111 dynamic my_dynamic permit ip any any
access-list 111 dynamic my_dynamic timeout 120 permit ip any any

line vty 0 4
 autocommand  access-enable timeout 5   
 login local
exit
int fa 0/0
ip access-group 111 in
Rate this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.