In this article I will configure a dynamic (Lock and Key) ACL, a technique described in the CCNA4 Exploration course.
About Lock and Key
Description from the Cisco web site:
Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock-and-key uses IP dynamic extended access lists. When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can gain temporary access through the router. When triggered, lock-and-key reconfigures the interface’s existing IP access list to permit designated users to reach their designated host(s). Afterwards, lock-and-key reconfigures the interface back to its original state.
For a user to gain access to a host through a router with lock-and-key configured, the user must first open a Telnet session to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the user is authenticated, they will then gain temporary access through the router and be able to reach their destination host.
Topology
In this example I will use the following topology, emulated in GNS3/Dynagen. The routers have only a basic configuration (IP addresses, host names, RIP routing).
|--FA0/0-(192.168.1.0/24)--|Left|--fa1/0--(1.0.0.0/24)--fa0/0--|Right|--Fa1/0-(2.0.0.0/8)--|
GNS3 config
autostart = True
[qemu localhost]
workingdir = C:\Program Files\GNS3\labs\secure-lab_working
udp = 20000
[localhost:7200]
workingdir = C:\Program Files\GNS3\labs\secure-lab_working
udp = 10000
[[2621XM]]
chassis = 2621XM
image = C:\Program Files\Dynamips\images\c2600-adventerprisek9-mz.124-17.image
ram = 128
ghostios = True
sparsemem = True
idlepc = 0x80248674
[[2691]]
image = C:\Program Files\Dynamips\images\c2691-i-mz.123-22.image
idlepc = 0x60559bc8
ghostios = True
sparsemem = True
[[ROUTER R1]]
model = 2691
console = 2007
f0/1 = R7 f0/0
slot1 = NM-1FE-TX
x = -107.0
y = -38.0
[[ROUTER R2]]
model = 2621XM
console = 2008
f0/0 = R6 f0/1
x = 43.0
y = -106.0
[GNS3-DATA]
configs = secure-lab_configs
workdir = secure-lab_working
Basic router configuration
Configuration of IP addressing and RIP v2 routing; with this in place, everything works.
Router Left
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.0.0.1 255.255.255.0
 speed auto
 half-duplex
!
router rip
 version 2
 network 1.0.0.0
 network 192.168.1.0
!
Router Right
interface FastEthernet0/0
 ip address 1.0.0.2 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 2.0.0.1 255.0.0.0
 duplex auto
 speed auto
 no keepalive
!
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
!
Configuring Lock and Key ACL
The goal of this example is to permit all IP traffic through the Left router after a successful Telnet login.
First I define the local user who is allowed to unlock the ACL:
username palo password my_password
Then I define an ACL consisting of three entries. The first entry lets RIP updates pass through the interface; the second defines from which networks users may open a Telnet session to the router in order to unlock the ACL. The third entry is the dynamic entry (a template) which is installed temporarily after a successful login and execution of the access-enable autocommand; it allows all IP traffic from any network to pass through the Left router. This entry is ignored until lock-and-key is triggered.
access-list 111 permit udp any any
access-list 111 permit tcp any host 1.0.0.1 eq telnet
access-list 111 dynamic my_dynamic permit ip any any
A time period (absolute timeout, in minutes) for which the temporary dynamic entry exists should also be defined, like this:
access-list 111 dynamic my_dynamic timeout 120 permit ip any any
Next I configure the VTY lines to use local authentication and to run an autocommand, which installs the dynamic ACL entry after a successful Telnet login.
line vty 0 4
 autocommand access-enable timeout 5
 login local
Finally, do not forget to apply the ACL to the interface (this is done below, in the functionality test).
From the Cisco web site (note that this quoted example uses interface Ethernet 0 and a dynamic list named mytestlist):
In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes effect and the session closes in 120 minutes.
After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.
Verifying the ACL
Left#sh access-lists
Extended IP access list 111
5 permit udp any any
10 permit tcp any host 1.0.0.1 eq telnet
20 Dynamic my_dynamic permit ip any any
Deleting dynamic ACL entries
Router# clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
or, for this example:
Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any
Functionality testing
1. With no ACL applied, ping the fa 0/0 interface of the Left router from Right:
Right#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!
2. Without a Telnet login there is no connectivity from the Right router.
First apply ACL 111 inbound on the fa0/1 interface of the Left router:
Left(config-if)#int fa 0/1
Left(config-if)#ip access-group 111 in
Now there is no ping reply:
Right#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Left#sh ip access-lists
Extended IP access list 111
5 permit udp any any
10 permit tcp any host 1.0.0.1 eq telnet
20 Dynamic my_dynamic permit ip any any
3. Now I log in via Telnet from Right to unlock the ACL. The Telnet session is closed immediately, but the dynamic ACL entry is installed.
Right#1.0.0.1
Trying 1.0.0.1 ... Open
User Access Verification
Username: palo
Password:
[Connection to 1.0.0.1 closed by foreign host]
The dynamic entry is now installed (the indented line under the dynamic template):
Left#sh ip access-lists
Extended IP access list 111
5 permit udp any any (12 matches)
10 permit tcp any host 1.0.0.1 eq telnet (81 matches)
20 Dynamic my_dynamic permit ip any any
    permit ip 1.0.0.0 0.255.255.255 any
The ping is now successful:
Right#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/39/73 ms
Right#
Left#sh ip access-lists
Extended IP access list 111
5 permit udp any any (30 matches)
10 permit tcp any host 1.0.0.1 eq telnet (81 matches)
20 Dynamic my_dynamic permit ip any any
    permit ip 1.0.0.0 0.255.255.255 any (15 matches) (time left 264)
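As an added helper (not part of the original article), here is a small Python parser for the "show ip access-lists" output shown above: it extracts every temporary entry that lock-and-key has currently installed, with its template, match count and remaining time, so the router's current "unlocked" state can be checked or logged from a script. The sample output is constructed from the page's own listing, and reading "time left" as seconds is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: "show ip access-lists" on the Left router after the
# Telnet login, with the temporary entry installed under the dynamic template.
SAMPLE = """\
Extended IP access list 111
    5 permit udp any any (30 matches)
    10 permit tcp any host 1.0.0.1 eq telnet (81 matches)
    20 Dynamic my_dynamic permit ip any any
        permit ip 1.0.0.0 0.255.255.255 any (15 matches) (time left 264)
"""

HEADER = re.compile(r"^Extended IP access list (\S+)")
# "20 Dynamic my_dynamic permit ip any any": the template, which itself never matches traffic
TEMPLATE = re.compile(r"^\s*\d+\s+Dynamic\s+(\S+)\s+(?:permit|deny)\s")
# Indented, unnumbered line under a template: an installed temporary entry
TEMP = re.compile(r"^\s+((?:permit|deny)\s+.*?)(?:\s+\((\d+) matches\))?"
                  r"(?:\s+\(time left (\d+)\))?$")

@dataclass
class TempEntry:
    acl: str
    template: str             # dynamic template the entry was created from
    rule: str                 # installed ACE, e.g. "permit ip 1.0.0.0 0.255.255.255 any"
    matches: int
    time_left: Optional[int]  # assumed to be seconds, as IOS prints "(time left 264)"

def parse_temp_entries(text: str) -> List[TempEntry]:
    """Return every lock-and-key entry currently installed, across all listed ACLs."""
    entries: List[TempEntry] = []
    acl = template = None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            acl, template = m.group(1), None
        elif acl and (m := TEMPLATE.match(line)):
            template = m.group(1)
        elif template and (m := TEMP.match(line)):
            entries.append(TempEntry(acl, template, m.group(1), int(m.group(2) or 0),
                                     int(m.group(3)) if m.group(3) else None))
        elif line.strip():
            template = None   # a numbered static ACE ends the template's block
    return entries

if __name__ == "__main__":
    for e in parse_temp_entries(SAMPLE):
        print(f"ACL {e.acl} / {e.template}: {e.rule} ({e.matches} matches, {e.time_left}s left)")
```

With no entry installed (the listing from before the Telnet login), the parser returns an empty list, which is the state an operator expects to see outside of an authenticated session.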
If I clear the dynamic entry now, the ping fails again:
Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any
Right#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Command review
username palo password my_password
access-list 111 permit udp any any
access-list 111 permit tcp any host 1.0.0.1 eq telnet
access-list 111 dynamic my_dynamic permit ip any any
access-list 111 dynamic my_dynamic timeout 120 permit ip any any
line vty 0 4
 autocommand access-enable timeout 5
 login local
exit
int fa 0/1
 ip access-group 111 in