GNS3 config<\/strong><\/h2>\nautostart = True\n[qemu localhost]\n workingdir = C:\\Program Files\\GNS3\\labs\\secure-lab_working\n udp = 20000\n[localhost:7200]\n workingdir = C:\\Program Files\\GNS3\\labs\\secure-lab_working\n udp = 10000\n [[2621XM]]\n chassis = 2621XM\n image = C:\\Program Files\\Dynamips\\images\\c2600-adventerprisek9-mz.124-17.image\n ram = 128\n ghostios = True\n sparsemem = True\n idlepc = 0x80248674\n [[2691]]\n image = C:\\Program Files\\Dynamips\\images\\c2691-i-mz.123-22.image\n idlepc = 0x60559bc8\n ghostios = True\n sparsemem = True\n [[ROUTER R1]]\n model = 2691\n console = 2007\n f0\/1 = R7 f0\/0\n slot1 = NM-1FE-TX\n x = -107.0\n y = -38.0\n [[ROUTER R2]]\n model = 2621XM\n console = 2008\n f0\/0 = R6 f0\/1\n x = 43.0\n y = -106.0\n[GNS3-DATA]\n configs = secure-lab_configs\n workdir = secure-lab_working\n<\/pre>\nBasic router configuration<\/strong><\/p>\nConfiguration of the IP addressing and RIP v2 routing, everything works.<\/p>\n
<\/p>\n
Router Left<\/strong><\/p>\ninterface FastEthernet0\/0\n ip address 192.168.1.11 255.255.255.0\n duplex auto\n speed auto\n!\ninterface FastEthernet0\/1\n ip address 1.0.0.1 255.255.255.0\n speed auto\n half-duplex\n!\n\nrouter rip\n version 2\n network 1.0.0.0\n network 192.168.1.0\n!<\/pre>\n <\/p>\n
Router Right<\/strong><\/p>\ninterface FastEthernet0\/0\n ip address 1.0.0.2 255.255.255.0\n speed auto\n half-duplex\n!\ninterface FastEthernet0\/1\n ip address 2.0.0.1 255.0.0.0\n duplex auto\n speed auto\n no keepalive\n!\nrouter rip\n version 2\n network 1.0.0.0\n network 2.0.0.0\n!\n<\/pre>\n\n\tConfiguring Lock and Key ACL<\/h2>\n
The example target is to unlock traffic for any traffic after telnet login.<\/p>\n
<\/p>\n
I need to define the name of the user which may unlock the ACL<\/p>\n
username palo password my_password<\/span><\/pre>\nThen I will define ACL which consist of three entries, first entry will help pass RIP updates through the interface, next entry defines from which nets users may do telnet login to unlock ACL. Third entry define dynamic ACL entry (template) which will be temporary installed after sucesfull login and executing access autocommand. It allows all IP traffic from any net to pass through the Left router. This entry is ignored tilll lock-and-key is not triggered.<\/span><\/p>\naccess-list 111 permit udp any any<\/span> \naccess-list 111 permit tcp any host 1.0.0.1 eq telnet<\/span>\naccess-list 111 dynamic my_dynamic permit ip any any<\/span><\/pre>\n\n\t <\/div>\n
There should be defined time period for which the temporary dynamic ACL created like :<\/p>\n
access-list 111 dynamic my_dynamic timeout 120 permit ip any any\n<\/pre>\nNext I will configure VTY line to use local authentication and autocommand execution, which will install Dynamic ACL entry after sucesfull telnet login.<\/p>\n
line vty 0 4\n autocommand access-enable timeout 5 <\/span>\n login local <\/span><\/pre>\nand at last do not forget apply the ACL on the interface<\/p>\n
<\/p>\n
From the web:<\/strong><\/p>\n <\/p>\n
\n\tIn the autocommand<\/span> command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes affect and the session closes in 120 minutes. <\/cite><\/p>\n\n\tAfter a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand<\/b> executes and the Telnet session terminates. The autocommand<\/b> creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout. <\/cite><\/p>\n <\/p>\n
<\/p>\n
Verifying the ACL<\/strong><\/p>\nLeft#sh access-lists <\/span>\n\nExtended IP access list 111\n 5 permit udp any any\n 10 permit tcp any host 1.0.0.1 eq telnet\n 20 Dynamic my_dynamic permit ip any any\n<\/pre>\nDeleting dynamic ACL entries<\/strong><\/p>\nRouter# clear access-template<\/b> [access-list-number <\/em>| name<\/em>] [dynamic-name<\/em>] [source<\/em>] [destination<\/em>] <\/span><\/pre>\nor exactly in this example<\/p>\n
Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any\n<\/pre>\n\n\tFunctionality testing<\/h2>\n
<\/p>\n
\n- \n\t\tNo ACL applied, we will ping the fa 0\/0 interface of the Left router<\/li>\n<\/ol>\n
Right#ping 192.168.1.11\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:\n!!!!!\n\n<\/pre>\n <\/p>\n
\n- \n\t\tWithout telnet login no connection from the Right router<\/li>\n<\/ol>\n
First we will apply the ACL 111 on the fa0\/1 interface of the Left router<\/p>\n
Left(config-if)#int fa 0\/1\nLeft(config-if)#ip access-group 111 in\n<\/pre>\nthere is no ping reply.<\/p>\n
Right#ping 192.168.1.11\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:\n.....\nSuccess rate is 0 percent (0\/5)\n\n<\/pre>\nLeft#sh ip access-lists\nExtended IP access list 111\n 5 permit udp any any\n 10 permit tcp any host 1.0.0.1 eq telnet\n 20 Dynamic my_dynamic permit ip any any\n<\/pre>\n3. now i will do telnet login from Right to unlock the ACL. The telnet session will be closed, but dynamic acl entry will be installed.<\/p>\n
Right#1.0.0.1\nTrying 1.0.0.1 ... Open\n\nUser Access Verification\n\nUsername: palo\nPassword:\n\n[Connection to 1.0.0.1 closed by foreign host]\n<\/pre>\nthe dynamic entry is installed (yellow)<\/p>\n
Left#sh ip access-lists\nExtended IP access list 111\n 5 permit udp any any (12 matches)\n 10 permit tcp any host 1.0.0.1 eq telnet (81 matches)\n 20 Dynamic my_dynamic permit ip any any\n permit ip 1.0.0.0 0.255.255.255 any <\/span><\/pre>\nping will be sucesfull<\/p>\n
Right#ping 192.168.1.11\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 8\/39\/73 ms\nRight#\n<\/pre>\nLeft#sh ip access-lists\nExtended IP access list 111\n 5 permit udp any any (30 matches)\n 10 permit tcp any host 1.0.0.1 eq telnet (81 matches)\n 20 Dynamic my_dynamic permit ip any any\n permit ip 1.0.0.0 0.255.255.255 any (15 matches) (time left 264)\n<\/pre>\nif I will clear dynamic entry now, the ping will fail<\/p>\n
Left#clear access-template 111 my_dynamic 1.0.0.0 0.255.255.255 any\n<\/pre>\nRight#ping 192.168.1.11\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:\n.....\nSuccess rate is 0 percent (0\/5)\n<\/pre>\n