
Creating a Lock-and-Key System

From the document Cisco ® Certified (Page 181-184)

Creating a dynamic ACL is a two-step process: first build (or modify) an extended ACL that contains a dynamic statement and apply it to a router interface, then configure the virtual terminal lines so that a successful login creates the temporary entry.


Figure 5-3 Simple example of lock-and-key access

The Dynamic ACL Statements

The dynamic access list feature is an option for both numbered and named extended access lists for TCP, UDP, ICMP, and IGMP traffic.

The [dynamic dynamic-name [timeout minutes]] options precede the {permit | deny} choice.

The basic syntax for a numbered ACL would be the following:

Router(config)#access-list acl# [dynamic dynamic-name [timeout minutes]] {permit | deny} {protocol | protocol-keyword} {source wildcard | any} [operator source-port] {destination wildcard | any} [operator destination-port] [precedence precedence] [tos tos] [log | log-input] [options]

The basic syntax for a named ACL would be as follows:

Router(config)#ip access-list extended name

Router(config-ext-nacl)#[dynamic dynamic-name [timeout minutes]] {permit | deny} {protocol | protocol-keyword} {source wildcard | any} [operator source-port] {destination wildcard | any} [operator destination-port] [precedence precedence] [tos tos] [log | log-input] [options]

dynamic: Identifies this access list statement as a dynamic statement, meaning it can create temporary ACL entries.

dynamic-name: The name of the temporary ACL to be created.

timeout minutes: Specifies the absolute length of time (in minutes) a temporary ACL entry can exist, regardless of activity.

Warning: The default is infinite, which allows an entry to remain until an administrator deletes it. Always set a timeout to close this "hole" in your security.

The following simple example creates a named access list with a dynamic access list statement. Line two allows any host to Telnet to the router (IP address 201.5.45.87).

Line three defines a dynamic entry called allow-in. The statement allows any IP traffic from the authenticated host (or, if the host option is not used on the vty autocommand, from the host's network) through the interface. It also limits the temporary access to 60 minutes, regardless of activity.

Rtr1(config)#ip access-list extended filter-in
Rtr1(config-ext-nacl)#permit tcp any host 201.5.45.87 eq telnet
Rtr1(config-ext-nacl)#dynamic allow-in timeout 60 permit ip any any

Because the dynamic ACL will be applied to an interface, and because only one ACL can exist in each direction per protocol, the dynamic statements are typically added to an existing ACL that is already regulating traffic through that interface.

The Virtual Terminal Statements

The second step configures the virtual terminal lines so that a successful Telnet login runs the access-enable command, which creates the temporary entry:

Router(config-line)#autocommand access-enable [host] [timeout minutes]

autocommand: Executes the access-enable command when a user authenticates through a Telnet session into the router.

access-enable: Enables the lock-and-key access feature by having the router create a temporary access list entry in a dynamic access list.

host: Limits access to the host that originated the Telnet session. If not included, the temporary ACL entry allows access by all hosts on the network defined by the source address and wildcard mask of the ACL dynamic statement.

timeout: Specifies an idle timer (in minutes) for the temporary ACL entry. If the temporary entry isn't matched by traffic within this time period, the entry is deleted and the user must authenticate again. The default is for the entries to remain until the absolute timeout expires or an administrator clears them.

The following example creates a single user name/password pair (itadmin/cisco) and then enables the dynamic ACL to create a temporary entry limited to the host that authenticated. If five minutes pass without traffic matching the entry, the temporary entry is deleted.

This example could be one solution to the problem in Figure 5-3 to allow an administrator to access the network from home.

Rtr1(config)#username itadmin password cisco
Rtr1(config)#ip access-list extended filter-in
Rtr1(config-ext-nacl)#permit tcp any host 199.45.5.7 eq telnet
Rtr1(config-ext-nacl)#permit tcp any any established
Rtr1(config-ext-nacl)#permit icmp any any
Rtr1(config-ext-nacl)#dynamic allow-in timeout 60 permit ip any any log
Rtr1(config-ext-nacl)#int s0/0
Rtr1(config-if)#ip access-group filter-in in
Rtr1(config-if)#exit
Rtr1(config)#line vty 0 4
Rtr1(config-line)#login local
Rtr1(config-line)#autocommand access-enable host timeout 5

The username line defines an acceptable user name/password combination.

The login local line on the vty lines stipulates that the local database of user names and passwords will be used to authenticate. If multiple user name/password combinations had been configured, any of them would be accepted.

The statement permit tcp any host 199.45.5.7 eq telnet allows anyone to reach the Telnet service on the lock-and-key router. The "any" could be replaced by a host address, permit tcp host 24.12.117.91 host 199.45.5.7 eq telnet, if the admin has a permanent IP address. This reduces the opportunities for outsiders to reach the router's login prompt at all. Even if it can't be reduced to a single IP address, a network address and wildcard mask could limit exposure. Keep in mind that the Telnet login, password included, crosses the untrusted network in clear text, which is one more reason to restrict who can reach the vty lines.

The statement dynamic allow-in timeout 60 permit ip any any log names the temporary ACL allow-in, limits the temporary entries to an absolute lifetime of 60 minutes, and specifies that the temporary entries will allow any host access to any network for IP traffic. If the host option is left off the autocommand access-enable line, the temporary entry keeps this source of "any" and is open to any host in the world. By replacing the first "any" with a network address and a wildcard mask, the exposure could be limited. By replacing the last "any" with a host address or a network address and a wildcard mask, all authenticated access would be limited to the defined address(es). An example of changes to the dynamic statement could be the following: dynamic allow-in timeout 60 permit ip 24.12.117.0 0.0.0.255 192.168.0.0 0.0.0.255.

The autocommand access-enable host timeout 5 line limits access to only the host address that authenticated and sets the idle timer to five minutes.

The line vty 0 4 statement specifies that all five virtual terminal lines will be configured for lock-and-key. But what if you have to Telnet into that router for administration purposes? The router will authenticate us, run the autocommand, and then close the Telnet session just like everyone else. An alternative configures virtual lines 0 through 3 (four lines) for lock-and-key while saving the final line, vty 4, for separate configuration.

The rotary Command

Because normal virtual terminal sessions are assigned to whichever vty line happens to be free, knowing which line a session will land on is impossible. The rotary 1 command makes it possible to specify a port number (3001) when setting up the Telnet session, and thereby select the virtual line. TCP ports in the 3000 range are reserved for this purpose, so adding 3000 to the rotary value gives the port that reaches the correct line. The command telnet 199.45.5.7 3001 would access vty line 4, the line configured with rotary 1.

If the rotary statement had been rotary 17, the Telnet command would have used port 3017.
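The arrangement just described, written out as a complete configuration. This is an added example, not the book's own listing: it combines the tightened ACL suggested above (the admin's home host 24.12.117.91 and the internal network 192.168.0.0/24 come from the text; the interface Serial0/0, the router address 199.45.5.7 and the rotary group number 1 are assumptions) with vty 0 to 3 for lock-and-key and vty 4 reserved for administration on port 3001. The access-class on vty 4 goes beyond what the text describes: it restricts who may even open a session on the administrative line, whichever port they arrive on.

```cisco
! Added example (not from the book). Assumptions: untrusted interface is
! Serial0/0 at 199.45.5.7, admin home host 24.12.117.91, inside LAN
! 192.168.0.0/24, rotary group 1.
!
! Local credentials used by "login local" on the vty lines.
! (Prefer "username itadmin secret ..." on IOS releases that support it;
! "password" stores the credential with reversible type 7 encoding at best.)
username itadmin password cisco
!
! Standard ACL for access-class: who may open a session on the admin line.
access-list 10 permit host 24.12.117.91
access-list 10 permit 192.168.0.0 0.0.0.255
!
ip access-list extended filter-in
 ! Only the admin's home host may reach the Telnet service on the router.
 permit tcp host 24.12.117.91 host 199.45.5.7 eq telnet
 ! Replies to sessions started from inside, and ICMP, as in the book example.
 permit tcp any any established
 permit icmp any any
 ! Temporary entries are inserted at this position. Absolute lifetime
 ! 60 minutes; source narrowed to the home network and destination to the
 ! inside LAN, so an authenticated entry is never "permit ip any any".
 dynamic allow-in timeout 60 permit ip 24.12.117.0 0.0.0.255 192.168.0.0 0.0.0.255 log
 ! Everything else hits the implicit deny at the end of the list.
!
interface Serial0/0
 ip access-group filter-in in
!
! vty 0-3: lock-and-key only. After a successful login the router runs
! access-enable, creates an entry limited to the authenticating host
! (host keyword) with a 5-minute idle timer, and closes the session.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! vty 4: ordinary administrative access. Reachable on TCP port 3001
! (3000 + rotary 1): "telnet 199.45.5.7 3001". The access-class keeps
! anyone but the admin's addresses off this line.
line vty 4
 access-class 10 in
 login local
 rotary 1
!
! Verification from privileged EXEC (not part of the configuration):
!   show access-lists filter-in        -> lists the temporary allow-in entries
!   clear access-template filter-in allow-in
!                                      -> removes them before the timers expire
```

The absolute timeout on the dynamic statement and the idle timeout on the autocommand are independent: an entry disappears at whichever fires first, so both should be set. The logging keyword on the dynamic statement records each temporary entry's creation, which is the audit trail for who opened the hole and when.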

