Creating a dynamic ACL is a two-step process that includes
building or modifying an ACL that will be applied to a router interface, and
then configuring the virtual terminal access to support the feature.
The Dynamic ACL Statements
The dynamic access list feature is an option for both
numbered and named extended access lists for TCP, UDP, ICMP, and IGMP traffic.
The [dynamic dynamic-name [timeout minutes]] option precedes the {permit | deny} choice.
The basic syntax for a numbered ACL would be the following:
Router(config)#access-list acl# [dynamic dynamic-name [timeout minutes]] {permit | deny}
{protocol | protocol-keyword} {source wildcard | any} [operator source-port]
{destination wildcard | any} [operator destination-port] [precedence precedence]
[tos tos] [log | log-input] [options]
The basic syntax for a named ACL would be as follows:
Router(config)#ip access-list extended name
Router(config-ext-nacl)#[dynamic dynamic-name [timeout minutes]] {permit | deny}
{protocol | protocol-keyword} {source wildcard | any} [operator source-port]
{destination wildcard | any} [operator destination-port] [precedence precedence]
[tos tos] [log | log-input] [options]
The following simple example creates a named access list with a
dynamic access list statement. Line two allows any host to telnet to the router
(IP address 201.5.45.87), which is how users reach the router to authenticate.
Line three defines a dynamic entry called allow-in. Once a user has authenticated,
the temporary entry created from it permits any IP traffic from the authenticating
host (or from whatever source range the statement names, depending on how the
virtual terminal lines are configured). The timeout limits the temporary entry to
60 minutes, regardless of activity.
Rtr1(config)#ip access-list extended filter-in
Rtr1(config-ext-nacl)#permit tcp any host 201.5.45.87 eq telnet
Rtr1(config-ext-nacl)#dynamic allow-in timeout 60 permit ip any any
Because the dynamic ACL is applied to an interface, and because only one ACL can
be applied per protocol in each direction on an interface, the dynamic statements
are typically added to an existing ACL that is already regulating traffic through
that interface.
The Virtual Terminal Statements
The virtual terminal lines are configured so that a successful login runs the
access-enable command, which creates the temporary entry. The host keyword limits
the temporary entry to the address that authenticated; the timeout sets the idle
timer, in minutes, after which an unused entry is removed.
Router(config-line)#autocommand access-enable [host] [timeout minutes]
The following example defines a single user name/password pair (itadmin/cisco)
and then enables the dynamic ACL to create a temporary entry limited to the host
that authenticated. If five minutes pass with no traffic matching the temporary
entry, it is deleted. Because the login is over Telnet, the user name and password
cross the network in cleartext; the feature protects the network behind the router,
not the credentials used to open it.
This example could be one solution to the problem in Figure 5-3,
allowing an administrator to access the network from home.
Rtr1(config)#username itadmin password cisco
Rtr1(config)#ip access-list extended filter-in
Rtr1(config-ext-nacl)#permit tcp any host 199.45.5.7 eq telnet
Rtr1(config-ext-nacl)#permit tcp any any established
Rtr1(config-ext-nacl)#permit icmp any any
Rtr1(config-ext-nacl)#dynamic allow-in timeout 60 permit ip any any log
Rtr1(config-ext-nacl)#int s0/0
Rtr1(config-if)#ip address 199.45.5.7 255.255.255.0
Rtr1(config-if)#ip access-group filter-in in
Rtr1(config-if)#line vty 0 4
Rtr1(config-line)#login local
Rtr1(config-line)#autocommand access-enable host timeout 5
Rtr1(config-line)#^Z
Rtr1#
Line 1 defines an acceptable user name/password combination.
Line 11 stipulates that the local database of user names and
passwords will be used to authenticate. If multiple user name/password
combinations had been configured, any set would be accepted.
Line 3, permit tcp any host 199.45.5.7 eq telnet, allows anyone to
access the lock-and-key router. The “any” could be replaced by a host address,
permit tcp host 24.12.117.91 host 199.45.5.7 eq telnet, if the
admin has a permanent IP address. This reduces the opportunities for outsiders
to access the network. Even if it can’t be reduced to a single IP address, a
network address and wildcard mask could limit exposure.
Line 6, dynamic allow-in timeout 60 permit ip any any, specifies
that the temporary entries will be called allow-in, limits them to 60 minutes,
and permits any host to reach any network with IP traffic. If the host option is
left off line 12, the temporary entry keeps the source address from line 6, so it
is open to any host in the world. Replacing the first "any" with a network address
and a wildcard mask limits that exposure. Replacing the last "any" with a host
address, or with a network address and a wildcard mask, limits all authenticated
access to the defined address(es). Line 6 could, for example, be changed to
dynamic allow-in timeout 60 permit ip 24.12.117.0 0.0.0.255 192.168.0.0 0.0.0.255.
Line 12 limits access to only the host address that authenticated
and sets the idle timer to five minutes.
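To make the interaction of these options concrete, the following Python model is an added example; it is not part of the original page and it is not Cisco IOS code. It assumes top-down, first-match evaluation with an implicit deny, treats the dynamic statement as a template that never matches traffic on its own, and models the two timers (the 60-minute absolute timeout on line 6 and the 5-minute idle timeout on line 12) with time as a plain count of minutes. The class and function names, the outside addresses 24.12.117.91 and 24.12.117.50, the inside host 192.168.0.10 and the scenario in demo() are the example's own constructions; the established line of the page's ACL is not modelled.

```python
# Teaching model of Cisco lock-and-key semantics (added example, not IOS code).
# Assumed behaviour: top-down first match with an implicit deny; the dynamic
# statement is a template that never matches traffic itself; a vty login running
# `autocommand access-enable` creates a temporary entry in the template's position
# (`host` pins its source to the authenticating address) that is removed when the
# template's absolute timeout or the access-enable idle timeout expires.
from dataclasses import dataclass
from typing import Optional
import ipaddress
ROUTER = "199.45.5.7"  # the lock-and-key router's serial address from the page

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

@dataclass
class Entry:
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches every protocol
    src: str                                # "any" or a base address
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    dst_port: Optional[int] = None          # eq <port>; None means any port
    dynamic: bool = False                   # template from `dynamic <name>`
    absolute_timeout: Optional[int] = None  # `timeout <minutes>` on the template
    def matches(self, proto, src, dst, dst_port) -> bool:
        return (self.proto in ("ip", proto)
                and (self.src == "any" or wildcard_match(src, self.src, self.src_wild))
                and (self.dst == "any" or wildcard_match(dst, self.dst, self.dst_wild))
                and (self.dst_port is None or self.dst_port == dst_port))

@dataclass
class TempEntry:
    entry: Entry        # concrete copy of the template
    template: Entry
    created: float      # minutes; time is a plain number in this model
    last_hit: float

class LockAndKeyACL:
    def __init__(self, entries, idle_timeout: Optional[int], host_keyword: bool):
        self.entries = list(entries)
        self.idle_timeout = idle_timeout    # autocommand access-enable ... timeout N
        self.host_keyword = host_keyword    # autocommand access-enable host
        self.temps: list = []

    def authenticate(self, host: str, now: float) -> None:
        # What `autocommand access-enable` does after a successful vty login.
        for t in (e for e in self.entries if e.dynamic):
            src, wild = (host, "0.0.0.0") if self.host_keyword else (t.src, t.src_wild)
            concrete = Entry(t.action, t.proto, src, wild, t.dst, t.dst_wild, t.dst_port)
            self.temps.append(TempEntry(concrete, t, now, now))

    def _alive(self, te: TempEntry, now: float) -> bool:
        absolute = te.template.absolute_timeout
        return ((absolute is None or now - te.created < absolute)
                and (self.idle_timeout is None or now - te.last_hit < self.idle_timeout))

    def evaluate(self, proto: str, src: str, dst: str, now: float, dst_port=None) -> str:
        self.temps = [te for te in self.temps if self._alive(te, now)]
        for e in self.entries:
            if e.dynamic:   # the template never matches; its temporary entries do
                for te in self.temps:
                    if te.template is e and te.entry.matches(proto, src, dst, dst_port):
                        te.last_hit = now
                        return te.entry.action
                continue
            if e.matches(proto, src, dst, dst_port):
                return e.action
        return "deny"       # implicit deny at the end of every ACL

def filter_in(host_keyword=True, idle_timeout=5, dyn_src=("any", "0.0.0.0"),
              dyn_dst=("any", "0.0.0.0")) -> LockAndKeyACL:
    """The page's filter-in list; the `established` line is not modelled."""
    return LockAndKeyACL([
        Entry("permit", "tcp", "any", dst=ROUTER, dst_port=23),
        Entry("permit", "icmp", "any"),
        Entry("permit", "ip", dyn_src[0], dyn_src[1], dyn_dst[0], dyn_dst[1],
              dynamic=True, absolute_timeout=60),
    ], idle_timeout, host_keyword)

def demo() -> dict:
    """Constructed scenario: admin 24.12.117.91 reaching 192.168.0.10 behind Rtr1."""
    admin, other, inside = "24.12.117.91", "24.12.117.50", "192.168.0.10"
    r, acl = {}, filter_in()
    r["telnet_before_auth"] = acl.evaluate("tcp", admin, ROUTER, 0, 23)  # static line 3
    r["inside_before_auth"] = acl.evaluate("ip", admin, inside, 0)        # template only
    acl.authenticate(admin, now=0)                                        # login + access-enable host
    r["admin_after_auth"] = acl.evaluate("ip", admin, inside, 1)
    r["other_after_auth"] = acl.evaluate("ip", other, inside, 1)          # host keyword pins source
    r["idle_expired"] = acl.evaluate("ip", admin, inside, 7)              # 6 idle minutes > 5
    acl.authenticate(admin, now=10)
    for minute in range(11, 70): acl.evaluate("ip", admin, inside, minute)  # constant traffic...
    r["absolute_expired"] = acl.evaluate("ip", admin, inside, 70)         # ...still ends at 60 min
    acl2 = filter_in(host_keyword=False)                                  # `host` left off line 12
    acl2.authenticate(admin, now=0)
    r["other_without_host"] = acl2.evaluate("ip", other, inside, 1)
    acl3 = filter_in(host_keyword=False, dyn_src=("24.12.117.0", "0.0.0.255"),
                     dyn_dst=("192.168.0.0", "0.0.0.255"))                # narrowed line 6
    acl3.authenticate(admin, now=0)
    r["narrowed_same_net"] = acl3.evaluate("ip", other, inside, 1)
    r["narrowed_outsider"] = acl3.evaluate("ip", "10.0.0.1", inside, 1)
    return r
```

Running demo() shows the three points the text makes: before authentication only the static Telnet line permits anything, the host keyword keeps a second address on the same network out even after the administrator has logged in, and a temporary entry disappears either after five idle minutes or after sixty minutes of continuous use. Leaving host off opens the entry to every source the dynamic statement names, which is why narrowing line 6 matters.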
Line 10, line vty 0 4, specifies that all five virtual terminal
lines will be configured for lock-and-key. But what if you have to Telnet
into that router for administration? The router would authenticate you, run the
autocommand, and close the session, just as it does for everyone else. The
following lines show an alternative that configures virtual lines 0 through 3 (four
in total) for lock-and-key while saving the final line, vty 4, for separate
configuration.
!
line vty 0 3
login local
autocommand access-enable host timeout 10
line vty 4
password cisco
login
rotary 1
The rotary Command
Because incoming Telnet sessions are assigned to whichever vty line is
free, there is normally no way to choose which line you land on. The rotary 1
command shown in the example makes it possible to select the line by connecting
to a specific port, 3001 in this case. The port numbers in the 3000 range are
reserved for this purpose: adding 3000 to the rotary value gives the port that
reaches that line. The command telnet 199.45.5.7 3001 therefore lands on line
vty 4. If the statement had been rotary 17, the port would have been 3017.