RE: Dynamic Access Lists

From: Lupi, Guy (Guy.Lupi@xxxxxxxxxxxxx)
Date: Thu Feb 21 2002 - 15:08:07 GMT-3

You can use them to allow traffic that is otherwise denied for a certain
amount of time. The user telnets into the router, authenticates, and then
gets logged out on the execution of the autocommand, and then can transmit
traffic specified in the dynamic entry that is otherwise denied. For
instance, say you have a software developer that needs ip access to a box on
your network 172.168.8.8, but don't want it open unless he authenticates,
and then you want it open for only a short amount of time and to the address
that he authenticates with. You could do a list like this:

interface s0/0
ip addr 172.168.2.8 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any host 172.168.2.8 eq 23
access-list 101 dynamic permitdeveloper timeout 180 permit ip any host 172.168.8.8
! This is the server
access-list 101 deny ip any host 172.168.8.8
access-list 101 permit tcp any any established
access-list 101 permit udp any any
access-list 101 deny ip any any
!
username frank password cisco
username frank autocommand access-enable host timeout 15

This will allow username frank to telnet in, authenticate, and then the
access list will take the IP address of the device that authenticated and
place that in the any spot of the second line of the list. See below, hth:

r5#ping 172.168.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.2.8, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

r5#telnet 172.168.2.8
Trying 172.168.2.8 ... Open

User Access Verification

Username: frank
Password:
[Connection to 172.168.2.8 closed by foreign host]
r5#

r8#sh access-list 101
Extended IP access list 101
    permit tcp any host 172.168.2.8 eq telnet (330 matches)
    Dynamic permitdeveloper permit ip any host 172.168.8.8
      permit ip host 172.168.2.5 host 172.168.8.8 (10 matches) (time left 881)
    permit tcp any any established
    permit udp any any
    deny ip any any (142 matches)
r8#

r5#ping
Protocol [ip]:
Target IP address: 172.168.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.168.1.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r5#ping
Protocol [ip]:
Target IP address: 172.168.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.168.2.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.168.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r5#
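Added example (not code from the original post, and not Cisco IOS code): a small Python model of the lock-and-key list above, showing the dynamic template being instantiated only for the host that authenticated, and that temporary entry expiring on whichever of the idle timeout (autocommand) or absolute timeout (access-list line) comes first. It assumes timeouts are in minutes as on the IOS lines and does not model ports or the 'established' keyword.

```python
def _match(spec, addr):
    # ACL address field: "any" or "host A.B.C.D"
    return spec == "any" or spec == f"host {addr}"

def _proto_match(spec, proto):
    return spec == "ip" or spec == proto

class LockAndKeyACL:
    # Constructed model of IOS lock-and-key behaviour, not IOS itself.
    def __init__(self, entries, abs_timeout_min, idle_timeout_min):
        # entries: (action, proto, src, dst, dynamic_name_or_None), in order
        self.entries = entries
        self.abs_timeout = abs_timeout_min * 60   # 'timeout 180' on the ACL line
        self.idle_timeout = idle_timeout_min * 60  # 'timeout 15' on the autocommand
        self.temp = {}  # authenticated src host -> {"abs": t, "idle": t}

    def access_enable(self, src_host, now):
        # 'autocommand access-enable host': the template's 'any' source is
        # replaced by the address the user authenticated from
        self.temp[src_host] = {"abs": now + self.abs_timeout,
                               "idle": now + self.idle_timeout}

    def _expire(self, now):
        # a temporary entry dies at whichever timeout comes first
        self.temp = {h: t for h, t in self.temp.items()
                     if now < min(t["abs"], t["idle"])}

    def evaluate(self, proto, src, dst, now):
        """Return 'permit' or 'deny' for one packet; first match wins."""
        self._expire(now)
        for action, eproto, esrc, edst, dynamic in self.entries:
            if not _proto_match(eproto, proto) or not _match(edst, dst):
                continue
            if dynamic is not None:
                if src in self.temp:  # only hosts that authenticated
                    self.temp[src]["idle"] = now + self.idle_timeout
                    return action
                continue  # everyone else falls through to the deny line
            if _match(esrc, src):
                return action
        return "deny"  # implicit deny at the end of every IOS ACL

# access-list 101 from the reply above (dynamic entry 'permitdeveloper')
ACL_101 = LockAndKeyACL([
    ("permit", "tcp", "any", "host 172.168.2.8", None),
    ("permit", "ip", "any", "host 172.168.8.8", "permitdeveloper"),
    ("deny", "ip", "any", "host 172.168.8.8", None),
    ("permit", "udp", "any", "any", None),
    ("deny", "ip", "any", "any", None),
], abs_timeout_min=180, idle_timeout_min=15)
```

Calling access_enable("172.168.2.5", now) plays the role of frank's telnet login; evaluate() then permits 172.168.2.5 to reach 172.168.8.8 while 172.168.1.5 is still denied, matching the two pings above.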
-----Original Message-----
From: Williams, Glenn [mailto:WILLIAMSG@PANASONIC.COM]
Sent: Thursday, February 21, 2002 12:15 PM
To: 'ccielab@groupstudy.com'
Subject: Dynamic Access Lists

Hi,

I can't seem to see a reason to use dynamic access lists. Initial examples
I see show telnet access, limited to a window period and then authenticated
before access. Except for the window period, I can do all that with just a
normal access list, access class and login local. Just started looking at
these. Any input?

TIA
GW

This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 13:46:29 GMT-3