RE: Dynamic Access List

From: Aaron Pilcher (apilcher@itgcs.com)
Date: Sun Jul 30 2006 - 18:58:58 ART


Here is another spin on it....

username user1 password pass1
username user2 password pass2

! optional arguments such as timeout go on the next line
username user1 autocommand access-enable
username user2 autocommand show version

access-list 100 permit tcp any host 131.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 dynamic LOCKANDKEY permit tcp any any eq telnet

interface fastethernet 0/0
 ip access-group 100 in

line vty 0 4
 login local

In the above example, once a user logs in as "user1" to the above router,
telnet traffic through this device will be permitted and, from what I have
seen, the user is immediately logged out.

Also, if the user logs in as "user2", the command "show version" will be
displayed and the user will also be immediately logged out.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Narbik Kocharians
Sent: Sunday, July 30, 2006 4:38 PM
To: Sami
Cc: ccielab@groupstudy.com
Subject: Re: Dynamic Access List

Here is an example of a dynamic access-list, the external interface's IP
address of your router is 131.1.23.2 and the external host that needs access
to your internal network has an IP address of 2.2.2.2, I hope this helps:

Router(config)#access-list 100 permit tcp any host 131.1.23.2 eq 23

*This access-list is needed so the external users can telnet in, in order to
get authenticated. *

R2(config)#access-list 100 permit ospf any any

*This statement is needed to allow OSPF through (This is just an example)
but if you have other routing protocols running, you should allow that
traffic.*

R2(config)#access-list 100 dynamic TEST permit ip any any

*Note the above statement in the access-list tells the router to create a
dynamic access-list called TEST. This named access-list will be created when
external users telnet to this router and get authenticated. One of the
restrictions in dynamic ACL is that you can only configure one line.*

R2(config)#int s0/0

R2(config-if)#ip access-group 100 in

*The above command is applying the access-list inbound to S0/0 interface.*


*Lastly the telnet ports must be configured for the dynamic access-list:*

R2(config)#line vty 0 871

R2(config-line)#autocommand ?

  LINE Appropriate EXEC command

  no-suppress-linenumber Display service linenumber message

*Note the access-enable may not show when a question mark is entered.*

R2(config-line)#autocommand access-enable host

R2(config-line)#login local

*The "autocommand" statement links the dynamic access-list to the telnet
authentication. It creates an entry in the dynamic access-list using the
source IP address of the host. If the autocommand is NOT configured, the
dynamic entry will not be created. *

*The second line specifies that authentication should be done using the
local user account database.*

This is the ACL that's created for you:

*On R2*

*Show access-list*

Extended IP access list 100

    10 permit tcp any host 131.1.23.2 eq telnet (207 matches)

    20 permit tcp any host 2.2.2.2 eq telnet

    30 permit ospf any any (175 matches)

    40 Dynamic TEST permit ip any any

       permit ip host 131.1.34.4 any (6 matches)

The external host's IP address is 2.2.2.2

Note if the timeouts are not specified the entry will be there forever,
unless you clear the dynamic entry using the following command:

R2#clear ip access-template 100 TEST host 131.1.34.4 any

*Note this command has to be entered in the privileged config mode. *


*There are two timeout values, Idle and absolute and they are as follows:*


R2(config)#line vty 0 871

R2(config-line)#autocommand access-enable host timeout 2

*The timeout here defines the idle timeout and it's in minutes.*

*Show ip access-list*

Extended IP access list 100

    10 permit tcp any host 131.1.23.2 eq telnet (381 matches)

    20 permit tcp any host 2.2.2.2 eq telnet

    30 permit ospf any any (574 matches)

    40 Dynamic TEST permit ip any any

       permit ip host 131.1.34.4 any (1 match) (time left 95)

This is the absolute timeout:

R2(config)#access-list 100 dynamic TEST timeout 4 permit ip any any

*This timeout is the absolute or time to live timeout, which defines the
amount of time in minutes a dynamically created access-list, can exist. *

Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)

On 7/30/06, Sami <sy1977@gmail.com> wrote:
>
> Group,
>
> Could someone explain when a dynamic access list is applied to vty lines and
> when to a user using autocommand? Another confusion: timeout, should it be
> used with the dynamic access list command or with autocommand when applying to
> vty/user.
>
> Could some one post a working config with an example.
>
> Thanks
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>


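Added example, not part of the thread: a small Python audit for the lock-and-key settings discussed above. It reads a running-config excerpt and a show access-lists listing (both constructed here, with assumed users and addresses), reports dynamic templates with no absolute timeout or with a permit ip any any rule and access-enable autocommands with no idle timeout or no host keyword, and for each dynamic entry that is displayed without a time-left countdown it emits the clear ip access-template command in the form used in the reply above.

```python
"""Audit a Cisco IOS lock-and-key setup for the weak settings this thread
touches on: a dynamic template with no absolute timeout or that permits all
IP traffic, an access-enable autocommand with no idle timeout or no 'host'
keyword, and dynamic entries in 'show access-lists' with no countdown.
Added example; the config and show output below are constructed."""
import re

# Constructed running-config excerpt (users and addresses are assumed).
RUNNING_CONFIG = """\
username user1 password 0 pass1
username user1 autocommand access-enable
username user2 password 0 pass2
username user2 autocommand show version
access-list 100 permit tcp any host 131.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 dynamic LOCKANDKEY permit tcp any any eq telnet
access-list 101 permit tcp any host 131.1.23.2 eq telnet
access-list 101 dynamic TEST timeout 4 permit ip any any
line vty 0 4
 autocommand access-enable host timeout 2
 login local
"""

# Constructed 'show access-lists' output in the layout shown in the thread.
SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit tcp any host 131.1.23.2 eq telnet (207 matches)
    20 permit ospf any any (175 matches)
    30 Dynamic LOCKANDKEY permit tcp any any eq telnet
       permit tcp host 131.1.34.4 any eq telnet (6 matches)
Extended IP access list 101
    10 permit tcp any host 131.1.23.2 eq telnet (381 matches)
    20 Dynamic TEST permit ip any any
       permit ip host 131.1.34.4 any (1 match) (time left 95)
"""

# access-list <n> dynamic <name> [timeout <min>] <rule>   (absolute timeout)
DYNAMIC_RE = re.compile(r"^access-list (?P<acl>\d+) dynamic (?P<name>\S+)"
                        r"(?: timeout (?P<timeout>\d+))? (?P<rule>.+)$")
# autocommand access-enable [host] [timeout <min>]   (idle timeout)
AUTOCMD_RE = re.compile(r"^\s*(?:username (?P<user>\S+) )?autocommand access-enable"
                        r"(?P<host> host)?(?: timeout (?P<timeout>\d+))?")
ACL_HDR_RE = re.compile(r"^Extended IP access list (?P<acl>\S+)")
DYN_HDR_RE = re.compile(r"^\s*\d+ Dynamic (?P<name>\S+) ")
ENTRY_RE = re.compile(r"^\s+permit (?P<rest>.+?)(?: \(\d+ match(?:es)?\))?"
                      r"(?: \(time left (?P<left>\d+)\))?$")


def audit_config(config):
    """Return one finding per weak lock-and-key setting in a running config."""
    findings = []
    for line in config.splitlines():
        m = DYNAMIC_RE.match(line)
        if m:
            where = "access-list %s dynamic %s" % (m["acl"], m["name"])
            if m["timeout"] is None:
                findings.append(where + ": no absolute timeout, entries live until cleared")
            if m["rule"].strip() == "permit ip any any":
                findings.append(where + ": template permits all IP traffic, narrow it")
            continue
        m = AUTOCMD_RE.match(line)
        if m:
            where = "username " + m["user"] if m["user"] else "line vty"
            if m["host"] is None:
                findings.append(where + ": access-enable without 'host', entry not tied to the Telnet source")
            if m["timeout"] is None:
                findings.append(where + ": access-enable without idle timeout")
    return findings


def _endpoint(tokens, i):
    """Consume one ACL endpoint (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def stale_dynamic_entries(show_output):
    """Return a 'clear ip access-template' command for every dynamic entry
    that is shown without a '(time left N)' countdown."""
    commands, acl, template = [], None, None
    for line in show_output.splitlines():
        m = ACL_HDR_RE.match(line)
        if m:
            acl, template = m["acl"], None
            continue
        m = DYN_HDR_RE.match(line)
        if m:
            template = m["name"]
            continue
        m = ENTRY_RE.match(line)
        if m and template and m["left"] is None:
            tokens = m["rest"].split()         # tokens[0] is the protocol
            src, i = _endpoint(tokens, 1)
            dst, _ = _endpoint(tokens, i)
            commands.append("clear ip access-template %s %s %s %s" % (acl, template, src, dst))
    return commands
```

Call audit_config(RUNNING_CONFIG) and stale_dynamic_entries(SHOW_ACCESS_LISTS), or feed in your own show running-config and show access-lists output. The show-output parser assumes the layout shown above: the Dynamic template line is numbered, its live entries are indented beneath it, and (time left N) is appended only while a timeout is counting down; on the constructed input the LOCKANDKEY entry with no countdown is the one reported.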

This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART