NAT Technical Overview

Dynamic Access Lists

A dynamic access list is an access list that allows temporary access after a user has authenticated with the router. For example, in the field, you might want a Cisco engineer from the TAC to help you troubleshoot your network by logging into the routers. A dynamic access list could be created giving Cisco complete privileges for a predetermined amount of time. After the configured time limit expires, the session is closed and traffic is again denied. This form of access list is also referred to as lock-and-key security.

To configure a dynamic access list, you need to perform the following steps:

Step 1. Define a username and password.

Step 2. Define the username with the autocommand and timeout arguments; these must match a timeout value specified on the dynamic access list.

Step 3. Define a one-line dynamic access list allowing the traffic you want to pass after that user has authenticated. This line also should include the timeout value, which must match the one specified in Step 2.

Step 4. Define an extended access list, in the same range as the dynamic access list, that will serve as the normal packet filter for the interface to which you apply it. This must allow Telnet access to the interface it is applied to, because authentication is performed over Telnet. Finally, apply this access list to an interface.

Step 5. Add login local to the vty lines; their absolute line numbers are displayed by the show line command.

Returning to the same network from the earlier example, clear all the access lists and enable any-to-any routing. In Figure 14-4, every router has the 128.200.0.0 subnet in its routing table, and there is full reachability.

Figure 14-4. Dynamic Access List Example


In this example, you will define a dynamic access list on the router paine Ethernet 0 port. You will allow only users on the 172.16.1.0/24 subnet to authenticate, and then you will allow them access to the full 128.200.0.0 subnet. The access list will prevent any packets from unauthenticated users from entering into the interface. After someone has authenticated, you will allow all the devices on subnet 172.16.1.0/24 access for five minutes before closing the dynamic access list.

First, add a username and password needed for authentication:

  username franklin password ben
  username franklin autocommand access-enable timeout 5

The second line states that a special autocommand will run when user franklin logs in. access-enable is a special command that is not displayed by the question mark (context-sensitive help), so you will have to remember this one! The timeout value is an idle timeout; in this case, it is set to five minutes. This means that the temporary access list entry will close after no traffic has been detected for five minutes.

Next, define the dynamic access list:

  access-list 101 dynamic allowben timeout 5 permit ip 172.16.1.0 0.0.0.255 any
  access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet

The name for the dynamic access list must be unique and can be set to anything. What is important is the timeout value, which is an absolute timeout. If you use both timers, either they must be equal or the idle timeout must be less than the absolute timeout value. The rest of the access list allows IP traffic from the subnet 172.16.1.0/24 to any network after the user has authenticated.

The following list provides some Cisco rules and recommendations for configuring dynamic access list timers:

  • Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout; otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated the session) until the entry is removed manually by an administrator.

  • If you configure an idle timeout, the idle timeout value should be equal to the dialer-idle timeout value.

  • If you configure both idle and absolute timeouts, the idle timeout value must be less than or equal to the absolute timeout value.

The next line is your normal access list, which is always in place until someone has authenticated. This access list must begin with a permit of Telnet to the interface where the filter is applied. Without allowing Telnet, the user could never authenticate. In this case, you will allow only users on the same subnet of 172.16.1.0/24 to authenticate, while denying all other traffic. You can now apply the access list to the Ethernet 0 port of the paine router. This is done with the ip access-group 101 in command under the Ethernet 0 interface.

Finally, you must enable Telnet access under the vty ports, along with the appropriate enable passwords. See Chapter 1 if you need additional help with absolute line numbers. Example 14-9 lists the configuration of the paine router.

Example 14-9 paine Router Configuration
  hostname paine
  !
  enable password 7 02050D480809
  !
  username franklin password 7 02040155
  username franklin autocommand access-enable timeout 5
  !
  !
  interface Ethernet0
   no ip address
   shutdown
   media-type 10BaseT
  !
  interface Ethernet1
   ip address 172.16.1.2 255.255.255.0
   ip access-group 101 in
   media-type 10BaseT
  !
  <<<text omitted>>>
  !
  interface TokenRing1
   ip address 128.200.1.2 255.255.255.0
   ring-speed 16
  !
  router eigrp 2001
   network 128.200.0.0
   network 172.16.0.0
   no auto-summary
  !
  ip classless
  !
  access-list 101 dynamic allowben timeout 5 permit ip 172.16.1.0 0.0.0.255 any
  access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet
  !
  !
  line con 0
  line aux 0
  line vty 0 4
   login local
  !
  end
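As an added example (mine, not the book's), the following Python linter checks a configuration excerpt against the five steps and the timer rules above: the idle timeout on the autocommand must not exceed the absolute timeout on the dynamic entry, at least one timer must exist, the filter must permit Telnet to the address of the interface it is applied to, and the vty lines must use login local. The sample input is cut from Example 14-9, and the function name lint_lock_and_key is an assumption.

```python
import re

# Constructed sample input: the paine configuration from Example 14-9, cut down to the
# lines these checks read. The type-7 password string is the page's own, not a real secret.
PAINE_CFG = """\
username franklin password 7 02040155
username franklin autocommand access-enable timeout 5
interface Ethernet1
 ip address 172.16.1.2 255.255.255.0
 ip access-group 101 in
access-list 101 dynamic allowben timeout 5 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet
line vty 0 4
 login local
"""

def lint_lock_and_key(cfg):
    """Return the lock-and-key problems found in an IOS config text (empty list = passes)."""
    problems = []
    # Step 2: the idle timeout comes from the autocommand attached to the user.
    idle = [int(t) for t in re.findall(
        r"^username \S+ autocommand access-enable timeout (\d+)", cfg, re.M)]
    # Step 3: the dynamic entry and its optional absolute timeout.
    dyn = re.search(r"^access-list (\d+) dynamic \S+(?: timeout (\d+))? permit", cfg, re.M)
    if not dyn:
        return ["no dynamic access-list entry"]
    acl = dyn.group(1)
    absolute = int(dyn.group(2)) if dyn.group(2) else None
    if not idle and absolute is None:
        problems.append("no idle or absolute timeout: temporary entry never expires")
    if idle and absolute is not None and max(idle) > absolute:
        problems.append(f"idle timeout {max(idle)} exceeds absolute timeout {absolute}")
    # Step 4: the list must be applied inbound and permit Telnet to that interface's
    # address, otherwise nobody can reach the router to authenticate.
    applied = False
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        addr = re.search(r"^ ip address (\S+)", block, re.M)
        if addr and re.search(rf"^ ip access-group {acl} in", block, re.M):
            applied = True
            telnet = rf"^access-list {acl} permit tcp .* host {re.escape(addr.group(1))} eq telnet"
            if not re.search(telnet, cfg, re.M):
                problems.append(f"ACL {acl} does not permit telnet to {addr.group(1)}: nobody can authenticate")
    if not applied:
        problems.append(f"ACL {acl} is not applied inbound on any interface")
    # Step 5: vty lines must authenticate against the local username database.
    if not re.search(r"^line vty.*\n(?: .*\n)*? login local", cfg, re.M):
        problems.append("vty lines lack 'login local'")
    return problems

if __name__ == "__main__":
    print(lint_lock_and_key(PAINE_CFG) or "lock-and-key config looks consistent")
```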

To test the configuration, either attach a workstation to the Ethernet segment of 172.16.1.0/24 or use the washington router. The router always uses the address of the interface closest to the destination as the source address of the IP packets it generates. If you want to source a Telnet session from a different port, use the following command:

  ip telnet source-interface interface_name

Example 14-10 first illustrates an unsuccessful ping from washington to jefferson. The user then authenticates with paine, followed by successful pings to jefferson. After five minutes, the router paine closes the temporary hole and denies future access inbound to its Ethernet port. Notice how the Telnet session is immediately closed after authentication; this is normal operation.

Example 14-10 Testing the Dynamic Access List
  washington#
  washington# ping 128.200.1.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
  U.U.U
  Success rate is 0 percent (0/5)
  washington#
  washington#
  washington# telnet 172.16.1.2
  Trying 172.16.1.2 ... Open
  User Access Verification
  Username: franklin
  Password:
  [Connection to 172.16.1.2 closed by foreign host]
  washington#
  washington#
  washington# ping 128.200.1.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
  washington#
  <<<After 5 minutes expires>>>
  washington# ping 128.200.1.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
  U.U.U
  Success rate is 0 percent (0/5)
  washington#


CCIE Practical Studies, Volume I
ISBN: 1587200023
Year: 2001
Pages: 283
Authors: Karl Solie