10.3 Dynamic access lists: lock-and-key
10.3.2 Lock-and-key operation
When is it appropriate to use lock-and-key? Two general scenarios warrant a dynamic access list configuration:
  • You want to permit a user, or group of users, to securely access a host within your protected network via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router, but only for that individual's host or subnet, and only for a finite period of time.
  • You want certain users on a remote network to access a host on the corporate network protected by a firewall (as shown in the figure). Lock-and-key requires users to authenticate before allowing their hosts to access the protected hosts.

The following steps summarize lock-and-key operation:

  1. A user opens a Telnet session to a firewall router configured for lock-and-key. The user connects via one of the VTYs on the router.
  2. The Cisco IOS receives the Telnet packet, opens a Telnet session, prompts the user for a username and password, and performs the authentication process. The authentication can be done by the router or by a security server (such as a TACACS+ or RADIUS box). When a user passes authentication, he or she is logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. Depending on the configuration, this temporary entry can limit the range of networks to which the user is given temporary access.
  3. The user exchanges data through the "hole" in the firewall.
  4. The IOS deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can be either an idle timeout or an absolute timeout. The temporary access-list entry is not automatically deleted when the user terminates a session. It remains until the timeout is reached or until it is cleared by the system administrator.
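The four steps above, as an added example configuration (not taken from the original text): a minimal lock-and-key setup on one Internet-facing interface. The interface name, addresses, username, list name and timer values are assumed placeholders.

```cisco
! Added example, not from the original text. Interface, addresses,
! username, list name and timers are assumed placeholders.
!
! Local account used to authenticate the Telnet session (step 2).
! A TACACS+ or RADIUS server can be used instead through AAA.
username remote-user password 0 CHANGE-ME
!
! Extended ACL on the outside interface. The only permanent permit is
! Telnet to the router itself (so users can reach the VTYs in step 1) and
! the rotary port reserved for administrators below. Everything else
! reaches the inside only through the dynamic entry created after login.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
access-list 101 permit tcp any host 192.0.2.1 eq 3001
!
! Dynamic entry template. "timeout 120" is the ABSOLUTE timeout in
! minutes: the temporary entry is removed 120 minutes after creation
! regardless of activity (step 4). Without it, the entry stays until an
! administrator clears it with: clear access-template 101 lock-and-key-list
access-list 101 dynamic lock-and-key-list timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! VTYs 0-3 are dedicated to lock-and-key users. After a successful login
! the autocommand runs, creates the temporary entry, and the Telnet
! session is closed (step 2). "host" limits the entry to the source
! address the user authenticated from; "timeout 5" is the IDLE timeout
! in minutes, so the hole closes after 5 minutes without traffic (step 4).
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! Keep one VTY without the autocommand so an administrator can still
! manage the router; "rotary 1" makes it reachable on TCP port 3001.
line vty 4
 login local
 rotary 1
```

While a hole is open, `show access-lists` lists the temporary entry beneath the dynamic template, which is the quickest way to audit who currently has access.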

Cisco IOS releases prior to Release 11.1 are not compatible with dynamic access lists (lock-and-key). Therefore, if you use a configuration file that includes a dynamic access list with IOS software older than Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems.