10.3 Dynamic access lists: lock-and-key
10.3.1 Lock-and-key overview
Lock-and-key is a Cisco IOS feature that enables users to temporarily open a hole in a firewall without compromising other configured security restrictions. This feature is configured using a type of extended access list called a dynamic access list. In practice, lock-and-key users are typically power users or systems administrators, because the user must Telnet to a Cisco router to create the hole in the firewall. However, some administrators may automate the procedure with scripts so that less experienced users can also take advantage of this feature.

Dynamic access lists enable designated users to gain temporary access to protected resources from any IP address or from specific addresses that you choose. When configured, lock-and-key modifies the existing IP access list of the interface so that it permits the IP addresses of designated users to reach specific destinations. After the user has disconnected, lock-and-key returns the access list to its original state.

For lock-and-key to work, the user must first Telnet to the router. During that Telnet session, the user tells the router who he or she is (by authenticating with a username and a password) and what IP address he or she is currently sending from. If the user successfully authenticates to the router, the user's IP address can be granted temporary access through the router. The dynamic access list configuration determines the extent of the access granted.
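The mechanism described above, written out as a Cisco IOS configuration. This is an added example, not part of the original text; the interface, addresses, username, list number and dynamic-list name are constructed placeholders, and the rotary-group management line is an assumption about how an administrator would keep an interactive vty available.

```cisco
! Constructed example: addresses, usernames and list names are placeholders.
! Local account the user authenticates with when telnetting to the router.
username lockkey-user secret <REPLACE-WITH-STRONG-SECRET>
!
! Outside interface: the extended access list is applied inbound.
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Permanent entries. The user must be able to reach the router itself with
! Telnet, otherwise the dynamic entry can never be triggered. Management
! access on the rotary port (3001) is limited to one constructed admin host.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
access-list 101 permit tcp host 198.51.100.10 host 192.0.2.1 eq 3001
!
! Dynamic entry: inactive until a user runs access-enable. "timeout 120" is
! the absolute lifetime in minutes; the temporary entry is removed after
! that even if traffic is still flowing. Scope the destination narrowly
! rather than "permit ip any any" so a hijacked session opens only the
! protected subnet, not the whole network.
access-list 101 dynamic lockkey timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
! Everything else is dropped by the implicit deny at the end of the list.
!
! vty lines: after a successful local login, access-enable runs automatically
! and the Telnet session is closed. "host" replaces the "any" source with the
! authenticated user's own address; without it, the hole would be open to
! every source. "timeout 5" is the idle timeout in minutes.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! Keep one vty free of the autocommand, reachable through rotary group 1
! (TCP port 3001), so administrators can still manage the router.
line vty 4
 login local
 rotary 1
```

After a user's Telnet login, `show access-lists` shows the temporary entry created under the dynamic list, and `clear access-template 101 lockkey` removes it before its timeout expires.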