Lock-and-key is a Cisco IOS feature that enables
users to temporarily open a hole in a firewall without compromising other
configured security restrictions. This feature is configured using a type of
extended access list called a dynamic access list. In practice, lock-and-key
users are typically power users or systems administrators, because the user must
Telnet to a Cisco router to create the hole in the firewall. However, some
administrators may automate the procedure with scripts so that intermediate
users can take advantage of this feature.

Dynamic access lists enable designated users to gain temporary access to
protected resources from any IP address, or from specific addresses that
you choose. When configured, lock-and-key modifies the existing IP access list
of the interface so that it permits the IP addresses of designated users to
reach specific destinations. After the user has disconnected, lock-and-key
returns the access list to its original state.

For lock-and-key to work, the user must first Telnet to the router. During the
Telnet session, the user is given the opportunity to tell the router who he or
she is (by authenticating with a username and a password) and which IP address
he or she is currently sending from. If the user successfully authenticates to the
router, that IP address can be granted temporary access through the
router. The dynamic access list configuration determines the extent of the
access granted.
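The procedure described above, as an added Cisco IOS configuration example (not taken from the original text). It assumes a router whose outside interface is `Ethernet0` with the constructed address 192.0.2.1, a protected network 10.1.1.0/24 behind it, and a local user named `bob`; the secret, interface name, addresses and the dynamic-list tag `mytag` are all placeholders chosen for the example.

```cisco
! Local account used for the Telnet authentication step (constructed name).
! Replace the placeholder secret, or use AAA instead of the local database.
username bob secret PLACEHOLDER_SECRET
!
! Static entry: users must be able to reach the router itself over Telnet,
! otherwise they can never authenticate and no hole is ever opened.
! 192.0.2.1 is the router's outside address (constructed).
access-list 101 permit tcp any host 192.0.2.1 eq telnet
!
! Dynamic entry: it is inserted into the list only after a user runs
! access-enable. The "any" source is replaced by the authenticated user's
! address; the destination is the protected network (constructed).
! "timeout 120" is an absolute limit, in minutes, on the life of the entry.
access-list 101 dynamic mytag timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
! Apply the list inbound on the outside interface (constructed name).
interface Ethernet0
 ip access-group 101 in
!
! On the vty lines, authenticate against the local user database and then run
! access-enable automatically. "host" limits the opened entry to the source
! address the user connected from; "timeout 5" is an idle timeout in minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

Two points worth checking when deploying this. First, the two timeouts are different things: the `timeout` on the `dynamic` entry is absolute and bounds the entry's lifetime regardless of activity, while the `timeout` on `access-enable` is an idle timer; configuring at least one of them keeps a forgotten session from leaving the hole open indefinitely. Second, `show access-lists 101` lists any temporary entries currently inserted by lock-and-key, which is the quickest way to confirm that the hole opened for the expected source address and to see what is open at any given moment.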