10.3 Dynamic access lists: lock-and-key
10.3.3 Configuring lock-and-key

To configure lock-and-key, you start by defining a dynamic access list, using the syntax shown in the figure. To configure lock-and-key on RTA (192.168.1.1), you would configure the dynamic access list as shown:

    RTA(config)#access-list 101 permit tcp any host 192.168.1.1 eq telnet

The first access list statement in the example permits Telnet traffic to RTA's interface at 192.168.1.1. Lock-and-key will not work if a firewall blocks the user from Telnetting to the router: the user must be able to reach the router via Telnet, so configuring an explicit Telnet permit is a good idea.

The second statement includes the dynamic keyword and creates a dynamic list called UNLOCK. Notice that the dynamic statement is part of the same extended access list, 101. Remember that you can have only one access list per protocol, per interface, per direction. Assume, for this example, that additional statements are configured as part of access list 101.

The timeout 120 option specifies the absolute timeout, which is the maximum time (in minutes) that each entry in this dynamic list may exist. In this case, the user would be disconnected 120 minutes after first connecting. If you do not specify a timeout, the IOS allows the entry (the hole in the firewall) to remain forever, or until the idle timer expires (if one is configured).

Finally, the ip access-group 101 in command applies this list to inbound traffic on the serial interface. With the dynamic access list configured and applied, you must configure the router to use authentication to complete the lock-and-key configuration. Authenticating lock-and-key users is described in the next section.
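The access list this section describes, written out as an added configuration example rather than the course's own figure. The Telnet permit, the list number 101, the name UNLOCK and timeout 120 come from the text above; the permit clause of the UNLOCK entry, the interface name Serial0 and the inside network 10.0.0.0/8 are assumed values chosen for the example.

```cisco
! Added example assembled from the statements described in this section.
! Assumed (not from the course): the UNLOCK entry permits IP to the inside
! network 10.0.0.0/8, and the interface facing remote users is Serial0.
!
! 1. Let remote users reach the router's Telnet port. Without this line the
!    authentication step of lock-and-key can never take place.
access-list 101 permit tcp any host 192.168.1.1 eq telnet
!
! 2. The dynamic entry. It matches nothing by itself; a temporary entry is
!    created from it only after a user authenticates (next section).
!    timeout 120 is the ABSOLUTE timeout: the temporary entry is removed
!    120 minutes after it was created, even if the session is still active.
access-list 101 dynamic UNLOCK timeout 120 permit ip any 10.0.0.0 0.255.255.255
!
! 3. Further statements are assumed to follow as part of the same list 101.
!    Anything not permitted above is dropped by the implicit deny at the end.
!
! 4. Apply the whole list inbound on the interface facing the remote users
!    (only one list per protocol, per interface, per direction).
interface Serial0
 ip access-group 101 in
!
! Weak variant, shown commented out for contrast only: with no timeout
! keyword the temporary entry stays until an idle timer (if one is
! configured) expires, and otherwise stays open indefinitely.
! access-list 101 dynamic UNLOCK permit ip any 10.0.0.0 0.255.255.255
!
! Verify the list and any active temporary entries with: show access-lists
```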