dynamic acl on router

Answered Question
Aug 5th, 2009

Hi everybody.

Let's say we have the following scenario of an enterprise network:


h1 host1 1.1.1.1

h2 host2 2.2.2.2

R router

wwwS web server

ftpS ftp server



h1,h2- (ipnet)s0-R-s1(ipnet)-wwwS,ftpS



h1 and h2 have been given access to the www server and the ftp server respectively by configuring an ACL on the router as follows:

access-list 111 permit tcp host 1.1.1.1 host 10.10.10.10 eq www

access-list 111 permit tcp host 2.2.2.2 host 10.10.10.9 eq ftp


Let's say host1 and host2 were removed from the network and taken to the employees' homes. These two hosts are connected to the internet, where they are assigned different IP addresses, say h1 11.11.11.11 and h2 12.12.12.12.

If we still want to allow these two hosts access to the web server and the ftp server, we have to modify the access list to allow the newly acquired IP addresses of h1 and h2, or use a dynamic ACL.

If we use a dynamic ACL on the router, will the router generate two ACL statements as:

access-list 111 permit tcp host 11.11.11.11 host 10.10.10.10 eq www

access-list 111 permit tcp host 12.12.12.12 host 10.10.10.9 eq ftp

and place them at the beginning of the already existing access-list 111?


(keeping the above scenario in mind)

In a dynamic ACL, we use a username and password. Say h1 is assigned:

username host1

password 123


h2 is assigned :

username host2

password 456


Once h1 and h2 are authenticated by the router, how does the router determine how to generate access-list statements for each user, i.e. how does the router decide that it has to permit h1 access to the web server only, and access to the ftp server only to h2, based only on the configured usernames and passwords?


Thanks a lot.


Correct Answer
Jon Marshall Wed, 08/05/2009 - 09:19

Sarah


Not sure what you are referring to by dynamic ACL? There are ACLs that dynamically open up ports, but this is not what you seem to be talking about.


Could you provide a pointer to docs?


Jon

sarahr202 Wed, 08/05/2009 - 13:08

Thanks Jon.


I was reading about IP ACLs. The book also mentioned dynamic ACLs. In a dynamic ACL, ACL statements are dynamically created and added to the existing ACL. The book mentions an example which could benefit from a dynamic ACL.

I'll explain the book example briefly.

Let's say Laptop1 is connected to the enterprise network. Laptop1 is given access to a web server located inside the enterprise network.


laptop1--( enterprise net)--s0R- webS


Where laptop1 has 1.1.1.1

R router

webS web server has 2.2.2.2

According to my book, to only allow laptop1 access to the web server, an access list is configured on the router as:

access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq www

int s0

ip access-group 101 in


==========================


The user of laptop1 unplugged laptop1 from the enterprise network, went home, connected it to the internet and was assigned 3.3.3.3/9 by his ISP.

To allow laptop1 to still access the web server, we have two options:


1) replace the access-list statement

"access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq www"

by "access-list 101 permit tcp host 3.3.3.3 host 2.2.2.2 eq www"


2) use a dynamic ACL on the router.

In a dynamic ACL, laptop1 is assigned a username and password which are configured on the router, i.e. R.

Laptop1 is then asked to first telnet to the router and supply the username and password. Once successfully authenticated, the router then dynamically generates the access-list statement allowing laptop1 to access the web server. This dynamically generated access-list statement is then added to the beginning of the access list, which in our case is access-list 101.


In short, the access list configured on the router earlier to allow laptop1 access to the web server will look something like this:

access-list 101 permit tcp host 3.3.3.3 host 2.2.2.2 eq www

access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq www

The router removes the dynamic entry from the ACL after a period of inactivity.


=================================


My question is: how does the router determine what access-list statement to generate so that laptop1 can access the web server by just the username and password configured on the router? My hunch is that when we configure the username and password on the router, we must tell the router that if the user is authenticated, it can have this access, which in our case is web access.


thanks a lot.



Correct Answer
Peter Paluch Wed, 08/05/2009 - 13:45

Jon,


The dynamic ACLs, also known as Lock-and-Key ACLs, are ACLs that are created on behalf of a user when he authenticates with his proper username and password. These ACLs can be used to allow access from the client to the company's internal network by dynamically adding the client's IP address into the access list after he has authenticated correctly.


Personally, I treat them as a contraption before VPNs became ubiquitous but they might be helpful in some cases.


If you are interested in reading more in detail, visit this URL:


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_lock_key_secrty_ps6350_TSD_Products_Configuration_Guide_Chapter.html


Best regards,

Peter


Correct Answer
Jon Marshall Wed, 08/05/2009 - 13:48

Peter


Ahh, that makes more sense. Never used them, to be honest, and I was thinking perhaps Sarah was referring to something like downloadable ACLs, but you are spot on.


Thanks for the link, I'll have a quick read, although as you say there are far more secure methods these days :-)


Jon

Correct Answer
Peter Paluch Wed, 08/05/2009 - 14:08

Hello,


This is a problem. The dynamic ACLs by themselves are not directly tied to usernames/passwords. Any user that has logged in correctly is allowed to execute the access-enable host command to generate an ACL entry for his IP address. However, there is no option of choosing which ACL or which entry should be instantiated in the ACL for the particular client's IP address. The logic here is strict and simple: after issuing that command, take note of the client's IP address and replace the "any" wildcard in the proper portion (source or destination, depending on the direction of the ACL) of the dynamic ACL with the client's IP address, leaving all other fields intact.


Personally, I am not aware of any other automated option for this. There is a user EXEC command "access-template" that allows you to enter entries in a dynamic ACL with more specific fields; however, this requires you to know the precise IP addresses in advance. Besides that, I don't know about any other solution (which of course does not mean it does not exist).


Best regards,

Peter


sarahr202 Thu, 08/06/2009 - 13:58

Thanks a lot Peter.

"The logic here is strict and simple: after issuing that command, take note of the client's IP address and replace the "any" wildcard in the proper portion (source or destination, depending on the direction of the ACL) of the dynamic ACL with the client's IP address, leaving all other fields intact."


Can you please elaborate on the above excerpt by an illustration?


thanks a lot.

Correct Answer
Peter Paluch Thu, 08/06/2009 - 14:14

Hello,


Assume a topology looking like this:


INTERNET ----- f0/0 ROUTER f0/1 ----- Internal Company Network


The internal network is 192.0.2.0/24 on the fa0/1 interface. You are logging into the router and you want to access the internal network from the internet.


Let us have this ACL:

access-list 100 permit tcp any any eq telnet

access-list 100 dynamic DynList1 permit ip any 192.0.2.0 0.0.0.255


and let us apply it on the fa0/0 interface in the inbound direction. Now imagine that a user telnets into the router from the IP 223.255.255.1 and issues the access-enable host command. In the dynamic ACL a new entry will be created in the form:


access-list 100 permit ip host 223.255.255.1 192.0.2.0 0.0.0.255


In other words, on the inbound ACL, the source "any" was replaced by the client's IP address.


Similarly, let us have another ACL defined:


access-list 101 permit tcp any any eq telnet

access-list 101 dynamic DynList2 permit ip 192.0.2.0 0.0.0.255 any


and let us have this ACL applied on the fa0/0 interface in the outbound direction. Now, after a user logs in as before and issues the access-enable host command, a new entry will be created in the ACL:


access-list 101 dynamic DynList2 permit ip 192.0.2.0 0.0.0.255 host 223.255.255.1


So now, for a dynamic ACL in the outbound direction, the destination "any" was replaced by the client's IP address.


Does this make it a bit more clear?


Best regards,

Peter


sarahr202 Fri, 08/07/2009 - 08:28

Thanks Peter for your time and patience.


One thing I noticed is that the dynamic ACL only changes the "any" entry to the host IP address.


In your case, the host is allowed to access any machine inside the internal network from the internet. How about if we don't want the host to have all access to every machine in the network? Let's say we want the host to be able to telnet into a server (1.1.1.1) located inside the internal network.

Can I modify the dynamic ACL as:

access-list 101 dynamic zeelist2 permit tcp any host 1.1.1.1 eq telnet ? Am I correct?



=================================


(excerpt from your post)


"access-list 100 permit tcp any any eq telnet

access-list 100 dynamic DynList1 permit ip any 192.0.2.0 0.0.0.255 "


The first statement allows telnet access to any machine from any host. How about if we want only certain hosts to be able to access the server (1.1.1.1) inside the company network from the internet? In that case, don't we need only one statement such as:

access-list 101 dynamic zeelist1 permit tcp any host 1.1.1.1 eq 23 ? Am I correct?


Thanks a lot and have a nice weekend.


Peter Paluch Tue, 08/11/2009 - 00:47

Hello,


I am sorry for replying late.


Yes, you are right - depending on the direction of the dynamic ACL, only the "any" in the source or the destination part of the ACL gets replaced with the host's IP address.


Of course, you can make the dynamic ACL entry far more specific than I have suggested here - I wanted to make it as simple as possible. Assuming that you wanted to access only, say, the HTTPS servers within your network, the ACL for the inbound direction would look as follows:


access-list 100 permit tcp any any eq telnet

access-list 100 dynamic DynList1 permit tcp any 192.0.2.0 0.0.0.255 eq 443


Note that I have maintained the first line concerning the Telnet. That one is there to allow hosts to actually telnet into your router. Of course, if you don't want to let them telnet into your entire internal network then the first entry should be far more specific. Assuming that the router's IP address is, say, 223.255.255.1 and this is the only IP onto which the hosts connect via telnet to authenticate themselves, the ACL could be constructed as follows:


access-list 100 permit tcp any host 223.255.255.1 eq telnet

access-list 100 dynamic DynList1 permit tcp any 192.0.2.0 0.0.0.255 eq 443


Best regards,

Peter
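
To make the replacement rule Peter describes (inbound: the source "any" is replaced; outbound: the destination "any") and his tightening of the telnet line concrete, here is an added Python model of how a Lock-and-Key entry is instantiated and then evaluated against traffic. It is my own illustration, not Cisco's code or anything posted in this thread; the client address 198.51.100.7 and the internet host 203.0.113.9 used in the checks are constructed, and placing the temporary entry at the head of the list follows the thread's description rather than IOS internals.

```python
import ipaddress
PORTS = {"telnet": 23, "www": 80, "ftp": 21}   # port names used in the thread

def _addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(toks[0] + "/" + toks[1]), toks[2:]  # wildcard = hostmask

def parse(line):
    """Parse one numbered-ACL line of the shape used in this thread into a dict."""
    toks = line.split()[2:]                      # drop 'access-list <number>'
    name = toks[1] if toks[0] == "dynamic" else None
    if name:
        toks = toks[2:]                          # drop 'dynamic <name>'
    action, proto = toks[0], toks[1]
    src, toks = _addr(toks[2:])
    dst, toks = _addr(toks)
    # None means every port; 'eq' may carry a name ('telnet') or a number ('443')
    port = (int(toks[1]) if toks[1].isdigit() else PORTS[toks[1]]) if toks[:1] == ["eq"] else None
    return {"dynamic": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}

def access_enable(acl, client_ip, direction):
    """Model 'access-enable host': copy the dynamic template for client_ip.
    Inbound ACL: the source 'any' is replaced; outbound: the destination 'any'."""
    tmpl = next(e for e in acl if e["dynamic"])
    field = "src" if direction == "in" else "dst"
    entry = dict(tmpl, dynamic=None, **{field: ipaddress.ip_network(client_ip + "/32")})
    return [entry] + acl       # temporary entry at the head, as the thread describes it

def permits(acl, src, dst, proto, port):
    """First matching entry wins; the un-instantiated template never matches; implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["dynamic"]:
            continue
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and e["port"] in (None, port)):
            return e["action"] == "permit"
    return False

# Peter's inbound ACL with the wide-open telnet line, beside his tightened version
# (223.255.255.1 plays the router's own address, as in his last post).
WEAK = [parse("access-list 100 permit tcp any any eq telnet"),
        parse("access-list 100 dynamic DynList1 permit tcp any 192.0.2.0 0.0.0.255 eq 443")]
TIGHT = [parse("access-list 100 permit tcp any host 223.255.255.1 eq telnet"),
         parse("access-list 100 dynamic DynList1 permit tcp any 192.0.2.0 0.0.0.255 eq 443")]
```

With WEAK, any internet host can telnet to any internal machine before authenticating at all; with TIGHT, telnet reaches only the router, and port 443 to the inside opens only for the address that issued access-enable.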

