Hi everybody.
Let's say we have the following scenario of an enterprise network:
h1 host1 22.214.171.124
h2 host2 126.96.36.199
wwwS web server
ftpS ftp server
h1 and h2 have been given access to the www server and the ftp server respectively, by configuring an ACL on the router as follows:
access-list 111 permit tcp host 188.8.131.52 host 10.10.10.10 eq www
access-list 111 permit tcp host 184.108.40.206 host 10.10.10.9 eq ftp
Let's say host1 and host2 were removed from the network and taken to the employees' homes. These two hosts are connected to the internet, where they are assigned different IP addresses, say h1 220.127.116.11 and h2 18.104.22.168.
If we still want to allow these two hosts access to the web server and the ftp server, we have to modify the access list to allow the IP addresses newly acquired by h1 and h2, or use a dynamic ACL.
If we use a dynamic ACL on the router, will the router generate two ACL statements as:
access-list 111 permit tcp host 22.214.171.124 host 10.10.10.10 eq www
access-list 111 permit tcp host 126.96.36.199 host 10.10.10.9 eq ftp
and place them at the beginning of the existing access-list 111?
( keeping the above scenario in mind )
In a dynamic ACL, we use a username and password. Say h1 is assigned:
username host1
h2 is assigned:
Once h1 and h2 are authenticated by the router, how does the router determine how to generate access-list statements for each user, i.e. how does the router decide it has to permit h1 access to the web server only and access to the ftp server to h2 only, based only on the configured usernames and passwords?
Thanks a lot.
Assume a topology looking like this:
INTERNET ----- f0/0 ROUTER f0/1 ----- Internal Company Network
The internal network is 192.0.2.0/24 on the fa0/1 interface. You are logging into the router and you want to access the internal network from the internet.
Let us have this ACL:
access-list 100 permit tcp any any eq telnet
access-list 100 dynamic DynList1 permit ip any 192.0.2.0 0.0.0.255
and let us apply it on the fa0/0 interface in the inbound direction. Now imagine that a user telnets into the router from the IP 188.8.131.52 and issues the access-enable host command. In the dynamic ACL a new entry will be created in the form:
access-list 100 permit ip host 184.108.40.206 192.0.2.0 0.0.0.255
In other words, on the inbound ACL, the source "any" was replaced by the client's IP address.
Similarly, let us have another ACL defined:
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic DynList2 permit ip 192.0.2.0 0.0.0.255 any
and let us have this ACL applied on the fa0/0 interface in the outbound direction. Now, after a user logs in as before and issues the access-enable host command, a new entry will be created in the ACL:
access-list 101 dynamic DynList2 permit ip 192.0.2.0 0.0.0.255 host 220.127.116.11
So now, for a dynamic ACL in the outbound direction, the destination "any" was replaced by the client's IP address.
Does this make it a bit more clear?
This is a problem. The dynamic ACLs by themselves are not directly tied to usernames/passwords. Any user that has logged in correctly is allowed to execute the access-enable host command to generate an ACL entry for his IP address. However, there is no option of choosing which ACL or which entry should be instantiated in the ACL for the particular client's IP address. The logic here is strict and simple: after issuing that command, take note of the client's IP address and replace the "any" wildcard in the proper portion (source or destination, depending on the direction of the ACL) of the dynamic ACL with the client's IP address, leaving all other fields intact.
Personally, I am not aware if there is any other automated option for this. There is a user EXEC command "access-template" that allows you to enter entries in a dynamic ACL with more specific fields; however, this requires you to know the precise IP addresses in advance. Besides that, I don't know about any other solution (which of course does not mean it does not exist).
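A complete Lock-and-Key configuration for the inbound topology described above, added here as an example (not taken from any post in this thread); it also shows why, as the previous reply says, every authenticated user instantiates the same template. The router's f0/0 address 203.0.113.1, the usernames and the timeouts are assumed placeholders.

```cisco
! Added example, not part of any post in this thread. Hypothetical
! Lock-and-Key configuration for the topology in the answer above:
! f0/0 faces the Internet, f0/1 faces the internal 192.0.2.0/24.
! The f0/0 address and the credentials are placeholders.
!
username host1 password 0 PLACEHOLDER-PASSWORD
username host2 password 0 PLACEHOLDER-PASSWORD
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 100 in
!
! Static entry: before a user authenticates, only the Telnet session to the
! router itself is reachable from outside. This is narrower than the
! "permit tcp any any eq telnet" used in the answer above.
access-list 100 permit tcp any host 203.0.113.1 eq telnet
!
! Dynamic template: "any" in the source field is what the router replaces.
! Absolute lifetime of 120 minutes. Every user who logs in successfully
! instantiates this one template, so access cannot be narrowed per username.
access-list 100 dynamic DynList1 timeout 120 permit ip any 192.0.2.0 0.0.0.255
!
! Run access-enable automatically after a successful login and close the
! session; the temporary entry is removed after 10 idle minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 10
!
! After a user logs in from 188.8.131.52, the temporary entry takes the form
! given in the answer above:
!   permit ip host 188.8.131.52 192.0.2.0 0.0.0.255
```

Because the autocommand fires on every vty line here, an administrator who telnets in is also disconnected after the entry is created; Cisco's Lock-and-Key documentation recommends leaving one vty line without the autocommand for management access.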
Ahh, that makes more sense. Never used them, to be honest, and I was thinking perhaps Sarah was referring to something like downloadable ACLs, but you are spot on.
Thanks for the link, I'll have a quick read, although as you say there are far more secure methods these days :-)
The dynamic ACLs, also known as Lock-and-Key ACL, are ACLs that are created on behalf of a user when he authenticates with his proper username and password. These ACLs can be used to allow access from the client to the company's internal network by dynamically adding the client's IP address into the access list after he authenticated correctly.
Personally, I treat them as a contraption before VPNs became ubiquitous but they might be helpful in some cases.
If you are interested in reading more in detail, visit this URL:
Not sure what you are referring to by dynamic ACL? There are ACLs that dynamically open up ports, but this is not what you seem to be talking about.
Could you provide a pointer to docs ?