Hi everybody.
My book says the dynamic ACL feature generates a dynamic ACL statement and adds it to the beginning of the ACL. That means before a dynamic statement can be added, there must already be an ACL configured.
Let's say we have a small network where every host can access every application on every machine as long as every host tries to connect from within the network. Let's say we make an exception for host1, a laptop which can have the same access to every application in the network even if it connects through the internet. In that case do I need only one dynamic statement allowing access to h1?
Will it work?
But we did not have any ACL configured already where the ACL statement generated dynamically could be added?
A dynamic ACL is used to open a port for a host outside of your network once it is authenticated (local DB or TACACS+) with the local router.
Let's assume interface ethernet0 is your internet, with the following example:
interface Ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
! Static entry: HTTP to the web server is always permitted from the Internet.
access-list 101 permit tcp any host a.b.c.d eq http
! Dynamic template: temporary entries are derived from this line after a successful
! login; 120 is the absolute timeout in minutes. All other traffic hits the implicit deny.
access-list 101 dynamic mytestlist timeout 120 permit tcp any any eq telnet
line vty 0
 autocommand access-enable timeout 5
The dynamic entry is created under the statement "access-list 101 dynamic" to allow access to the internal network for TELNET only, once the user is authenticated. Also, for any ACL there is always a deny any any at the end.
If you were accessing the LAN resources from the internet, you would be coming in on a different router interface than the interface you would use for access from the LAN.
On the Internet-facing router interface you would, or should, have an ACL already denying all traffic except that which you explicitly allow. So when the laptop user logs in from home, an additional line will be entered in this ACL above the deny at the end of the ACL.
Note that the deny at the end of the ACL may be implicit, i.e. it is not actually written in as an entry, or explicit, i.e. you have "deny ip any any" at the end.
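To make the behaviour described in the two answers above concrete (the temporary entry that a login inserts ahead of the static entries, the idle and absolute timeouts, and the implicit deny that still catches everything else), here is a small first-match ACL simulator. It is an added illustration, not code from the original thread or from Cisco IOS; the addresses 10.0.0.80 and 203.0.113.x are constructed, with 10.0.0.80 standing in for the post's a.b.c.d.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a CIDR prefix
    dst: str
    dport: Optional[int]          # None = any destination port
    absolute_exp: Optional[float] = None   # only set on temporary (lock-and-key) entries
    idle_len: Optional[float] = None       # idle timeout in seconds, refreshed on each match
    idle_exp: Optional[float] = None

def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)
def _match(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    return (e.proto in ("ip", proto) and _net_match(e.src, src)
            and _net_match(e.dst, dst) and e.dport in (None, dport))

class LockAndKeyAcl:
    """First-match ACL: temporary entries precede the static ones; implicit deny at the end."""
    def __init__(self, static: List[Entry], template: Entry, absolute_min: int):
        self.static, self.template = static, template
        self.absolute = absolute_min * 60     # 'dynamic <name> timeout 120' (minutes)
        self.temporary: List[Entry] = []

    def access_enable(self, host: str, now: float, idle_min: int) -> None:
        # 'autocommand access-enable timeout 5': the authenticated host's address
        # replaces the template's source 'any' and the entry goes in front of the list.
        t = self.template
        self.temporary.insert(0, Entry(t.action, t.proto, f"{host}/32", t.dst, t.dport,
                                       now + self.absolute, idle_min * 60, now + idle_min * 60))

    def evaluate(self, proto: str, src: str, dst: str, dport: int, now: float) -> str:
        self.temporary = [e for e in self.temporary if e.absolute_exp > now and e.idle_exp > now]
        for e in self.temporary + self.static:
            if _match(e, proto, src, dst, dport):
                if e.idle_len is not None:
                    e.idle_exp = now + e.idle_len   # traffic keeps the temporary entry alive
                return e.action
        return "deny"   # the implicit deny at the end of every ACL

def example_acl() -> LockAndKeyAcl:
    """The post's access-list 101 with constructed addresses (10.0.0.80 stands in for a.b.c.d)."""
    static = [Entry("permit", "tcp", "any", "10.0.0.80/32", 80)]   # permit tcp any host a.b.c.d eq http
    template = Entry("permit", "tcp", "any", "any", 23)            # dynamic mytestlist ... eq telnet
    return LockAndKeyAcl(static, template, absolute_min=120)
```

Before `access_enable` runs, telnet from the outside host falls through to the implicit deny; afterwards only that host's address is permitted, and the entry disappears again once the 5-minute idle timeout or the 120-minute absolute timeout passes.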