08-07-2009 11:00 AM - edited 03-06-2019 07:09 AM
Hi everybody.
My book says the dynamic ACL feature generates a dynamic ACL statement and adds it to the beginning of the ACL. That means before the dynamic statement can be added, there must already be an ACL configured.
Let's say we have a small network where every host can access every application on every machine as long as every host tries to connect from within the network. Let's say we make an exception for host1, a laptop which can have the same access to every application in the network even if it connects through the internet. In that case do I need only one dynamic statement allowing access to h1?
Will it work?
But we did not have any ACL already configured to which the dynamically generated ACL statement could be added?
thanks
08-07-2009 11:06 AM
Sarah
If you were accessing the LAN resources from the internet you would be coming in on a different router interface than the interface you would use for access from the LAN.
On the Internet facing router interface you would, or should, have an ACL already denying all traffic except that which you explicitly allow. So when the laptop user logs in from home an additional line will be entered in this ACL above the deny at the end of the ACL.
Note that the deny at the end of the ACL may be implicit, i.e. it's not actually written in as an entry, or explicit, i.e. you have "deny ip any any" at the end.
Jon
08-07-2009 11:11 AM
Hi Sarah,
Dynamic ACL is used to open a port for a host outside of your network once it is authenticated (local DB or TACACS+) with the local router.
Let's assume interface ethernet0 is your internet connection, with the following example:
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host a.b.c.d eq http
access-list 101 dynamic mytestlist timeout 120 permit tcp any any eq telnet
line vty 0
login local
autocommand access-enable timeout 5
The dynamic entry is created under the statement "access-list 101 dynamic ..." to allow access to the internal network for TELNET only once the user is authenticated. Also, for any ACL there is always a deny any any at the end.
HTH,
jerry
08-07-2009 12:42 PM
Thanks Jerry and Jon.
How about if there is no access list configured on the router beforehand, and we just configure
access-list 101 dynamic mytestlist permit tcp any any eq telnet,
autocommand access-enable timeout 5
I understand the above config will generate a dynamic ACL statement which would then be added to the existing ACL, but we don't have any existing ACL, just one statement:
access-list 101 dynamic mytestlist permit tcp any any eq telnet
line vty 0
login
autocommand access-enable timeout 5 permit tcp any any eq telnet
thanks
08-07-2009 12:55 PM
Hi Sarah,
You need one more line of ACL, and I missed it completely from the example. Sorry for the confusion. Since you are allowing the Internet to TELNET to your router for authentication, and the ACL is applied inbound on the Internet facing interface, you need the permit for telnet to the router first, then the dynamic ACL. If you have any routing protocol, you need to include that also.
The ACL example should really look like this:
access-list 101 permit tcp any host router_internet_IP eq telnet
access-list 101 dynamic mytestlist permit tcp any any eq telnet
Assuming you are not running any routing protocol.
HTH,
jerry
08-07-2009 01:33 PM
Thanks Jerry.
Assume we did not restrict the telnet connections to the router by any access list, so there is no access list. Any user with the correct password for telnet is thus able to telnet into the router.
Having successfully telnetted, the user will be prompted for username and password. Once the user is successfully authenticated, the router will generate a dynamic access-list statement, assuming the router is configured with:
access-list 101 dynamic mytestlist permit tcp any any eq telnet
Since there is no access list configured, where will this newly generated statement be added?
My hunch is that since I configured the command "access-list 101 dynamic mytestlist permit tcp any any eq telnet", it means access-list 101 exists with an implicit deny statement, so the router adds the newly generated dynamic statement to access-list 101 at the beginning. Am I correct?
thanks a lot.
08-09-2009 02:37 PM
Hi Sarah,
Assuming you are able to telnet into the router, are successfully authenticated and have activated the dynamic ACL, the new dynamic statement will be right under the dynamic statement, like this:
R1#show ip access-list 101
Extended IP access list 101
10 Dynamic mytestlist permit tcp any any eq telnet
permit tcp host 10.10.10.10 any eq telnet
Realistically, like I said before, you also have to allow telnet into the router.
HTH,
jerry
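The following is an added illustration for this thread, not Cisco code and not any poster's configuration. It is a small Python model of the behaviour jerry and Jon describe: the "dynamic" line is only a template that never matches packets by itself, a successful vty login inserts a temporary permit directly under that template, and every ACL ends in an implicit deny. It assumes the vty runs "autocommand access-enable host timeout 5", where the "host" keyword substitutes the authenticated client's address for the template's source (which is what produces "host 10.10.10.10" in the show output above). The router address 172.18.23.9 and client 10.10.10.10 come from the thread; the internal host 192.168.1.20 and the unauthenticated source 203.0.113.7 are constructed sample values. The second scenario reproduces Sarah's question: with only the dynamic line configured, the implicit deny blocks the telnet login itself, so no temporary entry is ever created.

```python
# Toy model of Cisco IOS lock-and-key (dynamic ACL) evaluation.
# Added example for this thread; not Cisco code and not a poster's config.
# Assumption: vty uses "autocommand access-enable host timeout 5", so the
# temporary entry's source is the authenticated client's address.
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23
ROUTER_INTERNET_IP = "172.18.23.9"   # interface ethernet0 address from the thread


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    src: str                       # "any" or a host address
    dst: str                       # "any" or a host address
    port: Optional[int] = None     # destination port, None = any port
    dynamic: Optional[str] = None  # name of the dynamic list (template entry)
    temporary: bool = False        # True for entries created by access-enable

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        if self.dynamic is not None:
            return False           # the template never matches packets itself
        if self.proto != "ip" and self.proto != proto:
            return False
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and (self.port is None or self.port == port))


class Acl:
    def __init__(self, entries: List[Entry]):
        self.entries = list(entries)

    def evaluate(self, proto: str, src: str, dst: str, port: int) -> str:
        """First matching entry wins; no match means the implicit deny."""
        for e in self.entries:
            if e.matches(proto, src, dst, port):
                return e.action
        return "deny"

    def access_enable_host(self, client_ip: str) -> Entry:
        """Simulate a successful vty login running "access-enable host":
        copy the dynamic template, replace its source with the client,
        and insert the temporary entry directly under the template."""
        for i, e in enumerate(self.entries):
            if e.dynamic is not None:
                temp = Entry(e.action, e.proto, client_ip, e.dst, e.port, temporary=True)
                self.entries.insert(i + 1, temp)
                return temp
        raise ValueError("ACL has no dynamic entry to activate")

    def show(self) -> List[str]:
        """Roughly the shape of 'show ip access-list' output (port shown numerically)."""
        lines = []
        for e in self.entries:
            port = f" eq {e.port}" if e.port is not None else ""
            src = e.src if e.src == "any" else f"host {e.src}"
            dst = e.dst if e.dst == "any" else f"host {e.dst}"
            prefix = f"Dynamic {e.dynamic} " if e.dynamic else ""
            lines.append(f"{prefix}{e.action} {e.proto} {src} {dst}{port}")
        return lines


def jerry_acl() -> Acl:
    """ACL 101 from the corrected reply: permit telnet to the router, then the template."""
    return Acl([
        Entry("permit", "tcp", "any", ROUTER_INTERNET_IP, TELNET),
        Entry("permit", "tcp", "any", "any", TELNET, dynamic="mytestlist"),
    ])


def dynamic_only_acl() -> Acl:
    """The ACL Sarah asked about: only the dynamic line and nothing else."""
    return Acl([Entry("permit", "tcp", "any", "any", TELNET, dynamic="mytestlist")])


def can_authenticate(acl: Acl, client_ip: str) -> bool:
    """Can the client even reach the router's vty through the inbound ACL?"""
    return acl.evaluate("tcp", client_ip, ROUTER_INTERNET_IP, TELNET) == "permit"


def walkthrough(acl: Acl, client_ip: str, internal_host: str) -> dict:
    """Before/after view of inbound telnet from the client to an internal host."""
    before = acl.evaluate("tcp", client_ip, internal_host, TELNET)
    authenticated = can_authenticate(acl, client_ip)
    if authenticated:
        acl.access_enable_host(client_ip)   # login succeeded, temporary entry created
    after = acl.evaluate("tcp", client_ip, internal_host, TELNET)
    other = acl.evaluate("tcp", "203.0.113.7", internal_host, TELNET)  # constructed
    return {"before": before, "authenticated": authenticated,
            "after": after, "other_host": other}


if __name__ == "__main__":
    print(walkthrough(jerry_acl(), "10.10.10.10", "192.168.1.20"))
    print(walkthrough(dynamic_only_acl(), "10.10.10.10", "192.168.1.20"))
```

Running the two scenarios shows the difference the thread turns on: with the telnet-to-router permit in place, the client's traffic is denied before login and permitted only for that one host afterwards, while a second source stays blocked; with only the dynamic line, the login is itself denied by the implicit deny, so the ACL never changes.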