dynamic acl and existance of standard, extended acl

Hi everybody.

My book says the dynamic acl feature generates a dynamic acl statement and adds it to the beginning of the acl. That means before a dynamic statement can be added, there must be an acl already configured.

Let's say we have a small network where every host can access every application on every machine as long as every host tries to connect from within the network. Let's say we make an exception for host1, a laptop which can have the same access to every application in the network even if it connects through the internet. In that case do I need only one dynamic statement allowing access to h1?

Will it work?

But we did not have any acl configured already to which the dynamically generated acl statement could be added?

Thanks

2 ACCEPTED SOLUTIONS
Hall of Fame Super Blue

Re: dynamic acl and existance of standard, extended acl

Sarah

If you were accessing the LAN resources from the internet you would be coming in on a different router interface than the interface you would use for access from the LAN.

On the Internet facing router interface you would or should have an acl already denying all traffic except that which you explicitly allow. So when the laptop user logs in from home an additional line will be entered in this acl above the deny at the end of the acl.

Note that the deny at the end of the acl may be implicit, i.e. it's not actually written in as an entry, or explicit, i.e. you have "deny ip any any" at the end.

Jon

Cisco Employee

Re: dynamic acl and existance of standard, extended acl

Hi Sarah,

A dynamic ACL is used to open a port for a host outside of your network once it is authenticated (local DB or TACACS+) with the local router.

Let's assume interface ethernet0 is your internet, with the following example:

interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any host a.b.c.d eq http
access-list 101 dynamic mytestlist timeout 120 permit tcp any any eq telnet
!
line vty 0
 login local
 autocommand access-enable timeout 5

The dynamic entry is created under the "access-list 101 dynamic" statement to allow access to the internal network for TELNET only once the user is authenticated. Also, for any ACL there is always a deny any any at the end.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_lock_key_secrty_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001177

HTH,

jerry

6 REPLIES
Bronze

Re: dynamic acl and existance of standard, extended acl

Thanks Jerry and Jon.

How about if there is no access list configured on the router before and we just configure

access-list 101 dynamic mytestlist permit tcp any any eq telnet
autocommand access-enable timeout 5

I understand the above config will generate a dynamic acl statement which would then be added to the existing acl, but we don't have any existing acl, just one statement:

access-list 101 dynamic mytestlist permit tcp any any eq telnet
!
line vty 0
 login
 autocommand access-enable timeout 5 permit tcp any any eq telnet

thanks

Cisco Employee

Re: dynamic acl and existance of standard, extended acl

Hi Sarah,

You need one more line of ACL, and I missed it completely from the example. Sorry for the confusion. Since you are allowing the Internet to TELNET to your router for authentication, and the ACL is applied inbound on the Internet facing interface, you need the permit telnet to the router first, then the dynamic ACL. If you have any routing protocol, you need to include that also.

The ACL example should really look like this:

access-list 101 permit tcp any host router_internet_IP eq telnet
access-list 101 dynamic mytestlist permit tcp any any eq telnet

Assuming you are not running any routing protocol.

HTH,

jerry

Bronze

Re: dynamic acl and existance of standard, extended acl

Thanks Jerry.

Assume we did not restrict the telnet connections to the router by any access list, so there is no access list. Any user with the correct password for telnet is thus able to telnet into the router.

Having successfully telnetted, the user will be prompted for username and password. Once the user is successfully authenticated, the router will generate a dynamic access list statement, assuming the router is configured with:

access-list 101 dynamic mytestlist permit tcp any any eq telnet

Since there is no access list configured, where will this newly generated statement be added to?

My hunch is that since I configured the command "access-list 101 dynamic mytestlist permit tcp any any eq telnet", it means access-list 101 exists with an implicit deny statement, so the router adds the newly generated dynamic statement to access-list 101 at the beginning. Am I correct?

thanks a lot.

Cisco Employee

Re: dynamic acl and existance of standard, extended acl

Hi Sarah,

Assuming you are able to telnet into the router, successfully authenticate and activate the dynamic ACL, the new dynamic statement will be right under the dynamic statement, like this:

R1#show ip access-list 101
Extended IP access list 101
    10 Dynamic mytestlist permit tcp any any eq telnet
       permit tcp host 10.10.10.10 any eq telnet

Realistically, like I said before, you have to allow telnet into the router also.

HTH,

jerry
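As an added illustration of what Jerry describes (not code from this thread or from Cisco), a small Python model of a lock-and-key ACL: a static entry, the dynamic template, the temporary entry that access-enable inserts under it, its expiry, and the implicit deny at the end. It assumes access-enable is used with the host keyword (so the caller's address becomes the source, as in the show output above) and uses a constructed internal host 192.0.2.10; the telnet-to-the-router entry from Jerry's corrected ACL is what lets the laptop authenticate at all.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # "any" or a host address
    dst: str
    dport: Optional[int] = None
    dynamic: Optional[str] = None    # name => this is the dynamic template
    expires: Optional[float] = None  # set only on temporary entries

    def matches(self, proto, src, dst, dport):
        if self.dynamic:             # the template itself never matches traffic
            return False
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src) and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))

class LockAndKeyAcl:
    def __init__(self, aces):
        self.aces = list(aces)

    def access_enable(self, caller_ip, timeout_min, now):
        # After a successful vty login (autocommand access-enable host timeout N):
        # copy the template with the caller as source, right under the template.
        for i, ace in enumerate(self.aces):
            if ace.dynamic:
                tmp = Ace("permit", ace.proto, caller_ip, ace.dst, ace.dport,
                          expires=now + timeout_min * 60)
                self.aces.insert(i + 1, tmp)
                return tmp
        raise ValueError("ACL has no dynamic template")

    def evaluate(self, proto, src, dst, dport, now):
        # First match wins; expired entries are purged; unmatched traffic hits
        # the implicit "deny ip any any".
        self.aces = [a for a in self.aces if a.expires is None or a.expires > now]
        for ace in self.aces:
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"

# Addresses: router 172.18.23.9 and laptop 10.10.10.10 are from the thread.
def sarah_acl():   # only the dynamic line, as in Sarah's question
    return LockAndKeyAcl([Ace("permit", "tcp", "any", "any", 23, dynamic="mytestlist")])

def jerry_acl():   # permit telnet to the router first, then the dynamic line
    return LockAndKeyAcl([Ace("permit", "tcp", "any", "172.18.23.9", 23),
                          Ace("permit", "tcp", "any", "any", 23, dynamic="mytestlist")])
```

With only the dynamic line, the laptop's telnet to the router itself falls through to the implicit deny, so the login that would create the temporary entry never happens; with the extra permit, the internal host is reachable only after access-enable and only until the timeout.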
