New Member

NAT and Lock&keyDynamics Access lists

Any know whether NAT & Dynamic Access lists (lock&key) can be used together?

I'm trying to allow authenticated inbound access via port 3389 across a NAT'ed 12.2 1721.

I can get NAT to work & I can get lock&key to work, but not both together.

5 REPLIES

Re: NAT and Lock&keyDynamics Access lists

Yikes! Not really sure about the answer here but I am hoping to be able to talk you out of Lock and Key. Any chance you can use a feature we call Auth-Proxy instead? This was developed to replace Lock and Key. To be honest, we have done little or no development on Lock and Key in a long time and you will also have a hard time finding many TAC engineers that remember this feature ;)

Take a look at the following sample config for some info on Auth-Proxy and NAT combined:

http://www.cisco.com/warp/public/793/ios_fw/auth6.html

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_1.htm

New Member

Re: NAT and Lock&keyDynamics Access lists

Well

The sample deployments of auth proxy I've looked at all seem to require a separate tacacs+ or radius server, and a lot of statements. All I'm looking for is a single authenticated (local) login that would allow external access with windows terminal services (3389) to a single server.

The lock & key dynamic access list concept allowed that to happen with 3 statements with a local username.

Re: NAT and Lock&keyDynamics Access lists

OK. You do not *need* an AAA server to do Auth-Proxy, but I can't imagine this feature scaling very well without one. However, I guess I cannot argue with the ease of configuration. So, back to the original question. Can you elaborate a bit more on exactly what is not working with respect to Lock and Key and NAT? What are you NAT'ing? Perhaps a sanitized config will help a little...

Scott

New Member

Re: NAT and Lock&keyDynamics Access lists

Scott

I'm actually working off the 12.0 IOS security book & a TAC-authored technote "Lock&Key: Dynamic Access Lists" dated 3/12/03. The config with both NAT & L&K set is:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720R
!
logging queue-limit 100
enable secret 5 $1$e.UL$sfQWgNqbf8HLjmfdY/OMj.
!
username testuser password 0 123456
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 bandwidth 2000
 ip address 200.2.2.1 255.255.255.0
 ip access-group 120 in
 ip nat outside
 clockrate 2000000
!
ip nat inside source list 10 interface Serial1 overload
ip nat inside source static tcp 10.1.1.10 3389 200.2.2.1 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 200.2.2.2
no ip http server
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 120 dynamic testlist timeout 10 permit ip any any
access-list 120 permit tcp any host 200.2.2.1 eq telnet
!
line con 0
 exec-timeout 0 0
 password red
 logging synchronous
 login
line aux 0
line vty 0 4
 login local
 autocommand access-enable timeout 5
!
end

After I telnet to the router and authenticate:

1720R#sh access-lists
Standard IP access list 10
    permit 10.1.1.0, wildcard bits 0.0.0.255 (85 matches)
Extended IP access list 120
    Dynamic testlist permit ip any any
       permit ip any any (106 matches) (time left 23)
    permit tcp any host 200.2.2.1 eq telnet (54 matches)
1720R#

At this point, I can't WTS into the host, but the outbound access is OK. When the dynamic ACL times out, the outbound access disappears too.

The problem is that the client is a remote non-profit with a single server, few users and little cash.

Thanks for noticing this.

JC

New Member

Re: NAT and Lock&keyDynamics Access lists

OK

Problem solved. Enabling CBAC on the inside interface made this work as expected. The unexpected issue is that you can no longer telnet into the firewall itself. Oh well...
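The following is an added example and not a config from anyone in this thread. It takes the addresses from the posted 1720R config and shows the three pieces the thread ends up combining: a static port forward for Terminal Services, a lock-and-key dynamic entry, and CBAC inspection on the inside interface as the last post describes. Two things are tightened relative to the posted config: the dynamic entry opens only tcp/3389 to the global address instead of `permit ip any any`, and `access-enable` carries the `host` keyword so the hole is scoped to the client that authenticated. The names `rdp-in` and `FW` are assumptions.

```cisco
! Added example, not from the thread. Addresses are the ones in the posted
! 1720R config; the names "rdp-in" and "FW" are assumed.
!
! Local account used for the lock-and-key telnet login
username testuser password 0 123456
!
! CBAC: inspect sessions that enter the router from the inside so their
! return traffic is opened on Serial1's inbound ACL 120 per session,
! instead of relying on a blanket "permit ip any any"
ip inspect name FW tcp
ip inspect name FW udp
!
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip inspect FW in
!
interface Serial1
 ip address 200.2.2.1 255.255.255.0
 ip access-group 120 in
 ip nat outside
!
! PAT for outbound users plus a static port forward for Terminal Services.
! "extendable" is needed because the same global address is shared with PAT.
ip nat inside source list 10 interface Serial1 overload
ip nat inside source static tcp 10.1.1.10 3389 200.2.2.1 3389 extendable
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
! ACL 120 is evaluated on Serial1 inbound before NAT rewrites the destination,
! so the dynamic entry must name the global address 200.2.2.1, not 10.1.1.10.
! Only tcp/3389 is opened; 10 is the absolute lifetime in minutes.
access-list 120 dynamic rdp-in timeout 10 permit tcp any host 200.2.2.1 eq 3389
! Telnet to the router stays reachable so the user can trigger the entry
access-list 120 permit tcp any host 200.2.2.1 eq telnet
!
line vty 0 4
 login local
 ! "host" replaces "any" in the created entry with the address the user
 ! telnetted from, and 5 is the idle timeout in minutes for that entry
 autocommand access-enable host timeout 5
```

After telnetting in and authenticating, `show access-lists 120` should show the dynamic entry with the client's address as the source and a "time left" counter; if it still reads `any`, the `host` keyword was not applied. The last post reports that telnet to the router itself stopped working once CBAC was enabled and does not say why, so check that separately after applying the inspect rule.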
