Cisco Support Community
New Member

NAT and Lock & Key Dynamic Access Lists

Anyone know whether NAT & dynamic access lists (lock & key) can be used together?

I'm trying to allow authenticated inbound access via port 3389 across a NAT'ed 12.2 1721.

I can get NAT to work & I can get lock&key to work, but not both together.


Re: NAT and Lock & Key Dynamic Access Lists

Yikes! Not really sure about the answer here but I am hoping to be able to talk you out of Lock and Key. Any chance you can use a feature we call Auth-Proxy instead? This was developed to replace Lock and Key. To be honest, we have done little or no development on Lock and Key in a long time and you will also have a hard time finding many TAC engineers that remember this feature ;)

Take a look at the following sample config for some info on Auth-Proxy and NAT combined:

New Member

Re: NAT and Lock & Key Dynamic Access Lists


The sample deployments of auth proxy I've looked at all seem to require a separate tacacs+ or radius server, and a lot of statements. All I'm looking for is a single authenticated (local) login that would allow external access with windows terminal services (3389) to a single server.

The lock & key dynamic access list concept allowed that to happen with 3 statements with a local username.

Re: NAT and Lock & Key Dynamic Access Lists

OK. You do not *need* an AAA server to do Auth-Proxy, but I can't imagine this feature scaling very well without one. However, I guess I cannot argue with the ease of configuration. So, back to the original question. Can you elaborate a bit more on exactly what is not working with respect to Lock and Key and NAT? What are you NAT'ing? Perhaps a sanitized config will help a little...


New Member

Re: NAT and Lock & Key Dynamic Access Lists


I'm actually working off the 12.0 IOS security book & a TAC-authored technote "Lock&Key: Dynamic Access Lists" dated 3/12/03. The config with both NAT & L&K set is:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1720R
!
logging queue-limit 100
enable secret 5 $1$e.UL$sfQWgNqbf8HLjmfdY/OMj.
!
! Local account used for the lock-and-key vty login; stored in clear text
! because service password-encryption is disabled above
username testuser password 0 123456
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface BRI0
 no ip address
 encapsulation hdlc
!
! Inside (LAN) interface; address omitted in the post
interface FastEthernet0
 ip address
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 no fair-queue
!
! Outside (WAN) interface; ACL 120 with the dynamic entry is applied inbound here
interface Serial1
 bandwidth 2000
 ip address
 ip access-group 120 in
 ip nat outside
 clockrate 2000000
!
! PAT for outbound LAN traffic plus a static port mapping for the terminal server
ip nat inside source list 10 interface Serial1 overload
ip nat inside source static tcp 3389 3389 extendable
ip classless
ip route
no ip http server
!
access-list 10 permit
! Lock-and-key: the dynamic entry is inserted when a vty user runs access-enable;
! "timeout 10" is the absolute lifetime of the entry in minutes
access-list 120 dynamic testlist timeout 10 permit ip any any
! Telnet to the router must be permitted so the user can reach the login prompt
access-list 120 permit tcp any host eq telnet
!
line con 0
 exec-timeout 0 0
 password red
 logging synchronous
line aux 0
line vty 0 4
 login local
 ! access-enable without the host keyword creates the entry for any source,
 ! not only the authenticating client; "timeout 5" is the idle timeout in minutes
 autocommand access-enable timeout 5



After I telnet to the router and authenticate:

1720R#sh access-lists
Standard IP access list 10
    permit, wildcard bits (85 matches)
Extended IP access list 120
    Dynamic testlist permit ip any any
       permit ip any any (106 matches) (time left 23)
    permit tcp any host eq telnet (54 matches)


At this point I can't WTS into the host, but the outbound access is OK. When the dynamic ACL times out, the outbound access disappears.

The problem is that the client is a remote non-profit with a single server, few users and little cash.

Thanks for noticing this.


New Member

Re: NAT and Lock & Key Dynamic Access Lists


Problem solved. enabling CBAC on the inside interface made this work as expected. The unexpected issue is that you can no longer telnet into the firewall itself. Oh well...
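As an added example, not the poster's config and not a Cisco sample, here is a minimal version of the arrangement the last post describes as working: a static port mapping for 3389, lock-and-key on ACL 120 inbound on the outside interface, and CBAC inspection on the inside interface so that return traffic for outbound LAN sessions no longer depends on the dynamic entry. Addresses are taken from the RFC 5737 documentation ranges, and the inspect name LK-FW, the dynamic list name rdplist, the server address and the timeouts are assumptions. Two deliberate changes from the posted config: the dynamic entry permits only TCP 3389 to the server's global address instead of ip any any, and access-enable is given the host keyword so the entry is created for the authenticating client's source address rather than for any source.

```cisco
! Added example, not from the thread. Addresses and names are assumptions.
service password-encryption
hostname 1720R
!
! "secret" stores an MD5 hash; it needs 12.2(8)T or later. On older images
! use "password" and rely on service password-encryption above.
username testuser secret 123456
!
! CBAC: inspect TCP/UDP sessions entering the router from the LAN and open
! the matching return traffic through the inbound ACL on Serial1
ip inspect name LK-FW tcp
ip inspect name LK-FW udp
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect LK-FW in
!
interface Serial1
 ip address 203.0.113.2 255.255.255.252
 ip access-group 120 in
 ip nat outside
!
ip nat inside source list 10 interface Serial1 overload
! Terminal server 192.168.1.10 is reachable as 203.0.113.2:3389 from outside
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.2 3389 extendable
!
access-list 10 permit 192.168.1.0 0.0.0.255
! Inbound ACLs on the outside interface are evaluated before NAT, so the
! destination is the global address. The dynamic entry only admits RDP to the
! server; "timeout 10" is the absolute lifetime in minutes.
access-list 120 dynamic rdplist timeout 10 permit tcp any host 203.0.113.2 eq 3389
! Telnet to the router is still required to reach the lock-and-key login prompt
access-list 120 permit tcp any host 203.0.113.2 eq telnet
!
line vty 0 4
 login local
 ! "host" substitutes the telnet client's address for "any" in the dynamic
 ! entry; "timeout 5" is the idle timeout in minutes
 autocommand access-enable host timeout 5
```

After a user telnets to 203.0.113.2, authenticates and is disconnected by the autocommand, show access-lists should list the dynamic rdplist entry with that single source host and its time left, and the entry should disappear on its own at the idle or absolute timeout. Without the host keyword the same entry would read permit tcp any host 203.0.113.2 eq 3389, so one login would expose the server to every source address for the lifetime of the entry. The thread also reports that enabling CBAC prevented telnet to the router itself; this example does not address that report.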