This is a sample configuration for a conditional ACL, often called Lock & Key. After a user authenticates to the router, it allows that host's traffic for a limited time.
Host IP = 10.10.12.1
Cisco-router = Fa0/0:10.10.12.2
Server IP = 10.10.23.3
1. Create an account
Cisco-router(config)# username ACCESS password cisconet
2. Create the ACL
Cisco-router(config)# access-list 101 permit tcp any host 10.10.12.2 eq telnet
Cisco-router(config)# access-list 101 dynamic ACCESS timeout 2 permit ip any any
* Timeout in minutes (absolute lifetime of the temporary entry).
** Dynamic ACL name: ACCESS
3. Apply the ACL
Cisco-router(config)# interface fa0/0
Cisco-router(config-if)# ip access-group 101 in
4. Configure the vty lines
Cisco-router(config)# line vty 0 4
Cisco-router(config-line)# login local
Cisco-router(config-line)# autocommand access-enable host timeout 1
* Timeout in minutes (idle timeout of the temporary entry; the host keyword limits the entry to the authenticating host).
5. Verifying
From the host (10.10.12.1), telnet to 10.10.12.2 to authenticate. After authentication, the router allows traffic from host 10.10.12.1:
Cisco-router#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any host 10.10.12.2 eq telnet (75 matches)
20 Dynamic telnet permit ip any any
permit ip host 10.10.12.1 any (49 matches) (time left 54)
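The two timeouts and the host keyword above are where Lock & Key configurations usually go wrong. The following checker is an added example (not part of the original post): it parses the dynamic ACL template and the vty autocommand from a config text and flags a missing absolute timeout, a missing host keyword, an idle timeout that is not below the absolute timeout, and a permit-everything template. The config strings are constructed from the post's commands.

```python
import re

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+dynamic\s+(\S+)(?:\s+timeout\s+(\d+))?\s+(?:permit|deny)\s+(.*)$")
AUTOCMD_RE = re.compile(r"^autocommand\s+access-enable\b(.*)$")


def lint_lock_and_key(config: str) -> list[str]:
    """Return findings for a Lock & Key config; an empty list means none."""
    findings, dyn, autocmd = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            num, name, abs_to, rule = m.groups()
            dyn = (num, name, int(abs_to) if abs_to else None, rule.strip())
        elif m := AUTOCMD_RE.match(line):
            autocmd = m.group(1).split()   # e.g. ['host', 'timeout', '1']
    if dyn is None:
        return ["no 'access-list N dynamic NAME ...' template found"]
    num, name, abs_to, rule = dyn
    if abs_to is None:
        findings.append(f"acl {num} dynamic {name}: no absolute timeout")
    if rule == "ip any any":
        findings.append(f"acl {num} dynamic {name}: template permits ip any any; narrow it")
    if autocmd is None:
        findings.append("vty: no 'autocommand access-enable', login never creates the entry")
        return findings
    if "host" not in autocmd:
        findings.append("vty: access-enable without 'host' opens the entry to any source")
    idle = int(autocmd[autocmd.index("timeout") + 1]) if "timeout" in autocmd else None
    if idle is None and abs_to is None:
        findings.append("vty: no idle or absolute timeout, entry persists until cleared")
    if idle is not None and abs_to is not None and idle >= abs_to:
        findings.append(f"vty: idle timeout {idle} >= absolute timeout {abs_to}")
    return findings


# Constructed from the post's commands.
PAGE_CONFIG = """\
access-list 101 permit tcp any host 10.10.12.2 eq telnet
access-list 101 dynamic ACCESS timeout 2 permit ip any any
line vty 0 4
 login local
 autocommand access-enable host timeout 1
"""
# Constructed weak variant: absolute timeout and 'host' keyword removed.
WEAK_CONFIG = PAGE_CONFIG.replace(" timeout 2", "").replace("access-enable host", "access-enable")

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_lock_and_key(cfg) or ["ok"])
```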