Document: Firewall - Dynamic Access List Lab Scenario (pdf)


CertificationZone Page 1 of 3 http://www.certificationzone.com/studyguides/?Issue=18&IssueDate=08-01-2000&CP= 11/06/01
Date of Issue: 08-01-2000

Dynamic Access List Lab Scenario
by Katherine Tallis

Contents
- Introduction
- Required Equipment
- Lab Objectives
- Equipment Configuration
- Solution
- Testing the Dynamic Access List

Introduction

Dynamic, or "lock-and-key," access lists are one of the IOS features commonly used to tighten security on a router. They allow the network administrator to grant temporary access to a network or service when a user gives a valid ID and password. Dynamic access list statements have several advantages over static ACL entries: access can be granted for only a short time, and access can be based on the user rather than on the IP address of the workstation.

In this lab, we will use a dynamic access list statement to allow one router to ping another. Though this is probably not something you would do on a production network, it does illustrate how dynamic ACLs work.

Required Equipment

You will need:
- Two Cisco routers, each with an Ethernet port
- One Ethernet hub
- One workstation with terminal emulation software and an available serial port (for a console connection to the routers)
- Cables:
  - Two Ethernet cables (to connect the routers to the hub), or one crossover cable to connect the routers directly to one another, and
  - One console cable (to connect the workstation to each router's console port)

Lab Objectives

1. Configure RouterA to deny all traffic arriving on its Ethernet port except telnet traffic from RouterB. Include a dynamic statement in the access list to allow ICMP traffic from RouterB if an appropriate user ID and password are given. Set up the user ID and password on the router and configure the VTY line for local login.
2. Confirm that RouterB cannot ping RouterA's Ethernet interface.
3. Telnet from RouterB to RouterA, giving the appropriate ID and password. This will invoke the dynamic statement to allow ICMP traffic.
4. Ping RouterA's Ethernet port to show that the dynamic statement was invoked and that ICMP traffic is allowed in.

Equipment Configuration

The equipment should be connected as shown in the lab diagram. Configure the Ethernet ports with the appropriate addresses and masks (in the solution below, RouterB is 10.200.1.1 and RouterA's Ethernet0 is 10.200.1.2). You do not need to configure a routing protocol.

Configuring a dynamic access list on RouterA involves several steps:
- Create a dynamic access list statement that grants access to RouterB once the user authenticates correctly.
- Set a user name and password that will be used to activate the list entry.
- Enable local authentication on the VTY session (a router can also be configured to authenticate via an external server, for example TACACS+).
- Set an idle timer on the VTY session so that it limits connection time.

Solution

1. Create a user ID and password on RouterA that will be used to invoke the dynamic access list:

       username fred password b3drock

2. On RouterA, create access list 100. The first statement allows you to telnet into RouterA from RouterB:

       access-list 100 permit tcp host 10.200.1.1 any eq telnet

3. Now add the statement that will allow "Fred," once he authenticates, to ping RouterA's interface as well as telnet to it:

       access-list 100 dynamic fred timeout 30 permit icmp any any

4. Add a final access list statement that blocks all other traffic:

       access-list 100 deny ip any any

5. Apply the access list inbound on the Ethernet port that connects to the other router:

       interface Ethernet0
        ip access-group 100 in

6. Finally, ensure that the VTY port is set to authenticate Fred, and set an idle timeout of 10 on the connection:

       line vty 0
        login local
        autocommand access-enable host timeout 10

Testing the Dynamic Access List

Connect to RouterB via its console port using a workstation with terminal emulation software. Try to ping the Ethernet interface on RouterA:

    ping 10.200.1.2

You should get no reply. Now telnet to the VTY port on RouterA:

    telnet 10.200.1.2

You should be prompted for an ID and password. Use the ones you created with the username command. Once the telnet session has been closed, try the ping command again:

    ping 10.200.1.2

It should work this time. If not, go back through the lab and confirm that you followed each step correctly.

[IE-FIRE-LS1-F03] [2000-07-29-01] Copyright © 2000 Genium Publishing Corporation.
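As an added example that is not part of the original lab, the following Python models how RouterA evaluates access list 100 with the lab's two timers (the 30-minute absolute timeout on the dynamic entry and the 10-minute idle timeout set by access-enable), so the test sequence and both expiry cases can be walked through offline; the class and function names are this example's own, and the clock is simulated in seconds.

```python
"""Model of the lab's lock-and-key evaluation on RouterA (added example, not
from the original article). Entries, addresses and timers come from the lab."""

ROUTER_A, ROUTER_B = "10.200.1.2", "10.200.1.1"
ABSOLUTE_TIMEOUT = 30 * 60   # access-list 100 dynamic fred timeout 30 (minutes)
IDLE_TIMEOUT = 10 * 60       # autocommand access-enable host timeout 10 (minutes)


class LockAndKeyAcl:
    def __init__(self):
        self.temp = {}  # host -> [created, last_hit] for temporary entries

    def access_enable(self, host, now):
        # Run by 'autocommand access-enable host' after a successful VTY login:
        # the dynamic entry's 'any' source becomes the telnet client's address.
        self.temp[host] = [now, now]

    def permits(self, proto, src, dport, now):
        """Evaluate a packet arriving inbound on Ethernet0, top-down like IOS."""
        # access-list 100 permit tcp host 10.200.1.1 any eq telnet
        if proto == "tcp" and src == ROUTER_B and dport == 23:
            return True
        # access-list 100 dynamic fred timeout 30 permit icmp any any
        # (inactive until access-enable, then only for the authenticating host)
        entry = self.temp.get(src)
        if entry is not None and proto == "icmp":
            created, last_hit = entry
            if now - created > ABSOLUTE_TIMEOUT or now - last_hit > IDLE_TIMEOUT:
                del self.temp[src]          # expired: fall through to the deny
            else:
                entry[1] = now              # matching traffic resets the idle timer
                return True
        # access-list 100 deny ip any any
        return False


def lab_walkthrough():
    """The lab's test sequence: ping, telnet and log in, ping again, go idle."""
    acl = LockAndKeyAcl()
    before = acl.permits("icmp", ROUTER_B, None, now=0)           # step 2: no reply
    telnet = acl.permits("tcp", ROUTER_B, 23, now=10)             # step 3: telnet in
    acl.access_enable(ROUTER_B, now=10)                           # fred authenticates
    after = acl.permits("icmp", ROUTER_B, None, now=20)           # step 4: ping works
    other = acl.permits("icmp", "10.200.1.9", None, now=20)       # other hosts: denied
    idle = acl.permits("icmp", ROUTER_B, None, now=20 + 11 * 60)  # idle > 10 min
    return before, telnet, after, other, idle


def absolute_timeout_check():
    """Ping every 5 minutes so the idle timer never fires; the 30-minute limit still closes it."""
    acl = LockAndKeyAcl()
    acl.access_enable(ROUTER_B, now=0)
    return [acl.permits("icmp", ROUTER_B, None, now=t) for t in range(300, 2101, 300)]
```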

Posted: 24/01/2014, 19:20
