host | Restricts the temporary entry to the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access; the dynamic access list entry then supplies the network mask used to enable the new network.
timeout | Specifies an idle timeout, in minutes, for the temporary access list entry. If no traffic matches the entry within this period, it is deleted automatically and the user must authenticate again. By default the entries remain until they are removed manually.
Example Configuration
To telnet to R3, a user on R1 must first log in to R2 with username TELNET and password CISCO (R3 still prompts for its own login afterwards; the test below uses username CISCO there). If the login on R2 succeeds, the access list on R2 temporarily permits telnet access to R3.
R1 --- R2 ----R3
R2 configuration
! Local user that triggers lock-and-key. "password 0" keeps the password in
! cleartext in the running config; "username TELNET secret CISCO" stores a hash.
username TELNET password 0 CISCO
! Runs access-enable when TELNET logs in; "timeout 5" is the idle timeout in minutes.
! Without the host keyword the temporary entry is a verbatim copy of the dynamic
! template (permit tcp any any eq telnet), so one successful login opens telnet
! through R2 for every host behind Fa0/0. "access-enable host timeout 5" limits
! the entry to the host that authenticated.
username TELNET autocommand access-enable timeout 5
ip access-list extended DYN_TELNET
 ! Template for the temporary entry; it matches nothing until access-enable runs.
 dynamic DYN_TELNET_ACCESS permit tcp any any eq telnet
 ! Blocks all TCP to R3, not only telnet; add "eq telnet" to block telnet alone.
 deny tcp any host 10.1.1.2
 permit ip any any
!
line vty 0 4
 ! "login local" checks the local username database. Plain "login" uses the line
 ! password and never shows the Username: prompt seen in the verification below,
 ! so the per-user autocommand would not run.
 login local
 ! A line-level autocommand is redundant with the per-user one above and would
 ! also run for any administrator logging in on these lines, disconnecting them
 ! immediately. Left here as a comment so that only the per-user form is active.
 ! autocommand access-enable
Apply the access list inbound on the interface facing R1 (direction matters: the list must see the traffic arriving from R1)
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip access-group DYN_TELNET in
duplex auto
speed auto
Verify Configuration
// Before authenticating, R1 has no telnet access to R3: the deny entry on R2 drops the SYN
R1#telnet 10.1.1.2
Trying 10.1.1.2 ...
% Destination unreachable; gateway or host down
// Authenticate to R2 so that the autocommand creates the temporary (dynamic) entry.
// The session closing right after login is expected: access-enable runs and then
// disconnects the user
R1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Username: TELNET
Password:
[Connection to 192.168.1.2 closed by foreign host]
// Try again (telnet to R3)
R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Username: CISCO
Password:
R3>
// successful
Show the dynamic access list on R2. Entry 10 is the dynamic template; the indented line beneath it is the temporary entry that access-enable created, with its own match counter. It disappears after 5 idle minutes, after which sh access-lists shows the template alone again; to remove it earlier, use clear access-template DYN_TELNET DYN_TELNET_ACCESS any any.
R2#sh access-lists
Extended IP access list DYN_TELNET
10 Dynamic DYN_TELNET_ACCESS permit tcp any any eq telnet
permit tcp any any eq telnet (30 matches)
20 deny tcp any host 10.1.1.2 (3 matches)
30 permit ip any any (81 matches)
R2#
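The verification above tests one host and one login. The evaluator below is an added example, not IOS code and not part of the original post: it models the DYN_TELNET list and what the access-enable autocommand does to it, so the two behaviours the parameter table describes can be checked without a router, namely what happens when the host keyword is omitted and how the idle timeout removes the entry. It assumes R1's address is 192.168.1.1 (the page only shows R2's 192.168.1.2), constructs a second host 192.168.1.50 on the same LAN, and parses only the ACL keywords the page uses.

```python
"""Simulated lock-and-key ACL evaluation (added example, not IOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23

# The page's access list, line for line.
DYN_TELNET = [
    "dynamic DYN_TELNET_ACCESS permit tcp any any eq telnet",
    "deny tcp any host 10.1.1.2",
    "permit ip any any",
]

# A packet is (protocol, source, destination, destination port).
Packet = Tuple[str, str, str, Optional[int]]


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # "any" or a host address
    dst: str
    dport: Optional[int]           # None means any port
    dynamic: Optional[str] = None  # template name for a dynamic entry


@dataclass
class TempEntry:
    ace: Ace
    idle_secs: Optional[int]       # None = permanent (no timeout given)
    expires: Optional[float]


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS extended-ACL syntax used on the page
    (assumption: only any / host A.B.C.D / eq telnet / dynamic)."""
    tok = line.split()
    dynamic = None
    if tok[0] == "dynamic":
        dynamic, tok = tok[1], tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]

    def addr() -> str:
        kw = rest.pop(0)
        if kw == "any":
            return "any"
        if kw == "host":
            return rest.pop(0)
        raise ValueError("unsupported address form: " + kw)

    src, dst = addr(), addr()
    dport = None
    if rest and rest[0] == "eq":
        dport = TELNET if rest[1] == "telnet" else int(rest[1])
    return Ace(action, proto, src, dst, dport, dynamic)


def matches(ace: Ace, pkt: Packet) -> bool:
    proto, src, dst, dport = pkt
    return ((ace.proto == "ip" or ace.proto == proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.dport is None or ace.dport == dport))


class LockAndKeyAcl:
    def __init__(self, lines: List[str]):
        self.entries = [parse_ace(l) for l in lines]
        self.temp: List[TempEntry] = []

    def access_enable(self, session_src: str, host: bool = False,
                      timeout_min: Optional[int] = None, now: float = 0.0) -> None:
        """What the autocommand does after a successful vty login: copy each
        dynamic template into a temporary entry. With `host` the template's
        source becomes the address the Telnet session came from; without it
        the template is copied verbatim."""
        for t in self.entries:
            if t.dynamic is None:
                continue
            src = session_src if host else t.src
            idle = timeout_min * 60 if timeout_min else None
            expires = now + idle if idle else None
            self.temp.append(TempEntry(Ace(t.action, t.proto, src, t.dst, t.dport), idle, expires))

    def evaluate(self, pkt: Packet, now: float = 0.0) -> str:
        """First-match evaluation. Temporary entries are tested at the position
        of the dynamic statement they came from; a match resets the idle timer."""
        self.temp = [e for e in self.temp if e.expires is None or e.expires > now]
        for base in self.entries:
            if base.dynamic is not None:
                for e in self.temp:
                    if matches(e.ace, pkt):
                        if e.idle_secs is not None:
                            e.expires = now + e.idle_secs
                        return e.ace.action
                continue
            if matches(base, pkt):
                return base.action
        return "deny"  # implicit deny at the end of every IOS access list


def run_scenario(host_keyword: bool) -> Tuple[str, str, str, str]:
    """Replays the page's test from R1, then from a second host, then seven
    minutes after the last matching packet. Returns the four verdicts."""
    acl = LockAndKeyAcl(DYN_TELNET)
    r1_to_r3 = ("tcp", "192.168.1.1", "10.1.1.2", TELNET)      # assumed R1 address
    other_to_r3 = ("tcp", "192.168.1.50", "10.1.1.2", TELNET)  # constructed host
    before = acl.evaluate(r1_to_r3, now=0.0)
    acl.access_enable("192.168.1.1", host=host_keyword, timeout_min=5, now=0.0)
    after = acl.evaluate(r1_to_r3, now=60.0)
    other = acl.evaluate(other_to_r3, now=60.0)
    expired = acl.evaluate(r1_to_r3, now=60.0 + 7 * 60)
    return before, after, other, expired


if __name__ == "__main__":
    print("access-enable timeout 5      :", run_scenario(host_keyword=False))
    print("access-enable host timeout 5 :", run_scenario(host_keyword=True))
```

Run as-is and the first line shows that with timeout 5 alone, the second host reaches R3's telnet port as soon as anyone has authenticated; the second line shows the host keyword closing that gap while the idle timeout still removes the entry in both cases.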