Saturday 30 April 2011

Lock and Key (Dynamic Access-Lists)

Lock and Key lets an authenticated user temporarily activate a dynamic entry in an extended access-list, using the access-enable command.

Let us consider a simple topology: R4 connected to R5 connected to R6.

R4 represents a host, with R5 as its default gateway; R5 and R6 run a dynamic routing protocol between them.

Relevant Config:

R4
hostname R4
interface FastEthernet0/0
 ip address 192.168.101.4 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.101.5


R5
hostname R5
username bob password 0 test
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.101.5 255.255.255.0
 ip access-group 104 in
 duplex auto
 speed auto
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
access-list 104 permit tcp host 192.168.101.4 host 5.5.5.5 eq telnet
access-list 104 dynamic R4Telnet permit tcp host 192.168.101.4 any eq telnet
access-list 104 deny   tcp host 192.168.101.4 any eq telnet
!
line vty 0 4
 login local
 autocommand  access-enable timeout 5
!

R6's config and the routing between R5 and R6 aren't shown, as they aren't relevant here.

The interesting stuff in this example happens on R5.

Until access-enable has been run, the dynamic line in the access-list is only a template and matches nothing, so R4 can telnet to R5's Loopback0 (line 10) but nowhere else. Note that ACL 104 ends in the usual implicit deny, so all other inbound traffic from R4 is dropped too, not just telnet.

R5#sh ip access-list
Extended IP access list 104
    10 permit tcp host 192.168.101.4 host 5.5.5.5 eq telnet
    20 Dynamic R4Telnet permit tcp host 192.168.101.4 any eq telnet
    30 deny tcp host 192.168.101.4 any eq telnet

When someone telnets to R5 and authenticates, the autocommand on line vty 0 4 runs access-enable, which creates a temporary entry under the dynamic line and then ends the session (hence the "closed by foreign host" below). The timeout 5 is an idle timeout in minutes: the entry is removed once no traffic has matched it for 5 minutes. One caveat: without the host keyword, the temporary entry copies the source address from the dynamic line. Here that is host 192.168.101.4, but with a source of any it would open the hole for every host; access-enable host timeout 5 would instead pin the entry to the address that actually authenticated.

R4>telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Username: bob
Password:
[Connection to 5.5.5.5 closed by foreign host]

Let's see what has happened to the ACL now.

R5#sh ip access-list
Extended IP access list 104
    10 permit tcp host 192.168.101.4 host 5.5.5.5 eq telnet (47 matches)
    20 Dynamic R4Telnet permit tcp host 192.168.101.4 any eq telnet
       permit tcp host 192.168.101.4 any eq telnet
    30 deny tcp host 192.168.101.4 any eq telnet


We can see that line 20 now has an active temporary entry beneath it, which is evaluated before, and so takes precedence over, the deny in line 30.

R4>telnet 6.6.6.6
Trying 6.6.6.6 ... Open


User Access Verification

Username: bob
Password:

R6>


Looks good. So what about that timeout business?

R5#sh ip access-list
Extended IP access list 104
    10 permit tcp host 192.168.101.4 host 5.5.5.5 eq telnet (47 matches)
    20 Dynamic R4Telnet permit tcp host 192.168.101.4 any eq telnet
       permit tcp host 192.168.101.4 any eq telnet (28 matches) (time left 297)
    30 deny tcp host 192.168.101.4 any eq telnet

We can see it counting down; the time left is shown in seconds, so 297 of the 300-second timer remain. Note that the timeout on the access-enable command is documented as an idle timeout, not an absolute one: each packet that matches the temporary entry restarts it, so the entry stays up indefinitely while traffic keeps flowing and is removed after 5 minutes of inactivity. A hard upper bound on the entry's lifetime is a separate setting, the timeout keyword on the dynamic line of the access-list itself (an absolute time in minutes, which should be longer than the idle timeout). The related global command

R5(config)#access-list dynamic-extended

is an optional knob that extends that absolute timer (Cisco documents it as a six-minute extension); it is not what makes the timer restart on new traffic.
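Putting the timers and the host keyword together, here is a tightened version of R5's config. This is an added example, not the configuration from the original post: interface names and addresses follow the post, while the username "ops", the absolute timeout of 60 minutes and the idle timeout of 5 minutes are illustrative choices.

```cisco
! Added example (not from the original post): tightened Lock and Key config for R5.
! Username "ops" and the 60/5 minute timers are assumptions chosen for illustration.
hostname R5
!
! Store the credential hashed (secret) rather than as type-0 cleartext (password 0).
username ops secret Str0ngPassphrase
! Put the autocommand on the user, not on the vty lines, so an admin account
! still gets an exec shell on the same vtys instead of being disconnected.
username ops autocommand access-enable host timeout 5
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.101.5 255.255.255.0
 ip access-group 104 in
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
! 10: before authentication the only thing allowed is telnet to the router itself.
access-list 104 permit tcp host 192.168.101.4 host 5.5.5.5 eq telnet
! 20: dynamic template. "timeout 60" is the ABSOLUTE lifetime in minutes, enforced
!     regardless of activity; keep it longer than the idle timeout on access-enable.
access-list 104 dynamic R4Telnet timeout 60 permit tcp host 192.168.101.4 any eq telnet
! 30: explicit deny with log so blocked attempts show up in counters and syslog
!     (the implicit deny at the end of the list would drop them anyway).
access-list 104 deny   tcp host 192.168.101.4 any eq telnet log
!
line vty 0 4
 login local
```

The host keyword on access-enable makes the temporary entry carry the source address of the host that authenticated rather than whatever source the dynamic line names, so the same template stays safe even if its source is later widened. The idle timeout (5) on access-enable and the absolute timeout (60) on the dynamic line work together: the entry disappears after 5 minutes without matching traffic, and after 60 minutes no matter what. show ip access-list 104 shows both the counters and the time left, and clear access-template removes a temporary entry early if a session needs to be cut off before it times out.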
