Dynamic Access Lists solve a problem that traditional ACLs cannot solve quickly. Imagine a few users accessing a set of servers. Traditional ACLs match on the user’s host IP address, and a legitimate user’s IP address changes whenever she borrows a PC, gets a new DHCP lease, takes her laptop home, and so on. Each new IP address requires editing the ACL, which means painful administration and, often, security holes left open in the meantime.

The steps to establishing a dynamic access list are as follows:

  • The user Telnets to the router.
  • The router verifies the user’s username/password against a list.
  • After authentication, the router dynamically adds a host-sourced ACL entry.
  • The router delivers permitted host packets to the server.

Let’s do a lab to understand Dynamic Access Lists further.

Dynamic Access Lists

Initial Configurations

!
hostname PC-1
!
enable secret 5 $1$linM$Iz2Erv0h9LX9pZy/8FEJy.
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254

!
hostname INTRA-NET
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!

!
hostname IOS-FW
!
interface Ethernet0/0
ip address 99.1.1.254 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 10.1.1.254 255.255.255.0
duplex auto
!
ip routing

!
hostname WEB-SERVER-1
!
multilink bundle-name authenticated
!
interface Ethernet0/0
ip address 99.1.1.1 255.255.255.0
duplex auto
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 99.1.1.254
!

!
hostname PC-02
!
enable secret 5 $1$5ypE$mIi4DR69VddLm8MygMmCK0
!
interface Ethernet0/0
ip address 99.1.1.2 255.255.255.0
duplex auto
!
ip route 0.0.0.0 0.0.0.0 99.1.1.254

Let’s create two users on the IOS-FW router.

IOS-FW(config)#username user1 password pwd1
IOS-FW(config)#username user2 password pwd2

Now try to telnet to the IOS-FW router’s e0/0 interface (99.1.1.254) from PC-02.

PC-02#telnet 99.1.1.254
Trying 99.1.1.254 ...
% Connection refused by remote host

Let’s enable telnet on IOS-FW with the following commands:

IOS-FW(config)#line vty 0 4
IOS-FW(config-line)#login local
IOS-FW(config-line)#transport input telnet

Once the above commands have been executed on IOS-FW, try to telnet again from PC-02:

PC-02#telnet 99.1.1.254
Trying 99.1.1.254 ... Open


User Access Verification

Username: user1
Password:
IOS-FW>
IOS-FW>

We can see that PC-02 and WEB-SERVER-1 can create a telnet session. The next step is to create the dynamic ACL entries and apply them to the appropriate interface.

IOS-FW(config)#ip access-list extended DYN-ACL
IOS-FW(config-ext-nacl)#permit tcp any host 99.1.1.254 eq telnet
IOS-FW(config-ext-nacl)#permit tcp any any established
IOS-FW(config-ext-nacl)#dynamic DACL timeout 3 permit ip any any
!
IOS-FW(config)#int Ethernet 0/0
IOS-FW(config-if)#ip access-group DYN-ACL in

You’ll notice that once the ACL has been applied to the e0/0 interface, no host on the outside can connect to the 10.1.1.0/24 network.

Note

“dynamic DACL timeout 3 permit ip any any”: the timeout keyword in this command sets how long a temporary entry created from it remains active on the IOS-FW router. In our case, the duration is three minutes.

PC-02#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC-02#
!-------------
WEB-SERVER-1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Next, configure the VTY lines so that a successful login automatically runs access-enable and creates the temporary entry:

IOS-FW(config)#line vty 0 4
IOS-FW(config-line)#autocommand access-enable host

The “autocommand” command

The autocommand command configures the system to execute a privileged EXEC command when a user connects to a line. Configure autocommand using these guidelines:

With TACACS+, configure per-user autocommand commands on the TACACS+ server. With local authentication, use the line autocommand as shown above.

Configure autocommand on all VTY ports. Omitting the autocommand on any VTY port allows an arbitrary host to gain privileged EXEC mode access to the router without creating a temporary dynamic access list entry.

If the autocommand access-enable command does not define an idle timeout, the access-list command must define an absolute timeout. If neither an idle nor an absolute timeout is set, the temporary access list entry stays on the interface even after the user logs out, until an administrator removes it. You can set both an idle and an absolute timeout; the absolute timeout must be greater than the idle timeout.
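The two guidelines above (an autocommand on every VTY block, and an absolute timeout on the dynamic entry whenever the autocommand sets no idle timeout) are easy to check against a saved running-config. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the config into top-level command blocks and reports any VTY block without autocommand access-enable, any dynamic entry left without a timeout, and any idle timeout that is not shorter than the absolute one. The config text is constructed from the lab’s IOS-FW commands, with a second VTY block (5 15) added here without an autocommand so the check has something to flag; the one-space indentation and block layout are assumptions about how the running-config is laid out.

```python
import re
from typing import List, Tuple

# Constructed running-config fragment modelled on the lab's IOS-FW commands.
# The second VTY block (5 15) is added here without an autocommand so the
# audit has something to flag; it is not in the original lab.
SAMPLE_CONFIG = """\
hostname IOS-FW
!
ip access-list extended DYN-ACL
 permit tcp any host 99.1.1.254 eq telnet
 permit tcp any any established
 dynamic DACL timeout 3 permit ip any any
!
interface Ethernet0/0
 ip address 99.1.1.254 255.255.255.0
 ip access-group DYN-ACL in
!
line vty 0 4
 login local
 transport input telnet
 autocommand access-enable host
line vty 5 15
 login local
 transport input telnet
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group indented continuation lines under their top-level command."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_lock_and_key(config: str) -> List[str]:
    """Return a list of findings; an empty list means the guidelines hold."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    idle_timeouts = set()            # minutes from 'autocommand access-enable ... timeout N'
    autocommand_without_idle = False

    # Guideline 1: every VTY line block must run access-enable on login.
    for heading, body in blocks:
        if not heading.startswith("line vty"):
            continue
        auto = next((l for l in body if l.startswith("autocommand access-enable")), None)
        if auto is None:
            findings.append(f"{heading}: no 'autocommand access-enable'; a login on these lines "
                            "gives EXEC access without creating a temporary entry")
            continue
        m = re.search(r"\btimeout (\d+)", auto)
        if m:
            idle_timeouts.add(int(m.group(1)))
        else:
            autocommand_without_idle = True

    # Guideline 2: without an idle timeout on the autocommand, each dynamic
    # entry needs an absolute timeout; if both exist, idle must be the shorter.
    for heading, body in blocks:
        if not heading.startswith("ip access-list"):
            continue
        for entry in body:
            m = re.match(r"dynamic (\S+)(?: timeout (\d+))?", entry)
            if not m:
                continue
            name, absolute = m.group(1), m.group(2)
            if absolute is None and autocommand_without_idle:
                findings.append(f"{heading}: dynamic entry {name} has no absolute timeout and a VTY "
                                "autocommand sets no idle timeout; temporary entries would persist "
                                "until an administrator removes them")
            elif absolute is not None:
                for idle in sorted(idle_timeouts):
                    if idle >= int(absolute):
                        findings.append(f"{heading}: idle timeout {idle} min is not shorter than "
                                        f"absolute timeout {absolute} min on dynamic entry {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_lock_and_key(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the VTY 5 15 block; drop the timeout from the dynamic entry and a second finding appears, because nothing would ever age the temporary entries out.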

Since all building blocks for a dynamic ACL have been entered, let’s see how this plays out in practice. We will attempt authentication using a user ID created on IOS-FW.

PC-02#telnet 99.1.1.254
Trying 99.1.1.254 ... Open


User Access Verification

Username: user1
Password:
[Connection to 99.1.1.254 closed by foreign host]

We authenticated to the IOS-FW router with a username and password, and the connection was closed right away; that is the autocommand running access-enable and ending the session. Let’s ping the internal interface.

PC-02#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms

PC-02#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms

PC-02#telnet 10.1.1.1 80
Trying 10.1.1.1, 80 ... Open

As can be seen, PC-02 can now connect to the 10.1.1.0/24 network, which it could not do before. What changed in the ACL?

IOS-FW#show access-lists
Extended IP access list DYN-ACL
    10 permit tcp any host 99.1.1.254 eq telnet (60 matches)
    20 permit tcp any any established
    30 Dynamic DACL permit ip any any
       permit ip host 99.1.1.2 any

The dynamic entry that was created allows host 99.1.1.2 (PC-02) to reach the 10.1.1.0/24 network. Can WEB-SERVER-1, which is also on the outside network, initiate a connection?

WEB-SERVER-1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
WEB-SERVER-1#

From 99.1.1.1 (WEB-SERVER-1) we can’t reach the internal network, but from 99.1.1.2 (PC-02) we can. Let’s log in to the IOS-FW router from WEB-SERVER-1 with a different user ID and see what happens to the dynamic ACL.

WEB-SERVER-1#telnet 99.1.1.254
Trying 99.1.1.254 ... Open


User Access Verification

Username: user2
Password:
[Connection to 99.1.1.254 closed by foreign host]
IOS-FW#show access-lists
Extended IP access list DYN-ACL
    10 permit tcp any host 99.1.1.254 eq telnet (117 matches)
    20 permit tcp any any established (14 matches)
    30 Dynamic DACL permit ip any any
       permit ip host 99.1.1.1 any (5 matches)
       permit ip host 99.1.1.2 any (1 match)
IOS-FW#
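For a defender, the interesting part of that output is the indented block under the Dynamic line: it is the live list of outside hosts that currently hold a temporary entry. The following Python parser is an added example, not from the original post, that extracts those entries (ACL name, dynamic name, source host and match count) so they can be compared against the hosts you expect to be authenticating. The sample text is the show output above, embedded here as a constructed string rather than captured from a device; the regular expressions assume the indentation layout shown.

```python
import re
from typing import Dict, List, Set

# Constructed copy of the 'show access-lists' output from the lab
# (a string here, not a live capture from IOS-FW).
SHOW_ACCESS_LISTS = """\
Extended IP access list DYN-ACL
    10 permit tcp any host 99.1.1.254 eq telnet (117 matches)
    20 permit tcp any any established (14 matches)
    30 Dynamic DACL permit ip any any
       permit ip host 99.1.1.1 any (5 matches)
       permit ip host 99.1.1.2 any (1 match)
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
DYNAMIC_LINE = re.compile(r"^\s+\d+ Dynamic (\S+) ")
NUMBERED_LINE = re.compile(r"^\s+\d+ ")
TEMP_ENTRY = re.compile(r"^\s+permit (\S+) host (\S+) any(?: \((\d+) match(?:es)?\))?")


def parse_temporary_entries(text: str) -> List[Dict[str, object]]:
    """Return one record per installed temporary entry: the ACL and dynamic
    name it belongs to, the authenticated source host, and its match count."""
    records: List[Dict[str, object]] = []
    acl = dynamic = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            acl, dynamic = m.group(1), None
            continue
        m = DYNAMIC_LINE.match(line)
        if m:                            # '30 Dynamic DACL ...' opens a block of temporary entries
            dynamic = m.group(1)
            continue
        if NUMBERED_LINE.match(line):    # any other numbered line ends that block
            dynamic = None
            continue
        m = TEMP_ENTRY.match(line)
        if m and dynamic:
            records.append({"acl": acl, "dynamic": dynamic, "proto": m.group(1),
                            "host": m.group(2), "matches": int(m.group(3) or 0)})
    return records


def hosts_with_access(text: str) -> Dict[str, int]:
    """Map each outside host that currently holds a temporary entry to its match count."""
    return {str(r["host"]): int(r["matches"]) for r in parse_temporary_entries(text)}


def unexpected_hosts(text: str, expected: Set[str]) -> List[str]:
    """Hosts holding a temporary entry that are not on the expected list
    (for example, the workstations known to belong to the lock-and-key users)."""
    return sorted(h for h in hosts_with_access(text) if h not in expected)


if __name__ == "__main__":
    for host, count in hosts_with_access(SHOW_ACCESS_LISTS).items():
        print(f"{host}: {count} matches")
    print("unexpected:", unexpected_hosts(SHOW_ACCESS_LISTS, {"99.1.1.2"}))
```

Polling this periodically (or after each authentication event) gives a simple inventory of who is currently inside through lock-and-key, which the static ACL alone does not show.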

Now, outside hosts that have authenticated can reach internal resources in the 10.1.1.0/24 network, each through its own temporary entry.

A couple of notes on dynamic access lists:

  • Define only one dynamic entry per access list. The software uses only the first dynamic entry it finds.
  • Avoid giving another access list the same dynamic name. Doing so instructs the software to reuse the existing list; dynamic names must be globally unique in the configuration.
  • Assign attributes to a dynamic access list as you would to a static one. Temporary access list entries inherit the list’s attributes.
  • Users must authenticate via Telnet to the router before the temporary entry is created.
  • Define an idle timeout now with the timeout keyword in the autocommand access-enable command, or define an absolute timeout with the access-list command. If you set neither, the temporary access list entry stays on the interface even after the user logs out, until an administrator removes it. You can set both an idle and an absolute timeout.
  • The idle timeout value should match the WAN idle timeout. When both are set, the idle timeout must be less than the absolute timeout.
  • Use the access-list dynamic-extend command to extend the dynamic ACL’s absolute timer by six minutes when a job outlasts it. The user triggers the extension by opening a new Telnet session into the router for lock-and-key authentication.
  • The only value replaced in the temporary entry is the source address (for an input access list) or the destination address (for an output access list). Every other attribute, including the protocol and ports, is inherited from the main dynamic entry.
  • Each addition is placed at the beginning of the dynamic list. You cannot control the order of temporary access list entries.
  • Temporary access list entries are never stored in NVRAM.
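To tie the lab walkthrough and the notes above together, here is an added Python model (my own, not the post’s or IOS code) of how the DYN-ACL list is evaluated: one dynamic template, temporary entries created at authentication with only the source address replaced, the newest entry placed first, an absolute timeout after which the entry is purged, and the implicit deny at the end. The addresses, the rule order and the three-minute timeout are taken from the lab; the classes, the minute-based clock and the reduced set of packet fields are simplifications I assumed for the example.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Packet:
    proto: str                      # "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False       # TCP segment with ACK or RST set


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.established))


@dataclass
class DynamicEntry:
    """'dynamic NAME timeout N permit ...': the template plus its temporary entries."""
    name: str
    template: Entry
    absolute_timeout: Optional[int]                      # minutes; None = no absolute timeout
    temporary: List[Tuple[Entry, Optional[int]]] = field(default_factory=list)  # (entry, expiry)


class LockAndKeyACL:
    def __init__(self, name: str, items: List[Union[Entry, DynamicEntry]]):
        self.name = name
        self.items = items
        # only the first dynamic entry in a list is ever used
        self.dynamic = next(i for i in items if isinstance(i, DynamicEntry))

    def authenticate(self, host: str, now: int) -> None:
        """What access-enable does after a successful VTY login on an inbound list:
        copy the template, replace only the source with the caller's address,
        and put the new entry at the front of the dynamic list."""
        entry = replace(self.dynamic.template, src=host)
        timeout = self.dynamic.absolute_timeout
        expires = None if timeout is None else now + timeout
        self.dynamic.temporary.insert(0, (entry, expires))

    def purge(self, now: int) -> None:
        """Drop temporary entries whose absolute timeout has elapsed."""
        self.dynamic.temporary = [(e, x) for e, x in self.dynamic.temporary
                                  if x is None or now < x]

    def active_hosts(self, now: int) -> List[str]:
        self.purge(now)
        return [e.src for e, _ in self.dynamic.temporary]

    def evaluate(self, p: Packet, now: int) -> str:
        """First matching entry wins; the dynamic slot expands to its temporary entries."""
        self.purge(now)
        for item in self.items:
            candidates = [e for e, _ in item.temporary] if isinstance(item, DynamicEntry) else [item]
            for entry in candidates:
                if entry.matches(p):
                    return entry.action
        return "deny"               # implicit deny at the end of every ACL


def build_dyn_acl() -> LockAndKeyACL:
    """The lab's DYN-ACL, applied inbound on IOS-FW e0/0."""
    return LockAndKeyACL("DYN-ACL", [
        Entry("permit", "tcp", dst="99.1.1.254", dport=23),     # telnet to the router itself
        Entry("permit", "tcp", established=True),               # return traffic
        DynamicEntry("DACL", Entry("permit", "ip"), absolute_timeout=3),
    ])


def lab_walkthrough() -> Dict[str, object]:
    acl = build_dyn_acl()
    ping_pc02 = Packet("icmp", "99.1.1.2", "10.1.1.1")
    ping_web1 = Packet("icmp", "99.1.1.1", "10.1.1.2")
    telnet_fw = Packet("tcp", "99.1.1.2", "99.1.1.254", dport=23)
    r: Dict[str, object] = {}
    r["telnet_to_fw"] = acl.evaluate(telnet_fw, now=0)     # permit: line 10
    r["ping_before"] = acl.evaluate(ping_pc02, now=0)      # deny: no temporary entry yet (U.U.U)
    acl.authenticate("99.1.1.2", now=0)                    # PC-02 logs in as user1
    r["ping_after"] = acl.evaluate(ping_pc02, now=1)       # permit via the temporary entry
    r["web1_before"] = acl.evaluate(ping_web1, now=1)      # deny: only 99.1.1.2 was substituted
    acl.authenticate("99.1.1.1", now=1)                    # WEB-SERVER-1 logs in as user2
    r["web1_after"] = acl.evaluate(ping_web1, now=2)       # permit
    r["order"] = acl.active_hosts(now=2)                   # newest first: 99.1.1.1 then 99.1.1.2
    r["pc02_expired"] = acl.evaluate(ping_pc02, now=3)     # deny: three minutes have elapsed
    r["still_active"] = acl.active_hosts(now=3)            # 99.1.1.1 expires at minute 4
    return r


if __name__ == "__main__":
    for key, value in lab_walkthrough().items():
        print(f"{key:14} {value}")
```

The walkthrough reproduces the lab’s results in order (telnet to the router permitted, pings denied until authentication, a second host unaffected until it authenticates itself) and then shows what the lab did not wait for: PC-02’s entry disappearing when its three-minute absolute timeout runs out while WEB-SERVER-1’s, created a minute later, is still present.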

Read my post on the reflexive ACL here