Lock and Key, also called dynamic ACLs, relies on authentication (local or remote), Telnet, and extended ACLs.
Lock and Key configuration starts with an extended ACL that blocks traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they Telnet to the router and authenticate. The Telnet connection is then dropped, and a single-entry dynamic ACL appears in the extended ACL. An idle timeout and an absolute timeout can be configured so that traffic is allowed only for a limited time.
Syntax for Lock and Key with local authentication:
username user-name password password
interface interface-name
ip access-group {number|name} {in|out}
After authentication succeeds, the dynamic entry defined by the following command is added as a single entry in the ACL:
access-list access-list-number dynamic name {permit|deny} [protocol] {source source-wildcard|any} {destination destination-wildcard|any} [precedence precedence][tos tos][established] [log|log-input] [operator destination-port|destination port]
line vty line_range
login local
Basic Lock and Key configuration example:
username test password 0 test
!--- 10-minute idle timeout.
username test autocommand access-enable host timeout 10
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any host 10.1.1.1 eq telnet
!--- 15-minute absolute timeout.
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
line vty 0 4
login local
After a user at 10.1.1.2 Telnets to 10.1.1.1, the dynamic ACL entry is applied, the Telnet connection is dropped, and the user can then reach the 172.16.1.x network.
Source: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#lockandkey
Below is a related lab.
【Lab description】
Configure the router so that external users must authenticate by Telnetting to the router before they can access internal network resources; access is allowed only after authentication succeeds.
【Lab topology】
IOS:
c2691-advsecurityk9-mz.124-11.T2.bin
【Lab configuration steps】
- Configure the network in the figure above as in "Configuring Static NAT" from the IP services section
- The lab goal is to allow remote users to access the internal network, with both an absolute timeout and an idle timeout configured
- Configure the VTY lines to allow Telnet
- Configure a local username and password of cisco/cisco
- Configure that user with the autocommand "access-enable host timeout 5", which sets the idle timeout to 5 minutes
- Create an extended named access list INBOUND that permits OSPF, BGP and Telnet traffic
- Create a dynamic entry ACCESS with a timeout of 10 minutes (the absolute timeout) and use "permit ip any any" as the dynamic rule
- Deny and log all remaining traffic at the end of INBOUND
【Lab configuration】
First, the basic network configuration,
"Configuring Static NAT"
---------------------------------------- Static NAT configuration ----------------------------------------
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
!
interface Serial0/0
encapsulation frame-relay
no shutdown
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0
ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate
---------------------------------------- Access control list configuration ----------------------------------------
Then configure the dynamic ACL:
line vty 0 4
login local
!
username cisco password cisco
!-- 5-minute idle timeout. Note that "username cisco autocommand ?" shows no help for what follows; this does not mean IOS lacks the command,
!-- simply type access-enable host timeout 5 directly after autocommand.
username cisco autocommand access-enable host timeout 5
!
ip access-list extended INBOUND
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit tcp any any eq telnet
!-- The dynamic rule permits everything; the absolute timeout is 10 minutes.
dynamic ACCESS timeout 10 permit ip any any
deny ip any any log
!
interface Serial 0/1
ip access-group INBOUND in
!
interface Serial 0/0.1
ip access-group INBOUND in
【Lab verification】
First, from R5, ping R1's mapped address 150.1.4.1 to see whether it is reachable:
R5#ping 150.1.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
The ping fails because the access list does not allow ICMP in.
Next, authenticate via Telnet:
R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open
User Access Verification
Username: cisco
Password:cisco
[Connection to 150.1.4.4 closed by foreign host]
Authentication succeeds, and once it does the Telnet session exits automatically.
R5#
R5#ping 150.1.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/92 ms
After authentication the ping succeeds. Now look at the access list on R4:
R4#show access-list
Extended IP access list INBOUND
10 permit ospf any any (423 matches)
20 permit tcp any any eq bgp
30 permit tcp any eq bgp any (162 matches)
40 permit tcp any any eq telnet (147 matches)
50 Dynamic ACCESS permit ip any any
permit ip host 155.1.45.5 any (5 matches) (time left 283)
60 deny ip any any log (15 matches)
An entry from host 155.1.45.5 to any has been added dynamically, and its remaining idle time is shown, which verifies the dynamic ACL.
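To make the interaction of the two timers concrete, here is an added Python model of the lab's INBOUND list (this is illustrative code, not Cisco IOS code and not part of the original post): a successful login installs an entry for the source host only, traffic through that entry refreshes the 5-minute idle timer, the 10-minute absolute timer never refreshes, and the remaining time is reported the way "(time left N)" is in show access-list. The packet classification for the static lines is a simplification assumed here for illustration.

```python
from dataclasses import dataclass

# Timers taken from the lab: autocommand "access-enable host timeout 5" (idle)
# and "dynamic ACCESS timeout 10" (absolute); minutes modelled as seconds.
IDLE_TIMEOUT = 5 * 60
ABSOLUTE_TIMEOUT = 10 * 60


@dataclass
class DynamicEntry:
    """One per-host entry under the dynamic line, e.g. 'permit ip host 155.1.45.5 any'."""
    host: str
    created: float    # when the Telnet login installed the entry (absolute timer)
    last_hit: float   # last packet that matched the entry (idle timer)


class LockAndKeyAcl:
    """Toy model of INBOUND: static permits for OSPF/BGP/Telnet, dynamic host entries, then deny."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle, self.absolute = idle, absolute
        self.entries = {}

    def authenticate(self, src, now):
        # Successful VTY login: "access-enable host" installs an entry for the
        # authenticating host only, never for the whole source subnet.
        self.entries[src] = DynamicEntry(src, now, now)

    def _expire(self, now):
        # An entry is removed when either the absolute or the idle timer runs out.
        for host, e in list(self.entries.items()):
            if now - e.created >= self.absolute or now - e.last_hit >= self.idle:
                del self.entries[host]

    def permits(self, src, proto, dport, now, sport=0):
        self._expire(now)
        if proto == "ospf" or (proto == "tcp" and (dport in (23, 179) or sport == 179)):
            return True                      # static lines 10-40
        e = self.entries.get(src)
        if e is not None:
            e.last_hit = now                 # traffic refreshes the idle timer only
            return True                      # dynamic line 50
        return False                         # line 60: deny ip any any log

    def time_left(self, src, now):
        # Seconds until the host's entry expires, as shown in "(time left N)".
        self._expire(now)
        e = self.entries.get(src)
        if e is None:
            return 0
        return min(self.absolute - (now - e.created), self.idle - (now - e.last_hit))
```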