Sunday, September 7, 2008

Lock and Key

Here is the example I am following, pretty much to a T, except that I am using BGP as the routing protocol and the topology is different.

Lock-and-Key: Dynamic Access Lists

Here is my topology:

[R1]----[R2]----[R3]

The goal is to prevent R1 from telnetting to R3 (172.12.23.3) unless it has first authenticated to R2 by telnet. All of the lock-and-key configuration is on R2, but remember to configure a password on the vty lines of R3 so there is something to log in to at the end.

First, create a username and password on R2. (In a lab this is fine; anywhere else, use username test secret so the credential is stored as a hash rather than the reversible form that password stores.)

R2(config)#username test password test

Next, set up the vty lines so that a successful login runs access-enable, which creates the temporary ACL entry and then closes the session:

R2(config)#line vty 0 4
R2(config-line)#autocommand access-enable
R2(config-line)#login local

Two things to be aware of here. Without the host keyword, access-enable creates the temporary entry with the source exactly as written in the dynamic statement (any, in the list below), so once a single user has authenticated the hole is open to every source; autocommand access-enable host timeout 5 limits the entry to the address that authenticated and gives it an idle timeout in minutes. And because the autocommand sits on all five vty lines, every telnet login to R2, including an administrator's, is disconnected the moment it authenticates; attaching the autocommand to the user instead (username test autocommand access-enable host timeout 5) leaves the vty usable for other accounts.


Next, create and apply the ACL. I am running BGP between the routers, so the list has to permit it before anything else or the session drops the moment the list goes on the interface. Line 1 matches sessions the neighbor opens (destination port 179) and line 2 matches the replies to sessions R2 opens (source port 179). Line 3 is the dynamic statement: its permit clause is the template for the temporary entry that access-enable creates, and its timeout, in minutes, is the absolute lifetime of that entry. Line 4 permits the telnet to R2 that is used to authenticate. The list is applied inbound on the R2 interface facing R1.

R2(config)#access-list 120 permit tcp any any eq bgp
R2(config)#access-list 120 permit tcp any eq bgp any
R2(config)#access-list 120 dynamic testlist timeout 15 permit ip any any
R2(config)#access-list 120 permit tcp any host 172.12.12.2 eq telnet
R2(config)#int s1/0
R2(config-if)#ip access-group 120 in


Let's try to telnet from R1 to R3:

R1#telnet 172.12.23.3
Trying 172.12.23.3 ...
% Destination unreachable; gateway or host down

R1#


Now let's telnet to R2 first. Notice that the session is closed as soon as we authenticate: access-enable runs, creates the temporary entry, and the vty disconnects us.

R1#telnet 172.12.12.2
Trying 172.12.12.2 ... Open


User Access Verification

Username: test
Password:
[Connection to 172.12.12.2 closed by foreign host]
R1#


Now let's try and telnet to R3:

R1#telnet 172.12.23.3
Trying 172.12.23.3 ... Open


User Access Verification

Password:
R3>


Perfect! Some things to remember about lock and key:

1) always permit your routing protocol at the top of the list (lines 1 and 2 of the ACL above), or applying the list breaks the adjacency
2) permit telnet to the local router interface (line 4 of the above ACL), otherwise nobody can reach the vty to authenticate
3) use the host keyword on access-enable so the temporary entry is limited to the address that authenticated; without it the entry is created with whatever source the dynamic statement names
4) there are two timeouts: the timeout on the dynamic ACL line is the absolute lifetime of the entry, and the timeout on access-enable is an idle timeout; if neither is set, the entry stays until it is cleared by hand
5) keep the dynamic permit as narrow as the job allows; permit ip any any is fine in a lab but is a full hole through the router anywhere else
6) show access-lists 120 lists the temporary entries under the dynamic line, and clear access-template 120 testlist any any removes them before they expire

Also keep in mind that the authentication itself rides over cleartext telnet, so the username and password are visible to anyone on the path between R1 and R2.
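As an added example, not part of the original post or of the Cisco document it follows, here is the same R2 configuration with those points applied. The addresses (172.12.12.0/24 toward R1, R3 at 172.12.23.3) and the interface Serial1/0 are taken from the topology above; the 5-minute idle timeout and the /24 mask on the telnet line are my assumptions.

```cisco
! Hardened lock-and-key on R2 (added example; assumes the topology above).
!
! Hashed credential instead of a reversible 'password', and the autocommand
! attached to the user rather than to every vty line, so an administrator
! logging in under a different account is not disconnected by access-enable.
username test secret test
username test autocommand access-enable host timeout 5
!
line vty 0 4
 login local
!
! Both directions of the BGP session: sessions the neighbor opens (dst 179)
! and replies to sessions R2 opens (src 179). These stay above the dynamic entry.
access-list 120 permit tcp any any eq bgp
access-list 120 permit tcp any eq bgp any
!
! The temporary entry only opens telnet to R3 instead of 'ip any any'; the
! 'host' keyword on access-enable narrows its source to the authenticated peer.
! 'timeout 15' is the absolute lifetime; 'timeout 5' above is the idle timeout.
access-list 120 dynamic testlist timeout 15 permit tcp any host 172.12.23.3 eq telnet
!
! Only the R1 side of the link may reach R2's vty to authenticate (assumed /24).
access-list 120 permit tcp 172.12.12.0 0.0.0.255 host 172.12.12.2 eq telnet
!
interface Serial1/0
 ip access-group 120 in
```

After R1 authenticates, show access-lists 120 on R2 should show the temporary entry beneath the "Dynamic testlist" line with R1's address as the source and the remaining time; clear access-template 120 testlist any any tears it down early if you want to rerun the test.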
