Sunday, 4 March 2012

Configuring Dynamic Access Lists (Lock-and-Key Security)

The goal is to let a host on R1's VLAN reach a web server on R2's VLAN on the remote box, but only after the user has authenticated to R2. This is about as basic as a lock-and-key setup gets.
First configure the access-list on R2 for the Dynamic ACL
  • access-list 101 permit tcp any any eq 23 (Telnet to R2 has to be allowed so the user can reach the vty lines and authenticate. With permit ip any any at the bottom of this ACL the line is redundant; whether you need it depends on how the rest of the ACL is built. If the ACL did not end in a blanket permit, this entry would be required.)
  • access-list 101 dynamic HTTP permit tcp any any eq 80 (This is the dynamic entry. It stays inactive until a user authenticates. We could restrict the source to a specific host or subnet here, but for this example anyone who can authenticate is allowed.)
  • access-list 101 deny tcp any any eq 80 (Blocks web traffic from anyone who has not authenticated. Order matters: the temporary entries created on authentication are inserted at the dynamic line's position and the ACL is evaluated top down, so this deny must sit below the dynamic entry.)
  • access-list 101 permit ip any any (Allows the rest of the inbound traffic. Note that this means lock-and-key is protecting only port 80 in this example; everything else is open.)

Now configure login. Normally I would authenticate everyone against Active Directory, but a local user is enough for this example.
  • username r1 password cisco (a local user for the demo; on a production box use username r1 secret so the credential is stored as a hash rather than in cleartext or reversible type 7 form.)
Apply the access list inbound on the interface that faces R1.
  • int s0/0
  • ip access-group 101 in
Now configure the vty lines so that a successful login runs access-enable and then disconnects the session:
  • line vty 0 4
  • login local
  • autocommand access-enable
Telnet to R2 and authenticate; the session drops immediately and the temporary entry is created, after which the host can reach the web server on the remote end. Be aware that, as configured here, the temporary entry is a copy of the dynamic line with source any, so once one user authenticates every host can reach the web server until the entry is cleared. The host keyword on access-enable substitutes the authenticating host's address for that source, and the timeout option lets the entry expire on its own.
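The complete R2 configuration for the steps above, as an added example rather than the post's own listing. It keeps the post's ACL 101, user r1, interface s0/0 and vty settings, and adds the hardening a practitioner would want: a hashed local secret, an absolute timeout on the dynamic entry, and the host and idle-timeout options on access-enable. The web server address 198.51.100.10 is an assumed value used only for illustration.

```text
! R2: lock-and-key configuration from the post, with hardening added.
! 198.51.100.10 is an assumed address for the web server on R2's VLAN.
!
! 1. Local login. 'secret' stores a hash instead of the cleartext password.
username r1 secret cisco
!
! 2. Extended ACL 101 (same order as the post)
! Telnet must reach the vty lines so the user can authenticate.
access-list 101 permit tcp any any eq 23
! Dynamic entry: inactive until a user runs access-enable.
! 'timeout 60' is the absolute lifetime of a temporary entry, in minutes.
access-list 101 dynamic HTTP timeout 60 permit tcp any host 198.51.100.10 eq 80
! Anyone who has not authenticated is denied web access.
access-list 101 deny tcp any host 198.51.100.10 eq 80
! Everything else is allowed, as in the post. Lock-and-key therefore
! protects only port 80 on the server here.
access-list 101 permit ip any any
!
! 3. Apply inbound on the interface facing R1
interface Serial0/0
 ip access-group 101 in
!
! 4. vty lines: after login, create the temporary entry and drop the session.
!    'host' replaces the dynamic entry's 'any' source with the address of the
!    host that authenticated; without it one login opens the port for every
!    source. 'timeout 10' is the idle timeout of the temporary entry, in minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 10
!
! Weak form from the post, for comparison. It copies the dynamic entry with
! source 'any' and the entry never idles out:
!   autocommand access-enable
```

With the host keyword, show access-lists 101 shows the temporary entry with the authenticating host's address as its source instead of any, which is the quickest way to confirm the option took effect. The absolute timeout on the dynamic line and the idle timeout on access-enable work together: the entry disappears at whichever expires first, and clear access-template 101 HTTP removes it earlier by hand.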
This is what show access-lists 101 should show once we have authenticated:
10 permit tcp any any eq telnet (183 matches)
20 Dynamic HTTP permit tcp any any eq www
   permit tcp any any eq www (72 matches)
30 deny tcp any any eq www (9 matches)
40 permit ip any any

Notice the indented entry under sequence 20. That is the temporary entry access-enable created, and its presence (and match count) shows the dynamic ACL is active. Before authentication only the dynamic line itself appears and web traffic falls through to the deny at sequence 30, which is why that entry has matches as well.
To remove a temporary entry before it times out, use this command:
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
