10.6 Configuration Lock-and-Key Security (Dynamic Access Lists)
10.6.3 Verify Lock-and-Key configuration
You can verify that Lock-and-Key is configured correctly on the router by asking a user to test the connection. The user should be at a host that is permitted by the dynamic access list, and the user must have an authentication method configured (a local username and password, or AAA), because the Telnet login is what triggers creation of the temporary entry.

To test the connection, the user should Telnet to the router, authenticate, and let the Telnet session close (the router closes it itself once the login succeeds), then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list, and the user should access it with an application that runs over IP.

The following sample display illustrates what end users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.

Router% telnet corporate
Trying 172.21.52.1 ...
Connected to corporate.abc.com.
Escape character is `^]'.
User Access Verification
Password:Connection closed by foreign host.

You can then use the show access-lists command on the router to view the dynamic access list, which should now include an additional temporary entry permitting that user's host through the router. If the user authenticated but no entry appears, check that the vty lines apply the access-enable autocommand; if the entry appears but the host is still blocked, compare the entry's source and destination with the host the user is trying to reach.

Lock-and-Key Maintenance

When Lock-and-Key is in use, the dynamic access list grows and shrinks as temporary entries are added and deleted. You need to make sure that entries are being deleted in a timely way: while an entry exists, any packet whose source address matches it is forwarded without further authentication, so an attacker who can spoof that host's address can pass through the router for as long as the entry lives. Also, the more entries there are, the bigger the router performance impact will be, because each packet is checked against each entry.

If you don't have an idle or absolute timeout configured (the idle timeout is the timeout argument of access-enable in the vty autocommand, the absolute timeout is the timeout keyword on the access-list ... dynamic statement), entries remain in the dynamic access list until you remove them manually with clear access-template. If this is the case for you, make sure that you are extremely vigilant about removing entries, and consider configuring at least one of the two timeouts so that a forgotten entry does not stay open indefinitely.

Display Dynamic Access-List Entries

You can display temporary access-list entries while they are in use. After a temporary access list entry is cleared, either by you or by the absolute or idle timeout, it can no longer be displayed. The number of matches displayed indicates the number of times the access list entry was hit, which tells you whether an entry is still carrying traffic or is merely lingering.

To view dynamic access lists and any temporary access list entries that are currently established, perform the task shown in Figure in privileged EXEC mode: the show access-lists [access-list-number] command.
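The maintenance and display paragraphs above describe what to look for (entries that never expire, hit counts) but leave the checking to the administrator. The following script, an added example and not Cisco's code, parses captured show access-lists output, lists every temporary entry with its match count and remaining lifetime, flags entries that carry no timeout, and builds the clear access-template command for each of those. The sample output is constructed to approximate the IOS layout (temporary entries indented under their Dynamic template, with "(N matches)" and "(time left N)" annotations) and the argument form of the generated clear command is an assumption; verify both against your router and the command reference for your release before relying on them.

```python
"""Audit Lock-and-Key temporary entries in captured 'show access-lists' output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (assumption: it approximates the IOS layout, in
# which temporary entries are listed indented under their 'Dynamic' template).
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 Dynamic mytestlist permit ip any any
       permit ip host 172.21.52.2 any (12 matches) (time left 172)
       permit ip host 172.21.52.7 any (3 matches)
    20 permit tcp any host 172.21.52.1 eq telnet (41 matches)
Extended IP access list 102
    10 permit ip any any
"""

ADDR = r"(?:host \S+|any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
DYNAMIC_TEMPLATE = re.compile(r"^\s*(?:\d+\s+)?[Dd]ynamic (\S+)\s")
SEQUENCED_ACE = re.compile(r"^\s*\d+\s")
TEMP_ENTRY = re.compile(
    rf"^\s+permit (?P<proto>\S+) (?P<src>{ADDR}) (?P<dst>{ADDR})(?P<rest>.*)$")
MATCHES = re.compile(r"\((\d+) match(?:es)?\)")
TIME_LEFT = re.compile(r"\(time left (\d+)\)")


@dataclass
class TempEntry:
    acl: str
    dynamic_name: str
    proto: str
    source: str
    destination: str
    matches: int
    time_left: Optional[int]   # None when the entry has no idle/absolute timeout


def parse_temp_entries(text: str) -> List[TempEntry]:
    """Return the temporary entries found under every 'Dynamic' template."""
    entries: List[TempEntry] = []
    acl: Optional[str] = None
    dynamic: Optional[str] = None     # template the following entries belong to
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl, dynamic = header.group(1), None
            continue
        template = DYNAMIC_TEMPLATE.match(line)
        if template:
            dynamic = template.group(1)
            continue
        if SEQUENCED_ACE.match(line):
            dynamic = None            # next ordinary ACE ends the temporary block
            continue
        entry = TEMP_ENTRY.match(line)
        if acl and dynamic and entry:
            rest = entry.group("rest")
            hits = MATCHES.search(rest)
            left = TIME_LEFT.search(rest)
            entries.append(TempEntry(
                acl, dynamic, entry.group("proto"),
                entry.group("src"), entry.group("dst"),
                int(hits.group(1)) if hits else 0,
                int(left.group(1)) if left else None))
    return entries


def entries_without_timeout(entries: List[TempEntry]) -> List[TempEntry]:
    """Entries that stay in the list until an administrator removes them."""
    return [e for e in entries if e.time_left is None]


def clear_command(e: TempEntry) -> str:
    """Build the privileged-EXEC command that removes one temporary entry.

    Assumption: 'host A' is written as 'A 0.0.0.0' and 'any' is kept as is;
    check the argument form in the IOS command reference for your release.
    """
    def addr(a: str) -> str:
        return f"{a.split()[1]} 0.0.0.0" if a.startswith("host ") else a
    return (f"clear access-template {e.acl} {e.dynamic_name} "
            f"{addr(e.source)} {addr(e.destination)}")


def audit(text: str) -> List[str]:
    """One report line per temporary entry, plus a clear command where needed."""
    lines: List[str] = []
    for e in parse_temp_entries(text):
        life = f"{e.time_left}s left" if e.time_left is not None else "NO TIMEOUT"
        lines.append(f"{e.acl}/{e.dynamic_name}: {e.source} -> {e.destination} "
                     f"[{e.matches} matches, {life}]")
        if e.time_left is None:
            lines.append(f"    remove with: {clear_command(e)}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OUTPUT)))
```

Run it against output you have pasted from the router (or collected with your usual CLI automation) and act on every "NO TIMEOUT" line; an entry with a rising match count and no timeout is exactly the lingering spoofing window the maintenance section warns about.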

Manually Delete Dynamic Access-List Entries

To manually delete a temporary access list entry, perform the task shown in Figure in privileged EXEC mode: the clear access-template [access-list-number | name] [dynamic-name] [source] [destination] command. Specify the dynamic list name, source, and destination to remove a single host's entry rather than every temporary entry in the list.