You can verify that Lock and Key is successfully configured on the router by asking a user to test the connection. The user should be at a host that is permitted in the dynamic access list, and the user should have AAA configured.

To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol.
The following sample display illustrates what end users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.

Then, at the router, view the dynamic access lists; they should include an additional entry permitting the user access through the router.
Lock-and-Key Maintenance
When Lock and Key is in use, dynamic access lists will dynamically grow and shrink as entries are added and deleted. You need to make sure that entries are being deleted in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries there are, the bigger the router performance impact will be.

If you don't have an idle or absolute timeout configured, entries will remain in the dynamic access list until you manually remove them. If this is the case for you, make sure that you are extremely vigilant about removing entries.
Display Dynamic Access-List Entries
You can display temporary access-list entries when they are in use. After a temporary access list entry is cleared by you or by the absolute or idle timeout parameter, it can no longer be displayed. The number of matches displayed indicates the number of times the access list entry was hit.

To view dynamic access lists and any temporary access list entries that are currently established, perform the task shown in Figure in privileged EXEC mode.
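The maintenance advice above (watch for entries that never expire, and for the match counts on temporary entries) can be turned into a routine check over the router's access-list display. The following Python script is an added example and is not part of this guide or of Cisco IOS: it parses a constructed, approximate imitation of the access-list display (the exact layout of a real router's output may differ, so the regular expressions are an assumption to adjust), lists every temporary entry with its match count and remaining time, and flags entries that carry no timeout or that have never been hit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not captured from a real router. The layout only
# approximates an IOS access-list display: a static line, a "Dynamic" template
# line, and indented temporary entries created by Lock and Key underneath it.
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit tcp any host 10.1.1.1 eq telnet (6 matches)
    20 Dynamic mytestlist permit ip any any
       permit ip host 10.1.1.2 any (9 matches) (time left 294)
       permit ip host 10.1.1.3 any (time left 4)
    30 deny ip any any
Extended IP access list 102
    10 Dynamic notimeout permit ip any any
       permit ip host 192.0.2.7 any (42 matches)
"""


@dataclass
class TempEntry:
    acl: str            # access list the entry belongs to
    dynamic_name: str   # name of the dynamic template that created it
    source: str         # authenticated host that triggered the entry
    matches: int        # how many packets hit the entry (0 if not shown)
    time_left: Optional[int]  # minutes remaining; None = no timeout shown


ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
DYNAMIC_LINE = re.compile(r"^\s+(?:\d+\s+)?Dynamic (\S+) permit")
NUMBERED_LINE = re.compile(r"^\s+\d+\s+(?:permit|deny)")
TEMP_LINE = re.compile(
    r"^\s+permit \S+ host (\S+) (?:host )?\S+"
    r"(?: \((\d+) matches\))?(?: \(time left (\d+)\))?"
)


def parse_temp_entries(text: str) -> list[TempEntry]:
    """Extract the temporary (Lock-and-Key created) entries from the display."""
    entries: list[TempEntry] = []
    acl = None
    dynamic = None  # name of the dynamic template currently being read
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            acl, dynamic = m.group(1), None
            continue
        m = DYNAMIC_LINE.match(line)
        if m:
            dynamic = m.group(1)
            continue
        if NUMBERED_LINE.match(line):
            dynamic = None  # a following static entry ends the template's block
            continue
        if dynamic is None:
            continue
        m = TEMP_LINE.match(line)
        if m:
            entries.append(TempEntry(
                acl=acl,
                dynamic_name=dynamic,
                source=m.group(1),
                matches=int(m.group(2)) if m.group(2) else 0,
                time_left=int(m.group(3)) if m.group(3) else None,
            ))
    return entries


def audit(entries: list[TempEntry]) -> dict[tuple, list[str]]:
    """Map (acl, template, source) to the reasons an operator should look at it."""
    findings: dict[tuple, list[str]] = {}
    for e in entries:
        reasons = []
        if e.time_left is None:
            reasons.append("no idle/absolute timeout: persists until manually removed")
        if e.matches == 0:
            reasons.append("never matched: opened hole is unused since authentication")
        if reasons:
            findings[(e.acl, e.dynamic_name, e.source)] = reasons
    return findings


if __name__ == "__main__":
    found = parse_temp_entries(SAMPLE_OUTPUT)
    for e in found:
        print(f"acl {e.acl} {e.dynamic_name}: host {e.source} "
              f"matches={e.matches} time_left={e.time_left}")
    for key, reasons in audit(found).items():
        print("ATTENTION", key, "; ".join(reasons))
```

Run it against the display captured from your own router in place of the constructed sample; entries reported with no timeout are exactly the ones the text says must be removed manually, and a long-lived entry with zero matches is a hole that was opened for a session that never used it.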
Manually Delete Dynamic Access-List Entries
To manually delete a temporary access list entry, perform the task shown in Figure in privileged EXEC mode.