A coworker recently came to me for help with an issue. We have a server sitting behind a router at one of our remote sites. Certain people need RDP access to this server, but we do not want it open to the world, so this seems like an ideal scenario for Lock and Key access lists. Lock and Key ACLs are a way to permit temporary access to a resource. Where a static ACL can only permanently allow or deny, a Lock and Key ACL can create temporary openings to suit a specific need: a user first authenticates to the router, and only then does a dynamic entry permitting their traffic get created. In our example it will be a telnet server behind a router. Here’s the topology:

Here we see a host on one side of R1 (Fa0/0) and a server on the other side (Fa1/0). In this example we want very limited access to Telnet on that server. Here’s our config:

! Inbound ACL on the host-facing interface, so it is checked before traffic
! reaches the server side
interface FastEthernet0/0
 description To Host
 ip address 192.168.1.1 255.255.255.0
 ip access-group Telnet in
!
interface FastEthernet1/0
 description To Server
 ip address 192.168.2.1 255.255.255.0
!
! Entry order matters: the dynamic template sits above the static deny, so the
! temporary entries created by access-enable are matched before it. With no
! 'timeout' on the dynamic statement there is no absolute lifetime for those
! entries; only the idle timeout below applies.
ip access-list extended Telnet
 dynamic allow_telnet permit tcp any host 192.168.2.2 eq telnet
 deny   tcp any host 192.168.2.2 eq telnet
 permit ip any any
!
! Local user whose login runs access-enable. 'host' restricts the temporary
! entry to the source address the user logged in from; 'timeout 10' is an idle
! timeout in minutes. 'password 0' stores the password in clear text; 'secret'
! is preferable in production. Not shown here: the vty lines must authenticate
! against the local database (login local) for the autocommand to run.
username allow password 0 allow
username allow autocommand access-enable host timeout 10
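To make the evaluation order and the effect of the `host` and `timeout` keywords concrete, here is an added Python model of the ACL above (not IOS code and not from the original post): the dynamic template is checked first for hosts that have authenticated, then the static deny, then permit ip any any. The host addresses 192.168.1.10 and 192.168.1.11 are constructed for the walkthrough.

```python
from dataclasses import dataclass, field

TELNET_PORT = 23


@dataclass
class LockAndKeyAcl:
    """Model of the page's 'Telnet' ACL, evaluated top-down, first match wins:
         dynamic allow_telnet permit tcp any host <server> eq telnet
         deny   tcp any host <server> eq telnet
         permit ip any any
    Server address and idle timeout (seconds) are supplied by the caller."""
    server: str
    idle_timeout: int
    active: dict = field(default_factory=dict)   # src host -> last use (seconds)

    def access_enable_host(self, src, now):
        # 'autocommand access-enable host timeout 10': once the user has logged
        # in to the router, a temporary entry is created with 'any' replaced by
        # the authenticating host's address only.
        self.active[src] = now

    def permits(self, proto, src, dst, dport, now):
        to_telnet = proto == "tcp" and dst == self.server and dport == TELNET_PORT
        last = self.active.get(src)              # 1. dynamic entries
        if last is not None:
            if now - last >= self.idle_timeout:
                del self.active[src]             # idle timeout hit: re-auth needed
            elif to_telnet:
                self.active[src] = now           # matching traffic refreshes idle timer
                return True
        if to_telnet:                            # 2. deny tcp any host server eq telnet
            return False
        return True                              # 3. permit ip any any


def scenario():
    """Walk the page's topology through the states a practitioner should expect."""
    acl = LockAndKeyAcl(server="192.168.2.2", idle_timeout=10 * 60)
    host, other = "192.168.1.10", "192.168.1.11"   # constructed host addresses
    r = {}
    r["telnet before auth"] = acl.permits("tcp", host, acl.server, 23, now=0)
    r["other traffic before auth"] = acl.permits("tcp", host, acl.server, 80, now=0)
    acl.access_enable_host(host, now=0)            # user 'allow' logged in to R1
    r["telnet after auth"] = acl.permits("tcp", host, acl.server, 23, now=60)
    r["telnet from other host"] = acl.permits("tcp", other, acl.server, 23, now=60)
    r["telnet inside idle window"] = acl.permits("tcp", host, acl.server, 23, now=659)
    r["telnet after idle expiry"] = acl.permits("tcp", host, acl.server, 23, now=1259)
    return r
```

On a real router the same states are visible with `show access-lists`, where the temporary entries appear under the dynamic statement and disappear once idle.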