Greetings All,

Sorry for the slightly off-topic question, but I suspect that this is an issue that others have faced or may soon face as ISPs continue to push out more PPP-oriented networks.

One of our customer's ISP is converting from static IP assignments to PPP IP assignments for all customers' Internet-facing routers. This is creating a security problem that I do not know how to fix and for which the ISP is no help. Problem: how to ACL on a dynamic IP?

Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned the static netblock 1.2.3.0/29. This was what worked before the ISP made the change.

  ! Old config example
  interface serial0/2/0
   ip address 1.2.3.1 255.255.255.248
   ip nat outside
   ip access-group 110 in
   ...
  interface fastethernet0/0
   ip address 172.17.100.254 255.255.255.0
   ip nat inside
   ...
  ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix 29
  ip nat inside source list 1 pool localstatic overload
  ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
  ip nat inside source static ...
  access-list 1 permit 172.17.100.0 0.0.0.255
  access-list 1 deny any log
  access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
  access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
  access-list 110 deny tcp any any log
  access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
  access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
  access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
  access-list 110 deny udp any any log
  access-list 110 permit icmp any host 1.2.3.2 echo-reply
  access-list 110 permit icmp any host 1.2.3.2 unreachable
  access-list 110 permit icmp any host 1.2.3.2 time-exceeded
  access-list 110 deny icmp any any log
  access-list 110 deny ip any any log

In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router to work? Everything behind the router works, but anything generated by the router itself breaks (because the external IP is not permitted in an ACL).

In the new configuration, this is the only change I made (other than PPP stuff):

  ! New config example
  interface serial0/2/0
   ip address negotiated
   ip nat outside
   ip access-group 110 in
   ...

Everything from behind the router continues to work fine. However, the router is unable to do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked. Is there a SIMPLE way to fix this problem AND keep the router secured?

I have searched the Cisco site, and Google, and cannot seem to find an answer that I can fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it to do what I expected.

Thanks in advance for your help!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
There isn't a quick and easy answer, but a more complex solution could be to use EEM w/ a TCL policy to monitor when/if the ip address changes and if it does reconfigure the ACL. ie:

  policy A
    every 10 seconds do 'sh int serial 0/2/0'
    did ip address change?
      no  -> exit
      yes -> run policy B to reconfigure the ACL.

Ask it over on cisco-nsp if you want to try it out.

Rodney

On Wed, May 31, 2006 at 04:02:49PM -0400, Jon R. Kibler wrote:
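The poll-and-rebuild loop Rodney sketches, worked through as an added example that is not code from the thread, from Cisco, or from either poster: a Python helper that parses constructed 'show ip interface brief' output, notices when Serial0/2/0's negotiated address has changed, and renders a replacement for Jon's access-list 110 that keeps every existing rule (the routed /29 and its NAT addresses still work, so those lines stay) and adds the DNS, NTP and ICMP permits the router's own traffic needs, addressed to the current negotiated IP. The helper runs off-box and never talks to a router; how its commands reach the box (an EEM/TCL policy on the router, or SSH from a management host) is assumed, not shown, and the addresses standing in for a.b.c.d, d.n.s.1 and n.t.p.1 are constructed RFC 5737 documentation values.

```python
#!/usr/bin/env python3
"""Poll Serial0/2/0's negotiated address and rebuild the inbound ACL when it changes.

Hypothetical off-box helper (added example, not from the thread). The caller
feeds it 'show ip interface brief' text and pushes the returned commands itself.
"""
import re
from typing import List, Optional, Tuple

WAN_INTF = "Serial0/2/0"

# Stand-ins for the post's placeholders a.b.c.d, d.n.s.1, n.t.p.1
# (constructed, RFC 5737 documentation ranges).
MGMT_HOST = "198.51.100.7"
DNS_SERVER = "192.0.2.53"
NTP_SERVER = "192.0.2.123"

# The routed /29 and the NAT addresses inside it, as in the original config.
STATIC_BLOCK, STATIC_WILDCARD = "1.2.3.0", "0.0.0.7"
NAT_ADDR, SSH_NAT_ADDR = "1.2.3.2", "1.2.3.5"

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def wan_address(show_output: str, intf: str = WAN_INTF) -> Optional[str]:
    """Address that 'show ip interface brief' reports for intf, or None.

    None covers a missing interface, 'unassigned', and an interface that is
    not up/up, so no ACL is ever rendered around a stale address.
    """
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != intf:
            continue
        addr, status, proto = fields[1], " ".join(fields[4:-1]), fields[-1]
        if status != "up" or proto != "up" or not _IPV4.fullmatch(addr):
            return None
        return addr
    return None


def render_acl(wan_ip: str, acl: int) -> List[str]:
    """Numbered ACL with every rule from the post plus the router's own traffic.

    Lines marked 'router itself' are the additions: replies to the router's
    DNS and NTP queries and the ICMP it needs, addressed to the negotiated IP.
    """
    me = f"host {wan_ip}"
    rules = [
        f"permit tcp any {STATIC_BLOCK} {STATIC_WILDCARD} established",
        f"permit tcp host {MGMT_HOST} host {SSH_NAT_ADDR} eq 12322",
        "deny tcp any any log",
        f"permit udp host {DNS_SERVER} eq 53 host {NAT_ADDR}",
        f"permit udp host {DNS_SERVER} host {NAT_ADDR} eq 53",
        f"permit udp host {DNS_SERVER} eq 53 {me}",          # router itself
        f"permit udp host {NTP_SERVER} eq 123 host {NAT_ADDR}",
        f"permit udp host {NTP_SERVER} eq 123 {me}",         # router itself
        "deny udp any any log",
    ]
    for target in (f"host {NAT_ADDR}", me):                  # second target: router itself
        rules += [f"permit icmp any {target} {kind}"
                  for kind in ("echo-reply", "unreachable", "time-exceeded")]
    rules += ["deny icmp any any log", "deny ip any any log"]
    return [f"access-list {acl} {rule}" for rule in rules]


def reconcile(show_output: str, previous_ip: Optional[str],
              active_acl: int = 110) -> Tuple[List[str], int]:
    """Return (commands, acl number now bound). Empty commands means nothing to do.

    The new list is built under the spare number and only then bound to the
    interface, so Serial0/2/0 is never left referencing an ACL that does not
    exist (IOS permits everything in that state).
    """
    current = wan_address(show_output)
    if current is None or current == previous_ip:
        return [], active_acl
    spare = 111 if active_acl == 110 else 110
    cmds = ["configure terminal", f"no access-list {spare}"]
    cmds += render_acl(current, spare)
    cmds += [f"interface {WAN_INTF}", f"ip access-group {spare} in", "exit",
             f"no access-list {active_acl}", "end"]
    return cmds, spare


# Constructed 'show ip interface brief' samples.
SAMPLE_UP = """\
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/2/0                203.0.113.45    YES IPCP   up                    up
FastEthernet0/0            172.17.100.254  YES NVRAM  up                    up
"""
SAMPLE_DOWN = """\
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/2/0                unassigned      YES IPCP   down                  down
"""

if __name__ == "__main__":
    cmds, bound = reconcile(SAMPLE_UP, previous_ip=None)
    print("\n".join(cmds))
    print(reconcile(SAMPLE_UP, previous_ip="203.0.113.45", active_acl=bound))
```

Two design points matter more than the parsing. First, the ACL is regenerated from a template rather than edited in place, so the rule set stays reviewable and the dynamic address is the only variable. Second, the rebuild alternates between numbers 110 and 111 and rebinds the interface before deleting the old list: a plain 'no access-list 110' followed by re-adding lines leaves 'ip access-group 110 in' pointing at a nonexistent list for the duration, and IOS treats that as permit-all inbound. When the link is down or the address is 'unassigned', wan_address returns None and nothing is changed, which keeps the last good ACL in force rather than opening anything during a PPP renegotiation.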