Cisco ACL question

Rodney Dunn rodunn at cisco.com
Thu Jun 1 15:45:43 UTC 2006


There isn't a quick and easy answer but a more
complex solution could be to use EEM w/
a TCL policy to monitor when/if the ip address changes
and if it does reconfigure the ACL.

i.e.:

policy A
 every 10 seconds do 'sh int serial 0/2/0'
   did ip address change?
     no -> exit
     yes -> run policy B to reconfigure the ACL.

Ask it over on cisco-nsp if you want to try it out.

Rodney
 
 
On Wed, May 31, 2006 at 04:02:49PM -0400, Jon R. Kibler wrote:
> Greetings All,
> 
> Sorry for the slightly off-topic question, but I suspect that this is an issue that others
> have faced or may soon face as ISPs continue to push out more PPP-oriented networks.
> 
> One of our customers' ISPs is converting from static IP assignments to PPP IP assignments for
> all customers' Internet facing routers. This is creating a security problem that I do not
> know how to fix and for which the ISP is no help. Problem: how to ACL on a dynamic IP?
> 
> Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned 
> the static netblock 1.2.3.0/29. This was what worked before the ISP made the change.
> 
> ! Old config example
> interface serial0/2/0
>  ip address 1.2.3.1 255.255.255.248
>  ip nat outside
>  ip access-group 110 in
>  ...
> 
> interface fastethernet0/0
>  ip address 172.17.100.254 255.255.255.0
>  ip nat inside
>  ...
> 
> ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix 29
> ip nat inside source list 1 pool localstatic overload
> ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
> ip nat inside source static ...
> 
> access-list 1 permit 172.17.100.0 0.0.0.255
> access-list 1 deny   any log
> 
> access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
> access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
> access-list 110 deny   tcp any any log
> access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
> access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
> access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
> access-list 110 deny   udp any any log
> access-list 110 permit icmp any host 1.2.3.2 echo-reply
> access-list 110 permit icmp any host 1.2.3.2 unreachable
> access-list 110 permit icmp any host 1.2.3.2 time-exceeded
> access-list 110 deny   icmp any any log
> access-list 110 deny   ip any any log
> 
> 
> In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put 
> ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router 
> to work? Everything behind the router works, but anything generated by the router itself
> breaks (because the external IP is not permitted in an ACL).
> 
> In the new configuration, this is the only change I made (other than PPP stuff):
> 
> ! New config example
> interface serial0/2/0
>  ip address negotiated
>  ip nat outside
>  ip access-group 110 in
>  ...
> 
> 
> Everything from behind the router continues to work fine. However, the router is unable to
> do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked. Is there
> a SIMPLE way to fix this problem AND keep the router secured?
> 
> I have searched the Cisco site, and Google, and cannot seem to find an answer that I can
> fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it
> to do what I expected.
> 
> Thanks in advance for your help!
> 
> Jon Kibler
> -- 
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> 
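The poll-and-rebuild logic of Rodney's two-policy sketch, written as an added Python example (not code from the thread, and an off-box script rather than an on-box EEM Tcl policy) that runs over constructed 'show interfaces' output. The transport to the router is left out; the ACL excerpt is the poster's list 110 with the router's own address replaced by the placeholder ROUTER_IP, and the swap between list numbers 110 and 111 is an assumption added so the interface is never left referencing an empty list.

```python
import re

# Constructed sample of 'show interfaces Serial0/2/0' output (not real router output).
SHOW_INT = """Serial0/2/0 is up, line protocol is up
  Internet address is 203.0.113.7/32
  MTU 1500 bytes, BW 1544 Kbit
"""

# Excerpt of the poster's access-list 110 with the router's own address replaced
# by the placeholder ROUTER_IP; lines that reference the static /29 are unchanged.
ACL_TEMPLATE = [
    "permit tcp any 1.2.3.0 0.0.0.7 established",
    "deny   tcp any any log",
    "permit udp host d.n.s.1 eq 53 host ROUTER_IP",
    "permit udp host n.t.p.1 eq 123 host ROUTER_IP",
    "deny   udp any any log",
    "permit icmp any host ROUTER_IP echo-reply",
    "permit icmp any host ROUTER_IP unreachable",
    "permit icmp any host ROUTER_IP time-exceeded",
    "deny   icmp any any log",
    "deny   ip any any log",
]

def current_ip(show_output):
    """Policy A's check: pull the negotiated address out of 'show interfaces'."""
    m = re.search(r"Internet address is (\d+\.\d+\.\d+\.\d+)", show_output)
    return m.group(1) if m else None

def rebuild_commands(new_ip, active_acl):
    """Policy B: config commands that move the filter to the new address.

    The new list is built under the other number and applied with
    'ip access-group' before the old one is deleted.  Deleting the active
    numbered ACL first would leave the interface referencing a list that
    no longer exists, which IOS treats as permit-all until it is re-entered.
    """
    new_acl = 111 if active_acl == 110 else 110
    cmds = ["no access-list %d" % new_acl]                 # start clean (assumed free number)
    cmds += ["access-list %d %s" % (new_acl, line.replace("ROUTER_IP", new_ip))
             for line in ACL_TEMPLATE]
    cmds += ["interface serial0/2/0", " ip access-group %d in" % new_acl,
             "no access-list %d" % active_acl]
    return new_acl, cmds

def poll(show_output, last_ip, active_acl):
    """One timer tick of policy A: returns (ip, active_acl, commands_to_apply)."""
    ip = current_ip(show_output)
    if ip is None or ip == last_ip:
        return ip, active_acl, []          # no change -> exit
    new_acl, cmds = rebuild_commands(ip, active_acl)
    return ip, new_acl, cmds               # change -> run policy B
```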




More information about the NANOG mailing list