Cisco ACL question

Jon R. Kibler Jon.Kibler at aset.com
Wed May 31 20:02:49 UTC 2006


Greetings All,

Sorry for the slightly off-topic question, but I suspect that this is an issue that others
have faced or may soon face as ISPs continue to push out more PPP-oriented networks.

One of our customers' ISPs is converting from static IP assignments to PPP IP assignments for
all customers' Internet facing routers. This is creating a security problem that I do not
know how to fix and for which the ISP is no help. Problem: how to ACL on a dynamic IP?

Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned 
the static netblock 1.2.3.0/29. This was what worked before the ISP made the change.

! Old config example
interface serial0/2/0
 ip address 1.2.3.1 255.255.255.248
 ip nat outside
 ip access-group 110 in
 ...

interface fastethernet0/0
 ip address 172.17.100.254 255.255.255.0
 ip nat inside
 ...

ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix 29
ip nat inside source list 1 pool localstatic overload
ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
ip nat inside source static ...

access-list 1 permit 172.17.100.0 0.0.0.255
access-list 1 deny   any log

access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
access-list 110 deny   tcp any any log
access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
access-list 110 deny   udp any any log
access-list 110 permit icmp any host 1.2.3.2 echo-reply
access-list 110 permit icmp any host 1.2.3.2 unreachable
access-list 110 permit icmp any host 1.2.3.2 time-exceeded
access-list 110 deny   icmp any any log
access-list 110 deny   ip any any log


In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put 
ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router 
to work? Everything behind the router works, but anything generated by the router itself
breaks (because the external IP is not permitted in an ACL).

In the new configuration, this is the only change I made (other than PPP stuff):

! New config example
interface serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group 110 in
 ...


Everything from behind the router continues to work fine. However, the router is unable to
do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked. Is there
a SIMPLE way to fix this problem AND keep the router secured?

I have searched the Cisco site, and Google, and cannot seem to find an answer that I can
fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it
to do what I expected.

Thanks in advance for your help!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
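One way to let the router's own DNS, NTP and ICMP through a host-specific ACL again, added here as an example and not part of the original post or a vendor recommendation: pin router-originated traffic to a static loopback address inside the still-routed 1.2.3.0/29 instead of the negotiated PPP address. It assumes 1.2.3.1 is now unused (the old serial address) and that the ISP keeps routing the /29 to this link, which the working hosts behind the router suggest; d.n.s.1 and n.t.p.1 are the placeholders from the post.

```cisco
! Added example, not from the original post. Assumes 1.2.3.1 is free and
! that 1.2.3.0/29 is still routed to the PPP link by the ISP.
interface Loopback0
 description Static source address for router-originated traffic
 ip address 1.2.3.1 255.255.255.255

interface serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group 110 in

! Router-generated DNS and NTP now leave sourced from 1.2.3.1, not from
! whatever address PPP negotiated, so the replies hit a known host entry.
ip name-server d.n.s.1
ip domain lookup source-interface Loopback0
ntp server n.t.p.1
ntp source Loopback0

! Same policy as before: 1.2.3.2 keeps serving the NAT-overloaded hosts,
! 1.2.3.1 covers the router itself. Everything else is still denied and logged.
access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
access-list 110 deny   tcp any any log
access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.1
access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.1 eq 123
access-list 110 deny   udp any any log
access-list 110 permit icmp any host 1.2.3.2 echo-reply
access-list 110 permit icmp any host 1.2.3.2 unreachable
access-list 110 permit icmp any host 1.2.3.2 time-exceeded
access-list 110 permit icmp any host 1.2.3.1 echo-reply
access-list 110 permit icmp any host 1.2.3.1 unreachable
access-list 110 permit icmp any host 1.2.3.1 time-exceeded
access-list 110 deny   icmp any any log
access-list 110 deny   ip any any log
```

Pings run from the CLI still default to the egress interface address, so use "ping d.n.s.1 source Loopback0" when testing; other router-originated services (syslog, TACACS+, SNMP traps) have their own source-interface commands and need the same treatment.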
