North American Network Operators Group
Cisco ACL question
Greetings All,

Sorry for the slightly off-topic question, but I suspect that this is an issue that others have faced or may soon face as ISPs continue to push out more PPP-oriented networks.

One of our customers' ISP is converting from static IP assignments to PPP IP assignments for all customers' Internet-facing routers. This is creating a security problem that I do not know how to fix and for which the ISP is no help.

Problem: how to ACL on a dynamic IP?

Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned the static netblock 22.214.171.124/29. This was what worked before the ISP made the change.

! Old config example
interface serial0/2/0
 ip address 126.96.36.199 255.255.255.248
 ip nat outside
 ip access-group 110 in
...
interface fastethernet0/0
 ip address 172.17.100.254 255.255.255.0
 ip nat inside
...
ip nat pool localstatic 188.8.131.52 184.108.40.206 prefix 29
ip nat inside source list 1 pool localstatic overload
ip nat inside source static tcp 172.17.100.22 22 220.127.116.11 12322
ip nat inside source static ...
access-list 1 permit 172.17.100.0 0.0.0.255
access-list 1 deny any log
access-list 110 permit tcp any 18.104.22.168 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 22.214.171.124 eq 12322
access-list 110 deny tcp any any log
access-list 110 permit udp host d.n.s.1 eq 53 host 126.96.36.199
access-list 110 permit udp host d.n.s.1 host 188.8.131.52 eq 53
access-list 110 permit udp host n.t.p.1 eq 123 host 184.108.40.206
access-list 110 deny udp any any log
access-list 110 permit icmp any host 220.127.116.11 echo-reply
access-list 110 permit icmp any host 18.104.22.168 unreachable
access-list 110 permit icmp any host 22.214.171.124 time-exceeded
access-list 110 deny icmp any any log
access-list 110 deny ip any any log

In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router to work?

Everything behind the router works, but anything generated by the router itself breaks (because the external IP is not permitted in an ACL). In the new configuration, this is the only change I made (other than PPP stuff):

! New config example
interface serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group 110 in
...

Everything from behind the router continues to work fine. However, the router is unable to do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked.

Is there a SIMPLE way to fix this problem AND keep the router secured? I have searched the Cisco site, and Google, and cannot seem to find an answer that I can fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it to do what I expected.

Thanks in advance for your help!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
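The following is an added example of two ways to answer the question above; it is not from the original post or from any reply on the list. It reuses the poster's placeholders (d.n.s.1, n.t.p.1, a.b.c.d) and the scrubbed addresses from the post as-is, and assumes the 2801 runs an IOS image with the firewall feature set (12.3(14)T or later) for the second approach. The core observation is that the inbound ACL on serial0/2/0 only ever sees packets addressed to the static /29 or to the negotiated address, so pinning a permit on the trusted source host and source port and letting the destination be "any" does not expose anything that was not already reachable; the stateful alternative lets CBAC open the return holes for router-originated traffic so the ACL never has to name the negotiated address at all.

```cisco
! Added example, not from the original post or any reply on the list.
!
! Approach 1: keep access-list 110 inbound on serial0/2/0, but key the
! return-traffic permits on the trusted SOURCE (server address and port)
! and use 'any' as the destination. On an inbound WAN ACL, 'any' can only
! match the static /29 or the negotiated address, so nothing new is opened.
! Numbered ACL lines append, so clear the list before re-entering it.
no access-list 110
access-list 110 permit tcp any 18.104.22.168 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 22.214.171.124 eq 12322
access-list 110 deny   tcp any any log
! Replies to the router's own DNS and NTP queries: source port 53 / 123
! from the known servers, destination left open because it is negotiated.
access-list 110 permit udp host d.n.s.1 eq 53 any
access-list 110 permit udp host n.t.p.1 eq 123 any
access-list 110 deny   udp any any log
! ICMP the router needs for its own pings and traceroutes.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   icmp any any log
access-list 110 deny   ip any any log
!
! Approach 2 (stateful): let CBAC track traffic the router itself generates
! ('router-traffic' keyword) and open the matching return hole through the
! inbound ACL. The ACL above then needs no DNS/NTP/ICMP reply lines at all.
ip inspect name ROUTER-OUT udp router-traffic
ip inspect name ROUTER-OUT tcp router-traffic
ip inspect name ROUTER-OUT icmp router-traffic
!
interface serial0/2/0
 ip address negotiated
 ip nat outside
 ip access-group 110 in
 ip inspect ROUTER-OUT out
```

With the first approach, leave the "established" line pinned to the static /29 unless the router itself must originate TCP sessions outbound (in which case the same "any" substitution applies, at the cost of letting ACK-flagged probes reach the negotiated address). With the second, verify the dynamic holes with "show ip inspect sessions" while the router runs a lookup or an NTP poll; if the image lacks the "router-traffic" keyword, CBAC will only inspect transit traffic and the router's own queries will still time out.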