Cisco ACL question

Greetings All,

Sorry for the slightly off-topic question, but I suspect that this is an issue that others
have faced or may soon face as ISPs continue to push out more PPP-oriented networks.

The ISP of one of our customers is converting from static IP assignments to PPP IP assignments for
all customers' Internet facing routers. This is creating a security problem that I do not
know how to fix and for which the ISP is no help. Problem: how to ACL on a dynamic IP?

Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned
the static netblock 1.2.3.0/29. This was what worked before the ISP made the change.

! Old config example
interface serial0/2/0
ip address 1.2.3.1 255.255.255.248
ip nat outside
ip access-group 110 in
...

interface fastethernet0/0
ip address 172.17.100.254 255.255.255.0
ip nat inside
...

ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix 29
ip nat inside source list 1 pool localstatic overload
ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
ip nat inside source static ...

access-list 1 permit 172.17.100.0 0.0.0.255
access-list 1 deny any log

access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
access-list 110 deny tcp any any log
access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
access-list 110 permit udp host n.t.p.1 eq 123 host 1.2.3.2
access-list 110 deny udp any any log
access-list 110 permit icmp any host 1.2.3.2 echo-reply
access-list 110 permit icmp any host 1.2.3.2 unreachable
access-list 110 permit icmp any host 1.2.3.2 time-exceeded
access-list 110 deny icmp any any log
access-list 110 deny ip any any log

In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put
ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router
to work? Everything behind the router works, but anything generated by the router itself
breaks (because the external IP is not permitted in an ACL).

In the new configuration, this is the only change I made (other than PPP stuff):

! New config example
interface serial0/2/0
ip address negotiated
ip nat outside
ip access-group 110 in
...

Everything from behind the router continues to work fine. However, the router is unable to
do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked. Is there
a SIMPLE way to fix this problem AND keep the router secured?

I have searched the Cisco site, and Google, and cannot seem to find an answer that I can
fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it
to do what I expected.

Thanks in advance for your help!

Jon Kibler

There isn't a quick and easy answer but a more
complex solution could be to use EEM w/
a TCL policy to monitor when/if the ip address changes
and if it does reconfigure the ACL.

i.e.:

policy A
every 10 seconds do 'sh int serial 0/2/0'
   did ip address change?
     no -> exit
     yes -> run policy B to reconfigure the ACL.

Ask it over on cisco-nsp if you want to try it out.

Rodney
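Added example, not part of the thread and not Rodney's or Cisco's code: one way to write the polling policy sketched above as an IOS EEM applet, using the ACL entries from Jon's post. It assumes an IOS release with EEM 2.4 or later (12.4(22)T onward, which provides the "regexp" and "if ... end" applet actions), that IOS assigned the default sequence numbers 10, 20, 30 ... 120 to the twelve entries of ACL 110 in the order posted (check with "show ip access-lists 110" before relying on them), and it keeps d.n.s.1 and n.t.p.1 as the placeholder addresses from the original post. Rather than remembering the last address somewhere, it reads the address currently written into the DNS entry of ACL 110, so the ACL itself is the state.

```cisco
! Added example (not from the thread, not Cisco's code): EEM applet that polls
! the negotiated PPP address every 10 seconds and rewrites only the ACL 110
! entries that name the router's own address. Assumes EEM 2.4+ and default
! sequence numbers 10..120 on the ACL as posted. d.n.s.1 / n.t.p.1 are the
! placeholders from the original post.
event manager applet ACL110-DYNIP
 event timer watchdog time 10
 action 010 cli command "enable"
 ! Address PPP has currently negotiated on the WAN interface
 ! (the column reads "unassigned" while the link is down)
 action 020 cli command "show ip interface brief | include Serial0/2/0"
 action 030 regexp "Serial0/2/0 +([0-9.]+)" "$_cli_result" match cur_ip
 action 040 if $_regexp_result eq 0
 action 041 exit 0
 action 042 end
 ! Address the DNS reply entry of ACL 110 currently permits; IOS prints
 ! port 53 as "domain" in show output, so that is what we search for
 action 050 cli command "show ip access-lists 110 | include eq domain host"
 action 060 regexp "eq domain host ([0-9.]+)" "$_cli_result" match acl_ip
 action 070 if $_regexp_result eq 0
 action 071 set acl_ip "none"
 action 072 end
 ! Only touch the configuration when the address actually changed
 action 080 if $cur_ip ne $acl_ip
 action 090 syslog msg "ACL110-DYNIP: WAN address $acl_ip -> $cur_ip, rewriting router self-traffic entries in ACL 110"
 action 100 cli command "configure terminal"
 action 110 cli command "ip access-list extended 110"
 ! Replace each self-traffic entry in place by sequence number. The
 ! established rule, the customer-facing entries and the final deny
 ! statements are never removed, so the list never falls open.
 action 120 cli command "no 40"
 action 121 cli command "40 permit udp host d.n.s.1 eq 53 host $cur_ip"
 action 130 cli command "no 50"
 action 131 cli command "50 permit udp host d.n.s.1 host $cur_ip eq 53"
 action 140 cli command "no 60"
 action 141 cli command "60 permit udp host n.t.p.1 eq 123 host $cur_ip"
 action 150 cli command "no 80"
 action 151 cli command "80 permit icmp any host $cur_ip echo-reply"
 action 160 cli command "no 90"
 action 161 cli command "90 permit icmp any host $cur_ip unreachable"
 action 170 cli command "no 100"
 action 171 cli command "100 permit icmp any host $cur_ip time-exceeded"
 action 180 cli command "end"
 action 190 end
```

Two points matter for keeping the router secured while this runs. First, the entries are removed and re-added one at a time inside named-ACL mode, so the only gap is a momentary deny of the router's own DNS, NTP or ICMP replies, which fails closed; doing "no access-list 110" and rebuilding the whole list would be simpler, but while the list does not exist an interface that still carries "ip access-group 110 in" passes all traffic, which fails open. Second, the applet writes whatever address it finds in "show ip interface brief" into permit statements, so the syslog line on every rewrite is worth collecting: an unexpected address change is exactly the event you would want to notice on a link the ISP controls.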