ACL's that use dynamic IP's as supplied by ISP.

RichardOfHERTS
Level 1

I have a Cisco 877W router with outer interfaces ATM0 and Dialer0, that use a negotiated ip address that is supplied by my ISP and which is different every time I re-boot the router.

I have written ACL's that use domain names rather than static ip's for those websites that use ip addresses that change over time. In resolving these names the router goes off to the DNS and tries to fetch the ip addresses of said websites. However the syslog reports that the ACL's block the replies to the router's WAN ip address.

I am looking for a way of specifying my dynamically allocated WAN ip address in ACL's, the pseudo code for which would I imagine to be something like:

permit ip host WANADDRESS any

The trick being not having to hard code the WAN address into the ACL.

This issue only arises with the router. All the other devices on the LAN can use DNS and NTP without any issues.

Any ideas on how to work around this problem would be very much appreciated.

Regards

Richard

5 Replies

Marcin Latosiewicz
Cisco Employee

Richard,

A few questions pop to mind:

1) If it's filtering for local users, why not apply it inbound on LAN interfaces?

2) If you need to allow traffic from the router itself to be dynamically allowed.

CBAC+router-traffic option is what you should be looking into.

e.g.

Spoke1(config)#ip inspect name BLAH udp router-traffic

Marcin

Hello Marcin

Not sure what item 1 of your reply is getting at, but the traffic of interest should not be getting through to the LAN, as its target/source device is the router itself.

Item 2 of your reply sounds nearer the mark, will certainly check it out. So thanks for that. But (and excuse me if this sounds daft as I'm new to the IOS) the word 'inspect' doesn't sound right (i.e. sounds like an intrusion detection/prevention action rather than a firewall action). What I thought I should be looking for would be along the lines of

'permit host ROUTER host www.webserver.com'

or

'permit host www.webserver.com host ROUTER'

Where ROUTER resolves to the dynamically allocated WAN ip address of the router.

Does this make more sense than my previous posting?

Regards

Richard.

Richard,

If you use ZBF (zone based firewall) you can do that but, you are doing CBAC and what you have mentioned (permit router to webserver and webserver to router) will be achieved with what Marcin provided.

-KS

Hello Poonguzhali

Please could you tell me if the 'inspect' command is a firewall operation or an IPS/IDS operation?

If it is a firewall operation, then how do restrictions on source and destination ip addresses get applied to router specific traffic?

I ask because I really do not want to open up all traffic addressed specifically to the router, as this may leave the router itself open to attack. Worst case being that traffic gets relayed via a malicious sniffer site.

Thanking you in anticipation

Regards

Richard.

Hi,

Please could you tell me if the 'inspect' command is a firewall operation or an IPS/IDS operation?

It is a firewall operation: it enables a stateful firewall on the router, but you must permit outbound traffic to be inspected and deny everything inbound from the internet except some traffic like icmp.


Regards.

Alain.

Don't forget to rate helpful posts.
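Putting Marcin's router-traffic option and Alain's "inspect outbound, deny inbound" description together, here is an added example of what the Dialer0 side could look like. This is constructed for illustration, not configuration posted by anyone in the thread; the rule name FW-OUT, the ACL name WAN-IN and the choice of permitted ICMP types are assumptions.

```cisco
! Constructed example: CBAC on an IOS router whose WAN (Dialer0) address is negotiated.
! The WAN address never appears in the ACL; return traffic is opened dynamically
! by the inspection engine, so the address can change on every reboot.
!
! Inspect TCP and UDP sessions, including ones the router itself originates
! (DNS lookups for the domain-name ACL entries, NTP) thanks to router-traffic.
ip inspect name FW-OUT tcp router-traffic
ip inspect name FW-OUT udp router-traffic
!
! Inbound from the Internet: nothing is statically permitted except a few ICMP
! types needed for path MTU discovery and troubleshooting. Replies to inspected
! sessions bypass this list through the temporary entries CBAC inserts.
ip access-list extended WAN-IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any log
!
interface Dialer0
 ip address negotiated
 ip access-group WAN-IN in
 ip inspect FW-OUT out
```

Because the inbound list ends in deny, unsolicited connections to the router are still dropped and logged; only replies to sessions the router (or the LAN) initiated are let back in, which addresses Richard's concern about opening up all router-addressed traffic.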