12-29-2010 02:57 PM - edited 03-11-2019 12:28 PM
I have a Cisco 877W router with outer interfaces ATM0 and Dialer0, which use a negotiated IP address that is supplied by my ISP and which is different every time I reboot the router.
I have written ACLs that use domain names rather than static IPs for those websites that use IP addresses that change over time. In resolving these names the router goes off to the DNS and tries to fetch the IP addresses of said websites. However, the syslog reports that the ACLs block the replies to the router's WAN IP address.
I am looking for a way of specifying my dynamically allocated WAN IP address in ACLs, the pseudo code for which would, I imagine, be something like:
permit ip host WANADDRESS any
The trick being not having to hard code the WAN address into the ACL.
This issue only arises with the router. All the other devices on the LAN can use DNS and NTP without any issues.
Any ideas on how to work around this problem would be very much appreciated.
Regards
Richard
12-30-2010 04:30 PM
Richard,
A few questions pop to mind:
1) If it's filtering for local users, why not apply it inbound on LAN interfaces?
2) If you need traffic from the router itself to be dynamically allowed,
CBAC + the router-traffic option is what you should be looking into.
e.g.
Spoke1(config)#ip inspect name BLAH udp router-traffic
Marcin
12-31-2010 06:00 AM
Hello Marcin
Not sure what item 1 of your reply is getting at, but the traffic of interest should not be getting through to the LAN, as its target/source device is the router itself.
Item 2 of your reply sounds nearer the mark, will certainly check it out. So thanks for that. But (and excuse me if this sounds daft as I'm new to the IOS) the word 'inspect' doesn't sound right (i.e. sounds like an intrusion detection/prevention action rather than a firewall action). What I thought I should be looking for would be along the lines of
'permit host ROUTER host www.webserver.com'
or
'permit host www.webserver.com host ROUTER'
Where ROUTER resolves to the dynamically allocated WAN ip address of the router.
Does this make more sense than my previous posting?
Regards
Richard.
12-31-2010 06:14 AM
Richard,
If you use ZBF (zone based firewall) you can do that, but you are doing CBAC, and what you have mentioned (permit router to webserver and webserver to router) will be achieved with what Marcin provided.
-KS
01-03-2011 05:19 AM
Hello Poonguzhali
Please could you tell me if the 'inspect' command is a firewall operation or an IPS/IDS operation?
If it is a firewall operation, then how do restrictions on source and destination ip addresses get applied to router specific traffic?
I ask because I really do not want to open up all traffic addressed specifically to the router, as this may leave the router itself open to attack. Worst case being that traffic gets relayed via a malicious sniffer site.
Thanking you in anticipation
Regards
Richard.
01-03-2011 06:19 AM
Hi,
Please could you tell me if the 'inspect' command is a firewall operation or an IPS/IDS operation?
It is a firewall operation; it enables a stateful firewall on the router, but you must permit outbound traffic to be inspected and deny everything inbound from the internet except some traffic like ICMP.
Regards.
Alain.
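Putting Marcin's router-traffic suggestion and Alain's "deny everything inbound" advice together, here is an added example configuration (not posted by anyone in this thread) for a Dialer0 interface with a negotiated address. The inspection name OUT_INSPECT and the ACL name WAN_IN are assumed; the ICMP types permitted are a choice, not something the thread prescribes.

```cisco
! Added example, not from the thread. Names OUT_INSPECT and WAN_IN are assumed.
!
! Inspect TCP and UDP sessions, including ones the router itself originates
! (DNS lookups, NTP). Return traffic for an inspected session is admitted
! dynamically, so the negotiated WAN address never has to appear in the ACL.
ip inspect name OUT_INSPECT tcp router-traffic
ip inspect name OUT_INSPECT udp router-traffic
!
! Inbound WAN ACL: nothing gets in except what inspection opens plus a few
! explicit ICMP types. The final deny logs what is still dropped, which is
! the kind of entry the syslog in the question was showing.
ip access-list extended WAN_IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
interface Dialer0
 ip address negotiated
 ip access-group WAN_IN in
 ip inspect OUT_INSPECT out
```

After applying it, `show ip inspect sessions` lists the sessions that inspection has opened, and the `log` keyword on the final deny keeps a record of anything that is still being dropped.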