04-02-2010 01:57 PM - edited 03-03-2019 05:54 AM
I have a router that is connected to a cable ISP. My external interface receives its address from my ISP via DHCP
(Interface FastEthernet 0/0
ip address DHCP).
My question-- is there a way to make an ACL that uses that address? Meaning that the ACL changes when that address does?
04-02-2010 07:23 PM
No, you can't configure access-list to reference to the DHCP assigned ip address dynamically.
However, if you configure NAT statement to translate the interface ip to an internal server, that would only allow access to the current assigned ip address anyway.
Hope that answers your question.
04-02-2010 07:38 PM
How would you do that?
04-02-2010 08:03 PM
Can you advise what you are trying to achieve with the access-list on the outside interface? ie: what traffic you would like to allow and deny?
04-08-2010 10:05 AM
Sorry it's taken so long to get back with you, but I want to deny traffic with the same address as a source (spoofed traffic) and I want to allow ssh to it (this is only temporary, until I can get my openVPN server working correctly). Which brings me to another question-- if I put the ip nat inside static commands on (forwarding the ports for openVPN) and permit access for those ports to my server (ie-- permit tcp any host 192.168.0.5 eq 1194), will it permit it or not? I ask this because my vpn client will obviously be targeting the external address, so without an access-list to permit that to the interface does the nat rule combined with the ACL permit allow it through (and I really don't want to put any as the destination)? Or is that what you are telling me halijenn?
04-08-2010 10:29 PM
For SSH access to the router, you can configure standard access-list and assign it to "line vty" to only allow specific ip address to SSH into the router.
For port forwarding, the NAT statement will be to port forward traffic coming to the interface on specific port, hence even if you configure access-list to permit to destination any with the port#, it will only allow inbound traffic towards 1 server that you configure the nat translation on. Even if you configure "permit ip any any" ACL, if you do not have NAT translation for it, traffic won't be able to traverse in.
04-09-2010 08:51 AM
I've got everything else working (including ssh from my internal network) so I'm only posting configs directly related to the issues I'm wanting to resolve (IE trying to keep it short, sweet and to the point)...
So my NAT rules will need to be as follows, are they correct (I also want 443 to that as well)?
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
And then my access list entries will need to be as follows, correct?
ip access-list extended inboundfilters
permit tcp any any eq 443
permit udp any any eq 1194
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit tcp "work's public IP" any eq ssh
Finally, I would apply 103 to line vty; I'm assuming it would be an access-group like so: (Do I need to apply the same access-group in on the external interface?)
interface FastEthernet0/1
description Web-Facing
ip access-group inboundfilters in
ip access-group 103 in
ip nat outside
line vty 0 4
ip access-group 103 in
04-09-2010 08:59 AM
If I apply 103 to my line vty then I'll have to add my private network as well, so I'll just add permit tcp "work's public IP" any eq ssh to my inboundfilters access-list, not put access-group 103 on the external interface, and add the line permit tcp 192.168.0.0 0.0.0.255 any eq ssh to ACL 103 (I'll have to make it extended, of course).
04-09-2010 03:40 PM
The NAT statement is correct, and the inboundfilters ACL is also correct.
However, you cannot apply 2 ACLs on 1 interface:
interface FastEthernet0/1
description Web-Facing
ip access-group inboundfilters in
ip access-group 103 in <------ needs to be removed
ip nat outside
For line vty 0 4, you can just configure standard ACL:
access-list 5 permit host
line vty 0 4
access-class 5 in
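Pulling the thread's pieces together, here is an added example configuration (not the poster's or the replier's own) that shows how the NAT port forwards, the outside-interface ACL and the vty access-class fit. Assumed values: 203.0.113.10 stands in for "work's public IP", FastEthernet0/1 is the DHCP-addressed ISP side and FastEthernet0/0 is the 192.168.0.0/24 LAN.

```cisco
! Constructed example; addresses and interface roles are assumptions, see the lead-in.
interface FastEthernet0/1
 description Web-Facing
 ip address dhcp
 ip access-group inboundfilters in
 ip nat outside
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! LAN hosts share whatever address DHCP hands the outside interface
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/1 overload
! Port forwards: these are the only inbound translations, so only these
! two destinations can ever be reached from the ISP side
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
!
! Inbound filter on the outside interface. It is checked before NAT, so the
! destination is still the outside address, which cannot be written here
! because it changes with the lease; "any" plus the static NAT entries above
! bounds what actually reaches the inside.
ip access-list extended inboundfilters
 remark anti-spoofing: nothing arriving from the ISP may carry an inside source
 deny   ip 192.168.0.0 0.0.0.255 any log
 remark SSH to the router only from the work address
 permit tcp host 203.0.113.10 any eq 22
 remark services forwarded to 192.168.0.5
 permit tcp any any eq 443
 permit udp any any eq 1194
 remark replies to TCP connections the LAN opened through the overload NAT;
 remark UDP replies (e.g. DNS) need reflexive ACLs or inspection, not shown here
 permit tcp any any established
 deny   ip any any log
!
! Management filter for the vty lines uses access-class (not access-group) with a
! standard ACL, and lists the LAN as well so internal SSH keeps working
access-list 5 permit host 203.0.113.10
access-list 5 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 5 in
 transport input ssh
```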