Question to Cisco 877 ddns and access-list

bdonleitner
Level 1

Hello

According to this link I configured DDNS on my Cisco 877W router, but it didn't work:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-dyn-dns-supp-ios.html

With debug ip ddns I get the following information:

*Sep 21 16:03:07.818: DYNDNSUPD: Adding DNS mapping for xxxx.no-ip.org <=> 80.121.93.40
*Sep 21 16:03:07.818: HTTPDNS: Update add called for xxxx.no-ip.org <=> 80.121.93.40
*Sep 21 16:03:07.818: HTTPDNSUPD: Session ID = 0xD
*Sep 21 16:03:07.818: HTTPDNSUPD: URL = 'http://xxxx:xxxx@dynupdate.no-ip.com/nic/update?hostname=xxxx.no-ip.org&myip=80.121.93.40'
*Sep 21 16:03:07.818: HTTPDNSUPD: Sending request
*Sep 21 16:03:07.818: http_client_request:
*Sep 21 16:03:07.818: httpc_setup_request:
*Sep 21 16:03:07.818: http_client_process_request:
httpc_request: Have the credentials
*Sep 21 16:03:08.038: %SEC-6-IPACCESSLOGP: list 111 denied tcp 8.23.224.120(80) -> 80.121.93.40(58181), 1 packet
*Sep 21 16:03:17.131: %SEC-6-IPACCESSLOGP: list 111 denied tcp 157.56.116.202(12350) -> 80.121.93.40(37922), 1 packet
*Sep 21 16:03:27.852: HTTPDNSUPD: Call returned Connection time out, update of bedo1976.no-ip.org <=> 80.121.93.40 failed

I recognized that access-list 111 denied the traffic from no-ip.org on port 80.

After I configured incoming access on port 80:

access-list 111 permit tcp any eq 80 any log

the DDNS update was successful:

*Sep 21 16:13:10.818: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 8.23.224.120(80) -> 80.121.93.40(50667), 1 packet
http_cfs_file_put: Authentication pending.
*Sep 21 16:13:11.014: Tue, 21 Sep 2010 16:13:11 GMT 80.121.93.40 http://dynupdate.no-ip.com/nic/update?hostname=xxxx.no-ip.org&myip=80.121.93.40 ok
        Protocol = HTTP/1.0
*Sep 21 16:13:11.014:   Content-Type = text/html; charset=UTF-8
        Content-Length = 47
        Date = Sun, 16 Aug 2015 09:56:35 GMT
*Sep 21 16:13:11.414: Tue, 21 Sep 2010 16:13:11 GMT 80.121.93.40 http://dynupdate.no-ip.com/nic/update?hostname=xxxx.no-ip.org&myip=80.121.93.40 ok
        Protocol = HTTP/1.1
*Sep 21 16:13:11.414:   Content-Type = text/plain; charset=UTF-8
        Content-Length = 18
        Date = Sun, 16 Aug 2015 09:56:35 GMT
*Sep 21 16:13:11.418: HTTPDNSUPD: Response for update xxxxx.no-ip.org <=> 80.121.93.40
*Sep 21 16:13:11.418: HTTPDNSUPD: DATA START
nochg 80.121.93.40
*Sep 21 16:13:11.418: HTTPDNSUPD: DATA END, Status is Response data recieved, successfully
*Sep 21 16:13:11.418: HTTPDNSUPD: Call returned SUCCESS, update of xxxx.no-ip.org <=> 80.121.93.40 succeeded

But I don't understand why I need an ACL for the incoming HTTP message from no-ip.org. In my opinion, first the 877 sends an HTTP message to no-ip, and the answer back in the same HTTP session should not need an additional firewall entry. And why is there no hint in the Cisco documentation to enable an incoming ACL for the HTTP DDNS response? Is this a feature, that I really need an ACL for configuring DDNS, or is this a bug? Or did I configure something else that makes it necessary to enable incoming DDNS traffic?

I also found a similar discussion, but with no final answer:

https://supportforums.cisco.com/discussion/11180846/cisco-877-ntp-and-ddns-problems

I attached the configuration to this request.

Thanks for your help.


Jon Marshall
Hall of Fame

The issue is that CBAC does not by default check packets generated by the router itself, i.e. it only works for traffic passing through the router.

Did you try the suggestion in that other thread, i.e. add the "router-traffic" keyword to your configuration to tell the router to inspect traffic it generates?

Note I don't have a router running CBAC, so it's unclear whether adding "ip inspect tcp router-traffic timeout 3600" will add another line or, by the looks of it, overwrite your existing line.

It's also not clear whether the above line still includes TCP traffic going through the router, but I suspect it does.

Finally, even with that it didn't seem to work for the other poster, but you may at least want to try it; otherwise you will need your ACL entry.

So no guarantees and test this out of hours.

Jon
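As an added illustration (not from the thread and not the poster's attached configuration): the broad ACL line from the question beside the CBAC approach Jon describes. The inspection name FW, the interface Dialer0 and the deny line closing ACL 111 are assumptions; the real configuration may differ.

```cisco
! --- Weak: the workaround from the question ---
! Any external host sending from source port 80 reaches any inside
! address; the ACL cannot tell whether the router asked for it.
access-list 111 permit tcp any eq 80 any log
access-list 111 deny ip any any log
interface Dialer0
 ip access-group 111 in

! --- Better: Jon's suggestion ---
! The inbound ACL stays closed. CBAC opens a return path per session,
! and "router-traffic" extends that to sessions the router itself
! originates (the HTTP update, and the UDP DNS lookup that precedes it).
access-list 111 deny ip any any log
ip inspect name FW tcp router-traffic timeout 3600
ip inspect name FW udp router-traffic
interface Dialer0
 ip access-group 111 in
 ip inspect FW out
```

To check it, run "show ip inspect sessions" during a "debug ip ddns" update: the session to dynupdate.no-ip.com port 80 should be listed, and the %SEC-6-IPACCESSLOGP deny for source port 80 should no longer appear.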

Hi Jon

What you are writing sounds logical and clear. Thanks for your declaration. I'll test router-traffic, and if it doesn't work I'll configure an incoming ACL to the public IP of no-ip.

Best Regards

Bernhard
