04-23-2005 04:12 PM
I have a Cisco 804 that I want to simply set an access list on the vty lines to allow telnet from "outside". My ISP provides dynamic IP to the outside interface, so mapping that interface IP address isn't really an option. Can I somehow resolve my hostname to my outside host that I use for telnet? Following is my current running-config.
sh running-config
Building configuration...
Current configuration:
!
! Last configuration change at 17:46:56 UTC Sat Apr 23 2005
! NVRAM config last updated at 17:47:04 UTC Sat Apr 23 2005
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 804RouterCLIcfg
!
no logging monitor
enable secret xxxx
!
!
!
!
!
!
!
ip subnet-zero
!
ip dhcp pool DHCPpoolLAN_0
network 192.168.0.0 255.255.255.0
dns-server 216.229.xx.xx 216.229.xx.x 192.168.x.xx
default-router 192.168.x.x
!
ip host [name xxx] 0.0.0.0 255.255.255.255
ip host 804Router 192.168.x.x
ip name-server 216.229.xx.xx
isdn switch-type basic-ni
!
!
!
interface Ethernet0
ip address 192.168.x.x 255.255.255.0
ip nat inside
!
interface BRI0
bandwidth 160
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 xxxxxxxxxxxxxx
isdn spid2 xxxxxxxxxxxxxx
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Dialer1
bandwidth 160
ip address negotiated
ip access-group 110 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 300
dialer string xxxxxxx
dialer hold-queue 10
dialer load-threshold 2 either
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx
ppp chap password xxxx
ppp pap sent-username xxxxxx password xxxx
ppp multilink
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no logging trap
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 110 deny icmp any any echo
access-list 110 deny tcp any any range ftp 22
access-list 110 deny tcp any any eq smtp
access-list 110 deny tcp any any range 50 51
access-list 110 deny tcp any any eq domain
access-list 110 deny tcp any any range www 81
access-list 110 deny tcp any any eq pop3
access-list 110 deny tcp any any eq ident
access-list 110 deny tcp any any eq 143
access-list 110 deny tcp any any eq 259
access-list 110 deny tcp any any eq 389
access-list 110 deny tcp any any eq 443
access-list 110 deny tcp any any eq 449
access-list 110 deny tcp any any eq 500
access-list 110 deny tcp any any eq 522
access-list 110 deny tcp any any range 1024 1055
access-list 110 deny tcp any any eq 1720
access-list 110 deny tcp any any eq 5000
access-list 110 permit ip any any
access-list 111 deny udp any eq netbios-dgm any
access-list 111 deny udp any eq netbios-ns any
access-list 111 deny udp any eq netbios-ss any
access-list 111 deny tcp any eq 137 any
access-list 111 deny tcp any eq 138 any
access-list 111 deny tcp any eq 139 any
access-list 111 permit ip any any
dialer-list 1 protocol ip list 111
!
line con 0
exec-timeout 60 0
transport input none
stopbits 1
line vty 0 4
timeout login response 120
password xxxxxx
login
!
!
end
04-23-2005 11:37 PM
Your provider may issue a dynamic DNS name to your account. This name should stay the same although the IP address changes. You can check this using the "nslookup" command on your PC. If this appears to be the case, you can refer to the DNS name instead of the IP address. That should solve your problem.
Regards,
Leo
04-24-2005 06:50 PM
I find the original post somewhat confusing. What I think I understand is that he wants to create an access list which will be used to control telnet access to the router. He believes that an access list will be difficult to construct because the destination address is not fixed and may change from time to time.
There is a simple solution which does not depend on knowing the destination address. This solution is to configure an access class on the vty ports. An access class generally uses a standard access list and is designed specifically to control remote access to the router. A configuration might look like this if there were three specific hosts and one subnet which you wanted to grant the ability to telnet to the router:
access-list 15 permit 102.102.102.5
access-list 15 permit 150.150.150.6
access-list 15 permit 160.160.160.1
access-list 15 permit 100.1.1.0 0.0.0.63
line vty 0 4
access-class 15 in
One of the advantages of access-class is that you do not need to worry about which interface to assign it to and not worry about which destination address to specify. Also there is an advantage that access-class will only apply the list to packets whose destination is the router where if you use access-group on an interface to control telnet then every packet coming to the interface will have to be examined by the access list.
HTH
Rick
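As an added example (not code from Rick's post or from Cisco), a small Python evaluator that applies IOS standard-ACL wildcard matching and the implicit deny to the access-list 15 above, so you can check which source addresses an access-class would admit before putting it on the vty lines:

```python
import ipaddress

# Rick's example standard access list, transcribed from the post above.
ACL_15_TEXT = """
access-list 15 permit 102.102.102.5
access-list 15 permit 150.150.150.6
access-list 15 permit 160.160.160.1
access-list 15 permit 100.1.1.0 0.0.0.63
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny <addr> [wildcard]' lines.
    Also accepts 'host <addr>' and 'any', as IOS does."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if parts[3] == "any":
            rules.append((action, "0.0.0.0", "255.255.255.255"))
        elif parts[3] == "host":
            rules.append((action, parts[4], "0.0.0.0"))
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # omitted wildcard = exact host
            rules.append((action, parts[3], wildcard))
    return rules

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def access_class_decision(acl, src):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

ACL_15 = parse_acl(ACL_15_TEXT)

if __name__ == "__main__":
    for src in ("102.102.102.5", "102.102.102.6", "100.1.1.37", "100.1.1.64"):
        print(src, access_class_decision(ACL_15, src))
```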
04-24-2005 07:27 PM
You understood my goal perfectly. In fact, I had set the last access-list (different IP and subnet, of course) you described. The implicit deny and application to vty is much simpler than the alternative. My only remaining problem is, the router that I am telnetting to is receiving a dynamic IP on the outside from an ISP. The router isn't part of a registered name domain, and the ISP hasn't happened to assign a static hostname as part of the ISP account the router is part of. Unless someone is at the site to tell me what IP address is hitting the router, how else can I direct a telnet session to it from my remote location? (The 100.1.1.0 0.0.0.63 subnet in your example.)
04-25-2005 04:44 AM
I designed a solution for a customer with a situation similar to yours. I assume that you are doing NAT (or PAT) to translate addresses of devices connected to the inside interface to addresses of the provider address space. For my customer we did not translate the inside addresses to the provider address space. We had the router establish IPSec with GRE tunnels to the headquarters site and ran a routing protocol over the tunnels. This allowed all devices in the customer network to access resources at these remote sites. To telnet to the router we would either telnet to the inside interface address or we would configure a loopback interface with an IP address, make sure that the loopback address was included in the routing protocol, and then telnet to the loopback interface address. And we use access-class on the vty ports to control who has remote access to the router.
HTH
Rick
04-26-2005 05:36 PM
Good, innovative solution. I'm just a trained CCNA with little experience, so actual implementation may be a little more difficult than my actual understanding of what you did, but I think I can get there. I think I can see how your customer could still access typical Internet services as usual, as well as other specific resources at the headquarters site. If I'm incorrect about typical Internet resources, let me know. Otherwise, with a little more self study and appropriate scheduling, I'll try to implement and provide a "resolved" mark here as appropriate. Thanks, Rick