Can you use a Leased (DHCP) Address in an ACL

onyxwolf_x
Level 1

I have a router that is connected to a cable ISP. My external interface receives its address from my ISP via DHCP:

interface FastEthernet 0/0
 ip address dhcp

My question-- is there a way to make an ACL that uses that address? Meaning that the ACL changes when that address does?

8 Replies

Jennifer Halim
Cisco Employee

No, you can't configure an access-list to reference the DHCP-assigned IP address dynamically.

However, if you configure a NAT statement to translate the interface IP to an internal server, that would only allow access to the currently assigned IP address anyway.

Hope that answers your question.

How would you do that?

Can you advise what you are trying to achieve with the access-list on the outside interface? I.e., what traffic would you like to allow and deny?

Sorry it's taken so long to get back to you, but I want to deny traffic with the same address as a source (spoofed traffic), and I want to allow SSH to it (this is only temporary, until I can get my OpenVPN server working correctly). Which brings me to another question: if I put the ip nat inside static commands on (forwarding the ports for OpenVPN) and permit access for those ports to my server (i.e. permit tcp any host 192.168.0.5 eq 1194), will it permit it or not? I ask this because my VPN client will obviously be targeting the external address, so without an access-list entry permitting that to the interface, does the NAT rule combined with the ACL permit allow it through (and I really don't want to put any as the destination)? Or is that what you are telling me, halijenn?

For SSH access to the router, you can configure a standard access-list and assign it to "line vty" to only allow a specific IP address to SSH into the router.

For port forwarding, the NAT statement will port-forward traffic coming to the interface on a specific port, hence even if you configure the access-list to permit to destination any with the port number, it will only allow inbound traffic towards the one server that you configure the NAT translation on. Even if you configure a "permit ip any any" ACL, if you do not have a NAT translation for it, traffic won't be able to traverse in.

I've got everything else working (including SSH from my internal network), so I'm only posting configs directly related to the issues I'm wanting to resolve (i.e. trying to keep it short, sweet and to the point)...

So my NAT rules will need to be as follows; are they correct (I also want 443 to that as well)?

ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194


And then my access-list entries will need to be as follows, correct?

ip access-list extended inboundfilters
 permit tcp any any eq 443
 permit udp any any eq 1194

access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit tcp "work's public IP" any eq ssh

Finally, I would apply 103 to line vty; I'm assuming it would be an access-group like so (do I need to apply the same access-group in on the external interface?):

interface FastEthernet0/1
 description Web-Facing
 ip access-group inboundfilters in
 ip access-group 103 in
 ip nat outside

line vty 0 4
 ip access-group 103 in

If I apply 103 to my line vty then I'll have to add my private network as well, so I'll just add permit tcp "work's public IP" any eq ssh to my inboundfilters access-list, not put the access-group 103 on the external interface, and add the line permit tcp 192.168.0.0 0.0.0.255 any eq ssh to ACL 103 (I'll have to make it extended, of course).

The NAT statements are correct, and the inboundfilters ACL is also correct.

However, you cannot apply 2 ACLs in the same direction on 1 interface:

interface FastEthernet0/1
 description Web-Facing
 ip access-group inboundfilters in
 ip access-group 103 in   <------ needs to be removed
 ip nat outside

For line vty 0 4, you can just configure a standard ACL and apply it with access-class:

access-list 5 permit host

line vty 0 4
 access-class 5 in
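For reference, here is the configuration the thread converges on, written out as one consolidated IOS example. This is an added example, not a configuration posted by either participant. It assumes FastEthernet0/1 is the outside (DHCP) interface, FastEthernet0/0 is the LAN 192.168.0.0/24, 192.168.0.5 is the HTTPS/OpenVPN host, and 203.0.113.10 (a documentation address) stands in for "work's public IP". Two practitioner points it makes explicit: an inbound ACL on the outside interface is evaluated before NAT rewrites the destination, so the destination field for port-forwarded traffic has to be "any" when the interface address comes from DHCP (the static NAT entries are what confine it to one host); and return traffic for LAN-initiated sessions is not covered anywhere in the thread, so the CBAC inspect lines below are an assumption that requires a firewall-capable IOS image.

```cisco
! Added example, not the thread's own configuration. Assumed names/addresses:
! Fa0/1 = outside (DHCP), Fa0/0 = LAN 192.168.0.0/24, 192.168.0.5 = server,
! 203.0.113.10 = "work's public IP" placeholder (replace with your own).
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Web-Facing
 ip address dhcp
 ! only one ACL per direction per interface
 ip access-group inboundfilters in
 ! ASSUMPTION: CBAC opens return paths for sessions leaving this interface
 ip inspect OUTBOUND out
 ip nat outside
!
! NAT. Every statement references the interface name rather than a literal
! address, so the translations follow whatever lease the ISP hands out.
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
!
! Inbound filter on the outside interface. The ACL is checked before NAT
! un-translates the destination, so the destination is still the outside
! interface address here; with a DHCP lease that can only be written as "any".
! The static NAT entries above are what restrict the traffic to 192.168.0.5.
ip access-list extended inboundfilters
 remark anti-spoofing: our own LAN range must never arrive from the ISP side
 deny   ip 192.168.0.0 0.0.0.255 any
 remark port forwards to 192.168.0.5 (HTTPS and OpenVPN)
 permit tcp any any eq 443
 permit udp any any eq 1194
 remark SSH to the router itself, only from work
 permit tcp host 203.0.113.10 any eq 22
 remark everything else is dropped (and logged) unless CBAC opened a hole
 deny   ip any any log
!
! ASSUMPTION: stateful return-traffic handling. Not discussed in the thread;
! needs an IOS image with the firewall feature set. Without it, LAN-initiated
! sessions would be blocked by the deny above.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! VTY: a standard ACL applied with access-class (not access-group) limits who
! may open the SSH session at all. The interface ACL above is still the first
! gate for connections arriving from outside; the LAN reaches vty directly.
access-list 5 remark SSH sources: work plus the LAN
access-list 5 permit host 203.0.113.10
access-list 5 permit 192.168.0.0 0.0.0.255
!
line vty 0 4
 access-class 5 in
 transport input ssh
```

The one thing this still cannot express is the original question: a line that denies packets whose source equals the router's own DHCP-assigned address. IOS ACLs take literal addresses only, so that check has to be left to the upstream ISP's ingress filtering or to a stateful firewall feature rather than to a static ACL entry.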
