
New Member

Can you use a Leased (DHCP) Address in an ACL

I have a router that is connected to a cable ISP. My external interface receives its address from my ISP via DHCP:

interface FastEthernet0/0
 ip address dhcp

My question: is there a way to make an ACL that uses that address, meaning that the ACL changes when that address does?

8 REPLIES
Cisco Employee

Re: Can you use a Leased (DHCP) Address in an ACL

No, you can't configure an access-list to reference the DHCP-assigned IP address dynamically.

However, if you configure a NAT statement to translate the interface IP to an internal server, that would only allow access to the currently assigned IP address anyway.

Hope that answers your question.

New Member

Re: Can you use a Leased (DHCP) Address in an ACL

How would you do that?

Cisco Employee

Re: Can you use a Leased (DHCP) Address in an ACL

Can you advise what you are trying to achieve with the access-list on the outside interface? I.e., what traffic would you like to allow and deny?

New Member

Re: Can you use a Leased (DHCP) Address in an ACL

Sorry it's taken so long to get back to you, but I want to deny traffic with the same address as a source (spoofed traffic), and I want to allow SSH to it (this is only temporary, until I can get my OpenVPN server working correctly). Which brings me to another question: if I put the ip nat inside static commands on (forwarding the ports for OpenVPN) and permit access for those ports to my server (i.e. permit tcp any host 192.168.0.5 eq 1194), will it permit it or not? I ask this because my VPN client will obviously be targeting the external address, so without an access-list to permit that to the interface, does the NAT rule combined with the ACL permit allow it through (and I really don't want to put any as the destination)? Or is that what you are telling me, halijenn?

Cisco Employee

Re: Can you use a Leased (DHCP) Address in an ACL

For SSH access to the router, you can configure a standard access-list and assign it to "line vty" to only allow a specific IP address to SSH into the router.

For port forwarding, the NAT statement will port-forward traffic coming to the interface on a specific port; hence even if you configure an access-list to permit destination any with that port number, it will only allow inbound traffic towards the one server you configured the NAT translation for. Even if you configure a "permit ip any any" ACL, if you do not have a NAT translation for it, traffic won't be able to traverse in.

New Member

Re: Can you use a Leased (DHCP) Address in an ACL

I've got everything else working (including SSH from my internal network), so I'm only posting configs directly related to the issues I'm wanting to resolve (i.e. trying to keep it short, sweet and to the point)...

So my NAT rules will need to be as follows; are they correct (I also want 443 to go to that server as well)?

ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194


And then my access list entries will need to be as follows, correct?

ip access-list extended inboundfilters
 permit tcp any any eq 443
 permit udp any any eq 1194

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 103 permit tcp host "work's public IP" any eq ssh

Finally, I would apply 103 to line vty; I'm assuming it would be an access-group like so (do I need to apply the same access-group in on the external interface?):

interface FastEthernet0/1
 description Web-Facing
 ip access-group inboundfilters in
 ip access-group 103 in
 ip nat outside

line vty 0 4
 ip access-group 103 in

New Member

Re: Can you use a Leased (DHCP) Address in an ACL

If I apply 103 to my line vty then I'll have to add my private network as well, so I'll just add permit tcp "work's public IP" any eq ssh to my inboundfilters access-list, not put access-group 103 on the external interface, and add the line permit tcp 192.168.0.0 0.0.0.255 any eq ssh to ACL 103 (I'll have to make it extended, of course).

Cisco Employee

Re: Can you use a Leased (DHCP) Address in an ACL

The NAT statement is correct, and the inboundfilters ACL is also correct.

However, you cannot apply 2 ACLs on 1 interface:

interface FastEthernet0/1
 description Web-Facing
 ip access-group inboundfilters in
 ip access-group 103 in   <------ needs to be removed
 ip nat outside

For line vty 0 4, you can just configure a standard ACL:

access-list 5 permit host <allowed-source-ip>

line vty 0 4
 access-class 5 in
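Pulling the thread's answers together, as an added example and not a configuration from any of the posts: a consolidated IOS configuration for the DHCP-addressed outside interface, the port forwards and the vty restriction. WORK_PUBLIC_IP stands for the poster's office address; the LAN gateway address, the DHCP permit and the established line are assumptions flagged in comments, not anything the thread states.

```cisco
! Outside interface: address comes from the ISP by DHCP, so the ACL never names it.
interface FastEthernet0/1
 description Web-Facing
 ip address dhcp
 ip nat outside
 ip access-group inboundfilters in
!
! LAN side (assumed gateway address, not given in the thread).
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Inside hosts share the interface address (PAT).
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/1 overload
!
! Port forwards to the HTTPS/OpenVPN server. Inbound traffic to any other
! port on the interface has no translation and is dropped.
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
!
ip access-list extended inboundfilters
 ! Anti-spoofing: the DHCP address cannot be named, but nothing arriving
 ! from the Internet may claim a source inside the private LAN range.
 deny   ip 192.168.0.0 0.0.0.255 any
 ! Keep the lease renewable (assumption: the ACL also sees DHCP replies).
 permit udp any eq bootps any eq bootpc
 ! Return traffic for TCP sessions opened from inside (assumption). UDP
 ! replies such as DNS are not covered and need stateful inspection.
 permit tcp any any established
 ! Published services; "any" destination is safe because only these two
 ! ports are translated to 192.168.0.5.
 permit tcp any any eq 443
 permit udp any any eq 1194
 ! SSH to the router itself, from the office address only.
 permit tcp host WORK_PUBLIC_IP any eq 22
 deny   ip any any log
!
! Management plane: standard ACL bound with access-class, not access-group.
access-list 5 permit host WORK_PUBLIC_IP
access-list 5 permit 192.168.0.0 0.0.0.255
line vty 0 4
 access-class 5 in
 transport input ssh
```

The interface ACL is evaluated before the inbound NAT translation, so the published ports are matched against destination "any" while the NAT entries decide which inside host actually receives them.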
