
ACL and Dynamic IP addressing

tebbens
Level 1

My Cisco router receives its dynamic IP address and nameservers from the cable modem. I have a few questions regarding this...

This line is included in the ACL for my CableModem interface; without it I don't get an IP address:

access-list 101 permit udp any eq bootps any eq bootpc

Does this look correct, or can it be more defined? (I notice this lets in other packets not meant for me.)

I'm now setting up DDNS w/ no-ip.com, which requires that I turn on IP DOMAIN LOOKUP. This also requires DNS (domain) entries for the ACL; here is what I added:

access-list 101 permit udp any eq domain any

access-list 101 permit tcp any eq domain any

My first question with this is: why do I need these entries in the ACL when I have 'ip inspect' for both TCP and UDP on the same interface? I assume the router does not use ip inspect when it decides to send out some packets?

Second question:

Can I somehow limit the 2 entries above to only the current nameservers?

Thanks !

Matthew

3 Replies

nethelper
Level 3

Hello Matthew,

Regarding the access list entries for DDNS: CBAC does not inspect packets with the router as the source or destination address, so it won't work for DDNS, which configures the router.

I guess you could specify the IP addresses of your DNS servers in access-list 101, that is, instead of 'any', define the IP addresses of the DNS servers:

access-list 101 permit udp any eq domain x.x.x.x

access-list 101 permit tcp any eq domain y.y.y.y

where x.x.x.x and y.y.y.y are the IP addresses of your DNS servers.

Bootps (UDP port 67) and bootpc (UDP port 68) are just single ports, so you cannot really specify anything else.

Regards,

Nethelper

Hi Matthew,

Since the first ACL line allows BOOTP/DHCP requests out, you can't really hard-code the source/destination addresses. Depending on which DHCP state your router is in, the addresses may be either 0.0.0.0, 255.255.255.255 or the actual IPs. Therefore, if you tighten it any more, you risk breaking it.

As for the second lot, you can indeed hard-code the DNS server IPs, as the previous poster noted. One other thing you can do without too much impact is to just allow DNS through UDP. TCP/53 is only used for DNS zone transfers and large (>512 byte) messages, so in most cases it can be pretty safely denied.

Hope that helps - pls rate the post if it does.

Paresh
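Putting the two replies together, here is a worked inbound ACL for the cable-modem interface. This is an added example, not configuration posted by anyone in the thread: the interface name, the DNS server addresses (documentation-range placeholders standing in for whatever the ISP's DHCP lease hands out) and the inspection rule name FW are all assumptions. It keeps the DHCP entry as-is, since the source and destination change with the DHCP state as Paresh describes, and narrows the DNS entries to the nameservers as nethelper suggests. Note that for replies arriving on the outside interface the nameserver address belongs on the source side of the entry (with the host keyword), because the server is the sender of the reply; only UDP/53 is permitted, accepting that responses over 512 bytes will fail.

```cisco
! Added example, not from the thread. Placeholders:
!   FastEthernet0/0 = the interface facing the cable modem
!   203.0.113.10 / 203.0.113.11 = the ISP nameservers learned via DHCP
!
! CBAC inspection for traffic that transits the router (LAN -> Internet).
! It opens return holes for sessions it sees, but not for sessions the
! router itself starts (DNS lookups for DDNS, the DHCP client), so those
! replies still need explicit entries in the inbound ACL below.
ip inspect name FW tcp
ip inspect name FW udp
!
! DHCP client replies. During DISCOVER/OFFER the addresses are 0.0.0.0 and
! 255.255.255.255; during RENEW they are the real lease addresses. Pinning
! addresses here would break one of those states, so only the port pair
! (server 67 -> client 68) is fixed.
access-list 101 remark --- DHCP replies from the ISP to this router ---
access-list 101 permit udp any eq bootps any eq bootpc
!
! DNS replies for the router's own lookups (ip domain lookup / DDNS).
! Source is restricted to the nameservers instead of 'any'; the server is
! the sender of the reply, so its address goes on the source side.
! UDP only: TCP/53 is left out as suggested above.
access-list 101 remark --- DNS replies from the ISP nameservers only ---
access-list 101 permit udp host 203.0.113.10 eq domain any
access-list 101 permit udp host 203.0.113.11 eq domain any
!
! Everything else arriving unsolicited is dropped and logged, which also
! shows what the old 'any' entries were letting through.
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description CableModem
 ip address dhcp
 ip access-group 101 in
 ip inspect FW out
```

After applying it, renew the lease and run a lookup from the router, then check `show access-lists 101` to see the hit counters climb on the DHCP and DNS lines, and `show ip inspect sessions` to confirm that LAN-originated traffic is still being tracked by CBAC. If the ISP changes its nameservers, the two host entries have to be updated by hand; the `deny ... log` line will make that failure visible in the log.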

Is there anything similar to CBAC that works with the router as the source and/or destination?

I need to set up DDNS and it requires the router to use DNS and WWW services.

Thanks !

Matthew
