Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL and Dynamic IP addressing

My cisco router receives its dynamic ip address and nameservers from the cablemodem. I have a few questions regarding this...

This line is included in the ACL for my CableModem interface, without it I don't get an ip address:

access-list 101 permit udp any eq bootps any eq bootpc

Does this look correct, or can it be more defined ? (I notice this lets in other packets not ment for me)

I'm now setting up DDNS w/no-ip.com, which requires that I turn on IP DOMAIN LOOKUP. Which also requires DNS (domain) entries for the ACL, here is what I added:

access-list 101 permit udp any eq domain any

access-list 101 permit tcp any eq domain any

My first question with this is why do I need these entries in the ACL when I have 'ip inspect' for both tcp and udp in the same interface ? I assume the router does not use ip inspect when it decides to send out some packets ?

Second question;

Can I somehow limit the 2 entries above to only the current nameservers ?

Thanks !

Matthew

3 REPLIES
Bronze

Re: ACL and Dynamic IP addressing

Hello Matthew,

regarding the access list entries for DDNS: CBAC does not inspect packets with the router as the source or destination address, so it won´t work for DDNS, which configures the router.

I guess you could specify the IP addresses of your DNS servers in access-list 101, that is, instead of ´any´, define the IP addresses of the DNS servers:

access-list 101 permit udp any eq domain x.x.x.x

access-list 101 permit tcp any eq domain y.y.y.y

where x.x.x.x and y.y.y.y are the IP addresses of your DNS servers.

Bootps (UDP port 67) and bootpc (UDP port 68) are just single ports, so you cannot really specify anything else.

Regards,

Nethelper

Purple

Re: ACL and Dynamic IP addressing

Hi Matthew,

Since the first ACL line allows BOOTP/DHCP requests out, you can't really hard-core the source/destination addresses. Depending on which DHCP state your router is in, the addresses may either be 0.0.0.0, 255.255.255.255 or the acual IPs. Therefore, if you tighten it any more, you risk breaking it.

As for the second lot, you can indeed hard-core the DNS server IPs, as the previous poster noted. One other thing you can do without too much impact is to just allow DNS through UDP. TCP/53 is only used for DNS zone transfers and large (>512 byte) messages so in most cases, it can be pretty safely denied.

Hope that helps - pls rate the post if it does.

Paresh

New Member

Re: ACL and Dynamic IP addressing

Is there anything similar to CBAC that works with the router as the source and/or destination ?

I need to setup ddns and it requires the router to use dns and www services.

Thanks !

Matthew

231
Views
0
Helpful
3
Replies
CreatePlease login to create content