Manta
Premium Member
join:2003-11-04
UK

access-list for interface with dynamic IP?

Is it possible to write an access-list something like this?

permit tcp any interface dialer0 eq 3389

I'm trying to do this on an 837 router and there seems to be no provision for referencing an interface. It's not a problem if you've got a fixed IP but in this case I haven't and I don't particularly want to specify it like this which seems to be the only other alternative:

permit tcp any any eq 3389

Many thanks,

Gareth

Covenant
MVM
join:2003-07-01
England

As far as I am aware you APPLY an ACL to the interface, not the other way around.

Hence using your example, one would specify the ACL to dialer IN (towards the LAN) or dialer OUT (towards the world, i.e. internet).

Post back if you have any more queries.

Edit:

A step-by-step config to create the ACL in question and to apply it to an interface whose IP address is not known:

Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.

Praetorian(config)#ip access-list extended MantaExample
Praetorian(config-ext-nacl)#permit tcp any any eq 3389
Praetorian(config-ext-nacl)#end
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#interface atm0
Praetorian(config-if)#ip access-group MantaExample IN
Praetorian(config-if)#end

That applies the ACL to the interface without requiring knowledge of the ip address. You can substitute the interface for dialer1 and the name of the ACL for anything else that takes your fancy.

To remove it:

Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#interface atm0
Praetorian(config-if)#no ip access-group MantaExample in
Praetorian(config-if)#end
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#no ip access-list extended MantaExample
Praetorian(config)#end

Hope that clarifies it.
[text was edited by author 2003-11-05 18:19:47]

Manta
Premium Member
join:2003-11-04
UK

Cheers. I've got the access-lists running but the thing is, I'm concerned that stating tcp any any 3389 is more open than I need to be and I've heard it's not a good idea to be using the second any in this situation - although I could be taking it out of context. What I would do if I had a fixed IP on the interface would be this:

permit tcp any 1.1.1.5 eq 3389

but as I've got a dynamically assigned IP I went to try to do:

permit tcp any interface dialer0 eq 3389

and found that it couldn't be done. I know I can specify the interface like this in nat commands so I'd assumed there must be some other way of doing it for access-lists. Is it something that Cisco need to add in a future IOS or have I missed some fundamental point that makes it unnecessary?

Gareth

Covenant
MVM
join:2003-07-01
England

For simplicity's sake, the second any would reference the interface you have applied the ACL to. You do not need to reference the IP, even if you do have a static IP address.

The term any in the destination will not compromise you. What you could do is set up a static NAT so all packets that come through that interface get directed to only one computer, if that is what you want.

I do think that you are taking it out of context and misinterpreting it a tad.

The following permit statement that you used:

permit tcp any interface dialer0 eq 3389

does not make sense, as you would not need to specify the dialer0 interface when you apply the ACL to dialer0. The any in the destination would reference your dynamically assigned interface. If what you said was possible, we would not need to apply the ACLs to the interface.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX

rolande to Manta

Since you are using NAT through your router with a dynamically assigned IP, if you use the ACL as covenant suggested, applied to the dialer interface, the NAT translations will take care of the rest. If someone sends a random destination IP packet inbound to that destination port of 3389 and there is no NAT translation in the table, it will get dropped. Just make sure you also have all your anti-spoofing filters in place as well. If you are not sure about that... just read my FAQ on securing a Cisco router from the Internet. I have commented examples in there.
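A constructed configuration, added here and not posted by anyone in the thread, that puts rolande's advice together for an 837 with a dynamic IP on Dialer0: anti-spoofing denies first, then the `permit tcp any any eq 3389` entry, and a static NAT that steers port 3389 to one inside host so anything without a translation is dropped. The inside host 192.168.1.10, the inside interface Ethernet0 and the ACL name INET-IN are assumptions.

```cisco
! Constructed example for an 837 whose Dialer0 gets a dynamic address.
! Inside LAN 192.168.1.0/24 on Ethernet0, RDP host 192.168.1.10 (assumed).
ip access-list extended INET-IN
 remark Anti-spoofing: a packet from the Internet must not claim an inside
 remark or private source address
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark RDP to whatever address Dialer0 currently holds; "any" as the
 remark destination is safe because the ACL is bound to Dialer0 and only
 remark packets with a NAT translation reach an inside host
 permit tcp any any eq 3389
 remark Replies to sessions opened from the LAN
 permit tcp any any established
 remark Explicit end-of-list deny, logged so hits show up in syslog
 deny   ip any any log
!
! One static translation: inbound 3389 on the dialer address goes only to
! the RDP host; everything else to 3389 has no translation and is dropped.
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer0 3389
!
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group INET-IN in
```

Inbound on the outside interface the ACL is evaluated before the translation, so it sees the public address as the destination and `any` is what matches it; the static entry, not the ACL, is what confines port 3389 to a single machine.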

Covenant
MVM
join:2003-07-01
England

Thanks for explaining it so concisely, rolande, and for making it newbie friendly. I could not have; been trying to follow KISS, that's why I didn't.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX

No problem. Let me know if you have questions. I used to use an ISDN dialup with a dynamic IP on my router and had it locked down with ACLs like this. It isn't the cleanest solution in the world, but it is effective.