Manta (Premium Member, joined 2003-11-04, UK)
2003-Nov-5 11:35 am
access-list for interface with dynamic IP?
Is it possible to write an access-list something like this?
permit tcp any interface dialer0 eq 3389
I'm trying to do this on an 837 router and there seems to be no provision for referencing an interface. It's not a problem if you've got a fixed IP but in this case I haven't and I don't particularly want to specify it like this which seems to be the only other alternative:
permit tcp any any eq 3389
Many thanks,
Gareth
As far as I am aware you APPLY an ACL to the interface, not the other way around.
Hence using your example, one would specify the ACL to dialer IN (towards the LAN) or dialer OUT (towards the world, i.e. internet).
Post back if you have any more queries.
Edit:
A step-by-step config to create the ACL in question and to apply it to an interface whose IP address is not known:
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#ip access-list extended MantaExample
Praetorian(config-ext-nacl)#permit tcp any any eq 3389
Praetorian(config-ext-nacl)#end
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#interface atm0
Praetorian(config-if)#ip access-group MantaExample in
Praetorian(config-if)#end
That applies the ACL to the interface without requiring knowledge of the ip address. You can substitute the interface for dialer1 and the name of the ACL for anything else that takes your fancy.
To remove it:
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#interface atm0
Praetorian(config-if)#no ip access-group MantaExample in
Praetorian(config-if)#end
Praetorian#config t
Enter configuration commands, one per line. End with CNTL/Z.
Praetorian(config)#no ip access-list extended MantaExample
Praetorian(config)#end
Hope that clarifies it. [text was edited by author 2003-11-05 18:19:47]
Manta (Premium Member, joined 2003-11-04, UK)
2003-Nov-6 4:15 pm
Cheers. I've got the access-lists running but the thing is, I'm concerned that stating tcp any any 3389 is more open than I need to be and I've heard it's not a good idea to be using the second any in this situation - although I could be taking it out of context. What I would do if I had a fixed IP on the interface would be this:
permit tcp any host 1.1.1.5 eq 3389
but as I've got a dynamically assigned IP I went to try to do:
permit tcp any interface dialer0 eq 3389
and found that it couldn't be done. I know I can specify the interface like this in nat commands so I'd assumed there must be some other way of doing it for access-lists. Is it something that Cisco need to add in a future IOS or have I missed some fundamental point that makes it unnecessary?
Gareth
For simplicity's sake, the second any would reference the interface you have applied the ACL to. You do not need to reference the IP, even if you do have a static IP address.
The term any in the destination will not compromise you. What you could do is setup a static NAT so all packets that come through that interface get directed to only one computer if that is what you want.
I do think that you are taking it out of context and misinterpreting it a tad.
The following permit statement that you used:
permit tcp any interface dialer0 eq 3389
does not make sense as you would not need to specify the dialer0 interface as you apply the acl to dialer0. The any in the destination would reference your dynamically assigned interface. If what you said was possible, we would not need to apply the ACLs to the interface.
rolande (Certifiable MVM, joined 2002-05-24, Dallas, TX)
to Manta
Since you are using NAT through your router with a dynamically assigned IP, if you use the ACL as covenant suggested applied to the dialer interface, the NAT translations will take care of the rest. If someone sends a random destination IP packet inbound to that destination port of 3389 and there is no NAT translation in the table, it will get dropped. Just make sure you also have all your anti-spoofing filters in place as well. If you are not sure about that... just read my FAQ on securing a Cisco router from the Internet. I have commented examples in there.
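The setup covenant and rolande describe, written out as one Cisco IOS configuration. This is an added example, not config from anyone in the thread or from rolande's FAQ. The LAN subnet 192.168.1.0/24, the RDP host 192.168.1.10, the Ethernet0 inside interface and the ACL names are assumed; Dialer0 with a negotiated address follows Manta's own post. Note where the dynamic interface address is and is not referenced: the static NAT entry names `interface Dialer0`, while the inbound ACL uses `any` as the destination because the inbound ACL on the outside interface is evaluated before NAT and so sees the public address the router does not know in advance.

```cisco
! Added example (not from the thread). Assumed values: LAN 192.168.1.0/24,
! RDP host 192.168.1.10, Ethernet0 as the inside interface, ACL names.
!
! 1. Inside LAN and the dialer interface that receives the dynamic address.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip access-group FROM-INTERNET in
!
! 2. NAT. This is the one place the dynamic address is referenced, by naming
!    the interface. Only TCP/3389 is forwarded to the RDP host; the LAN gets
!    PAT (overload) for outbound sessions.
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer0 3389
ip nat inside source list LAN-OUT interface Dialer0 overload
!
ip access-list standard LAN-OUT
 permit 192.168.1.0 0.0.0.255
!
! 3. Inbound ACL on Dialer0. Packets arriving from the Internet hit this ACL
!    before NAT, so the destination is the public address. "any" stands in
!    for it. A 3389 packet to some other address that matches no NAT entry
!    has no translation and is dropped by the router regardless.
ip access-list extended FROM-INTERNET
 ! anti-spoofing: nothing from the outside may claim an inside, loopback,
 ! RFC 1918, link-local, "this network" or multicast source
 deny   ip 192.168.1.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 ! return traffic for TCP sessions the LAN opened (stateless check on the
 ! ACK/RST bits; a stateful inspection feature would do this properly)
 permit tcp any any established
 ! the RDP service; the destination "any" is the unknown dialer address
 permit tcp any any eq 3389
 ! ICMP needed for path MTU discovery and for our own pings to work
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 ! DNS replies, if the router itself resolves names
 permit udp any eq domain any
 ! everything else, logged so scans show up in the syslog
 deny   ip any any log
```

The line worth tightening, if the situation allows, is the source `any` on the 3389 permit rather than the destination: if the RDP client always comes from a known address or block, put that address in place of the first `any` and the dynamic destination stays `any`. Check the result with `show ip access-lists FROM-INTERNET` (hit counters per entry) and `show ip nat translations` after a connection attempt; a 3389 hit on the ACL with no matching translation is the drop rolande describes.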
Thanks for explaining it so concisely rolande and for making it newbie friendly. I could not have; I've been trying to follow KISS, that's why I didn't.
rolande (Certifiable MVM, joined 2002-05-24, Dallas, TX)
No problem. Let me know if you have questions. I used to use an ISDN dialup with a dynamic IP on my router and had it locked down with ACLs like this. It isn't the cleanest solution in the world, but it is effective.