There isn't a quick and easy answer, but a more complex solution could be to use EEM w/ a TCL policy to monitor when/if the IP address changes and, if it does, reconfigure the ACL.
i.e.: policy A, every 10 seconds, do 'sh int serial 0/2/0'. Did the IP address change? No -> exit. Yes -> run policy B to reconfigure the ACL. Ask it over on cisco-nsp if you want to try it out.

Rodney

On Wed, May 31, 2006 at 04:02:49PM -0400, Jon R. Kibler wrote:
> Greetings All,
>
> Sorry for the slightly off-topic question, but I suspect that this is an issue that others have faced or may soon face as ISPs continue to push out more PPP-oriented networks.
>
> One of our customers' ISP is converting from static IP assignments to PPP IP assignments for all customers' Internet-facing routers. This is creating a security problem that I do not know how to fix and for which the ISP is no help. Problem: how to ACL on a dynamic IP?
>
> Assume that we have the following (partial) configuration on a Cisco 2801 and are assigned the static netblock 1.2.3.0/29. This was what worked before the ISP made the change.
>
> ! Old config example
> interface serial0/2/0
>  ip address 1.2.3.1 255.255.255.248
>  ip nat outside
>  ip access-group 110 in
>  ...
>
> interface fastethernet0/0
>  ip address 172.17.100.254 255.255.255.0
>  ip nat inside
>  ...
>
> ip nat pool localstatic 1.2.3.2 1.2.3.2 prefix 29
> ip nat inside source list 1 pool localstatic overload
> ip nat inside source static tcp 172.17.100.22 22 1.2.3.5 12322
> ip nat inside source static ...
>
> access-list 1 permit 172.17.100.0 0.0.0.255
> access-list 1 deny any log
>
> access-list 110 permit tcp any 1.2.3.0 0.0.0.7 established
> access-list 110 permit tcp host a.b.c.d host 1.2.3.5 eq 12322
> access-list 110 deny tcp any any log
> access-list 110 permit udp host d.n.s.1 eq 53 host 1.2.3.2
> access-list 110 permit udp host d.n.s.1 host 1.2.3.2 eq 53
> access-list 110 permit udp host n.t.p.1 eq 123 1.2.3.2
> access-list 110 deny udp any any log
> access-list 110 permit icmp any host 1.2.3.2 echo-reply
> access-list 110 permit icmp any host 1.2.3.2 unreachable
> access-list 110 permit icmp any host 1.2.3.2 time-exceeded
> access-list 110 deny icmp any any log
> access-list 110 deny ip any any log
>
> In the new configuration, the serial0/2/0 interface now has a dynamic IP. How can I put ACLs on that IP that will permit NTP, DNS, and ICMP originating from within the router to work? Everything behind the router works, but anything generated by the router itself breaks (because the external IP is not permitted in an ACL).
>
> In the new configuration, this is the only change I made (other than PPP stuff):
>
> ! New config example
> interface serial0/2/0
>  ip address negotiated
>  ip nat outside
>  ip access-group 110 in
>  ...
>
> Everything from behind the router continues to work fine. However, the router is unable to do NS lookups, set time, etc. Basically, all traffic to the dynamic IP is blocked. Is there a SIMPLE way to fix this problem AND keep the router secured?
>
> I have searched the Cisco site, and Google, and cannot seem to find an answer that I can fully comprehend. I thought that maybe 'ip nat outside' was my fix, but I could not get it to do what I expected.
>
> Thanks in advance for your help!
>
> Jon Kibler
> --
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC USA
> (843) 849-8214
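The poll-and-reconfigure loop Rodney sketches, worked through off-box as an added example (not code from the thread or from Cisco): policy A parses the negotiated address out of `show interfaces` output, and policy B regenerates only the ACL 110 entries that name the router's own address. The `show` excerpts are constructed, the sequence numbers assume the IOS defaults for a numbered ACL edited in `ip access-list extended` mode, and actually pushing the lines to the router (on-box via EEM/TCL, or from a management host) is left out.

```python
import re
from typing import Optional

# Constructed `show interfaces serial0/2/0` excerpts before and after a PPP
# renegotiation; 203.0.113.77 is a documentation-range placeholder.
SHOW_BEFORE = "Serial0/2/0 is up, line protocol is up\n  Internet address is 1.2.3.1/32\n"
SHOW_AFTER = SHOW_BEFORE.replace("1.2.3.1/32", "203.0.113.77/32")

# ACL 110 from the question with the default 10,20,... sequence numbers IOS
# assigns; `{wan}` marks where the router's own (now negotiated) address goes.
ACL_110 = [
    (10, "permit tcp any 1.2.3.0 0.0.0.7 established"),
    (20, "permit tcp host a.b.c.d host 1.2.3.5 eq 12322"),
    (30, "deny tcp any any log"),
    (40, "permit udp host d.n.s.1 eq 53 host {wan}"),
    (50, "permit udp host d.n.s.1 host {wan} eq 53"),
    (60, "permit udp host n.t.p.1 eq 123 host {wan}"),
    (70, "deny udp any any log"),
    (80, "permit icmp any host {wan} echo-reply"),
    (90, "permit icmp any host {wan} unreachable"),
    (100, "permit icmp any host {wan} time-exceeded"),
    (110, "deny icmp any any log"),
    (120, "deny ip any any log"),
]
_ADDR_RE = re.compile(r"Internet address is (\d{1,3}(?:\.\d{1,3}){3})/\d+")

def current_address(show_output: str) -> Optional[str]:
    """Policy A: the interface's IPv4 address, or None while IPCP has not assigned one."""
    m = _ADDR_RE.search(show_output)
    return m.group(1) if m else None

def acl_update(wan_ip: str, acl: int = 110) -> list[str]:
    """Policy B: replace only the entries naming the router's own address, in place by
    sequence number; a 'no access-list 110' rebuild would leave the interface wide open."""
    lines = [f"ip access-list extended {acl}"]
    for seq, entry in ACL_110:
        if "{wan}" in entry:
            lines += [f" no {seq}", f" {seq} {entry.format(wan=wan_ip)}"]
    return lines

def poll(last_ip: Optional[str], show_output: str) -> tuple[Optional[str], list[str]]:
    """One timer tick: (address now, config to push). Unchanged or unassigned -> no config."""
    ip = current_address(show_output)
    if ip is None or ip == last_ip:
        return last_ip, []
    return ip, acl_update(ip)

if __name__ == "__main__":
    ip, cfg = poll("1.2.3.1", SHOW_AFTER)
    print(f"address changed to {ip}; pushing:\n" + "\n".join(cfg))
```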