NAT and DHCP
up2thetime
Member Posts: 154
Hey guys,
Just a question on NAT.
If my WAN interface receives an IP Address from my ISP via DHCP, how can I write a NAT statement that will account for when my WAN IP Address changes?
For example:
If my WAN IP is 100.1.1.2, I'd write permit tcp any host 100.1.1.2 established. This would allow all established connections back into my network. I'm using the NAT for home internet access only.
I don't want to have to rewrite my NAT statement each time my ISP changes my WAN IP address.
Any help would be appreciated. Thanks!
Edit: My apologies, I meant to place this under CCNP, not CCNP-SP.
Comments
-
Zartanasaurus Member Posts: 2,008
NAT it to the interface and not an IP.
Currently reading: IPSec VPN Design 44%, Mastering VMWare vSphere 5 42.8%
up2thetime Member Posts: 154
Right.
Sorry, in my above post I wrote:
I don't want to have to rewrite my NAT statement each time my ISP changes my WAN IP address.
I meant, I don't want to have to rewrite the ACL.
How can I have my ACL update to include the WAN IP Address when it changes?
Current ACL example:
permit tcp any host 100.1.1.2 established
Then the WAN IP changes from 100.1.1.2 to 200.200.200.1. This would cause me to have to rewrite the ACL. I don't want to do that each time the WAN IP Address changes...
Thanks
up2thetime Member Posts: 154
I'd rather not.
I'd only like to permit connections back in that were initiated by the Inside interface.
I'd like to: permit tcp any [WAN IP Address] established
Only problem is, the [WAN IP Address] changes every so often...
Dieg0M Member Posts: 861
This is what NAT overload is for. If you want an inbound connection then also configure an ip nat source static tcp statement.
Follow my CCDE journey at www.routingnull0.com
-
Legacy User Unregistered / Not Logged In Posts: 0
I'd say the best way is what zartan mentioned. Set up a standard ACL to the interface, not the IP address; this method is best when you don't have a static IP. The way you're trying to set it up seems silly to me. Why do you want to keep changing your ACLs? Just set it and forget it.
-
Legacy User Unregistered / Not Logged In Posts: 0
access-list 101 permit ip any any    <-- note you can replace the first "any" with the specific private addresses if you want
ip nat inside source list 101 interface fa0/0 overload    <-- replace fa0/0 with whatever your outside interface is
Monkerz Member Posts: 842
up2thetime wrote: »I'd rather not.
I'd only like to permit connections back in that were initiated by the Inside interface.
I see you are worried about connections initiating from the outside in; with the configuration below, that will not happen.
As stated above this post, use the following config:
access-list 101 permit ip any any
ip nat inside source list 101 interface <wan-interface> overload
This is telling the router to NAT using the following logic: "I want you to NAT traffic originating from the 'ip nat inside' interface(s) that matches ACL 101. For the outside translation, use whatever address is assigned to <wan-interface>; and while you are at it, enable PAT to reuse the same address, incrementing ports for each new connection requested."
With this statement, you are not NAT'ing from the outside in, only from the inside out.
And if you are wanting to add an established ACL to the WAN interface to block all traffic that hasn't initiated from the inside, you can do that.
Are we cooking with peanut oil? -Phil
up2thetime Member Posts: 154
And if you are wanting to add an established ACL to the WAN interface to block all traffic that hasn't initiated from the inside, you can do that.
Thanks guys.
How would I write the ACL? I would like to apply an inbound ACL to the WAN interface to block inbound connections that don't correspond to a flow initiated from inside.
I suppose I could write: permit ip any any established, however I'd rather specify the WAN IP Address in the ACL statement instead of using any any. If my WAN IP is 200.1.1.1, I could use: permit ip any 200.1.1.1 established... but what happens when the ISP changes my WAN IP Address to 200.1.1.5? I don't want to have to rewrite my ACL. Is the only way to solve this scenario going to be using permit ip any any established? Is there some way to have the ACL statement dynamically update the destination portion of the ACL statement according to whatever the WAN IP Address changes to? Something such as permit ip any X established, where X will dynamically update to whatever my WAN IP Address changes to.
The reason I ask is because I am going to start using an IOS router as my home router and I'd like to apply some basic security.
Thanks.
Legacy User Unregistered / Not Logged In Posts: 0
I think the problem is you're thinking too much into it and just confusing yourself. You already know that your WAN IP gets changed frequently. The only time you would hard-code that IP address is if your provider gives you a static IP address.
On the WAN interface you should configure it to accept the DHCP address:
int fa0/0 --> if this is your WAN interface, for example
ip address dhcp
ip nat outside
no shut
int fa0/1 --> if this leads to your inside network
ip address 192.168.1.1 255.255.255.0 --> your internal IP address
ip nat inside
access-list 101 permit ip any any
ip nat inside source list 101 interface fa0/0 overload
ip route 0.0.0.0 0.0.0.0 fa0/0 --> or replace fa0/0 with your default gateway IP address if you know it
Also, depending on how your setup is, you may need to configure a DHCP scope for the users to pull addresses, and if DNS is not working you may have to define that as well.
Legacy User Unregistered / Not Logged In Posts: 0
If you want to set your router up as a basic firewall, that's a whole different story.
You have to create inspection rules on what protocols you want inspected
for example:
ip inspect name firewall http timeout 3600
ip inspect name firewall smtp timeout 3600
ip inspect name firewall tcp timeout 3600
on the inside interface assign where you want the inspection to take place
int fa0/1
ip inspect firewall in
Then, if you want, you can define what kind of traffic you want to access your outside interface. Usually for connectivity testing you would enable ICMP in.
for example:
access-list 112 permit icmp any any
or you can specify what ping traffic you want in such as
-echo-reply
-traceroute
etc
After you've applied access list 112, end it with a deny statement to block everything else:
access-list 112 permit icmp any any
access-list 112 deny ip any any log
on your outside interface assign that access list
int fa0/0
ip access-group 112 in
If you don't want any connection coming in from the inside that the internal user did not initiate, you can just deny all outbound -> internal:
access-list 112 deny ip any any
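The following is an added example that pulls together the answers from Monkerz and the two Legacy User posts above into one IOS configuration; it is not code posted by anyone in the thread. It assumes FastEthernet0/0 faces the ISP and takes its address by DHCP, FastEthernet0/1 is the LAN on 192.168.1.0/24, and the router supports classic CBAC (`ip inspect`); interface names, the ACL names `NAT-INSIDE` and `WAN-IN`, and the inspect rule name `HOME-FW` are all placeholders. The point it demonstrates is that the public address never appears as a literal: NAT binds to the interface, and the inbound filter on that interface works on direction and state rather than on the WAN IP. Two caveats a practitioner should know: the `established` keyword the original poster wanted is TCP-only (there is no `permit ip ... established`) and is stateless, matching any segment with ACK or RST set, so CBAC inspection is what actually tracks sessions; and with overload NAT, any unsolicited inbound packet that matches no translation is delivered to the router itself, so the inbound ACL is also what protects the router's own management services.

```cisco
! Added example, not from the original thread. Placeholders: interface names,
! 192.168.1.0/24, NAT-INSIDE, WAN-IN, HOME-FW.
!
! --- LAN side: inspection is applied here, in the inbound direction, so state
!     is built for every session that leaves the LAN ---
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect HOME-FW in
!
! --- ISP side: no public address is written anywhere in this config ---
interface FastEthernet0/0
 description ISP
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
!
! PAT the LAN to whatever address Fa0/0 currently holds. The DHCP lease's
! router option normally installs the default route; the static route in the
! post above is only a fallback if it does not.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Stateful inspection: CBAC opens temporary entries in WAN-IN for the return
! half of sessions it has seen leave the LAN, then closes them on timeout.
ip inspect name HOME-FW tcp
ip inspect name HOME-FW udp
ip inspect name HOME-FW icmp
!
! Inbound WAN filter. Nothing here names the WAN IP. Everything not opened by
! inspection is addressed to the router itself, so this ACL also shields the
! router's ssh/telnet/http listeners from the internet.
ip access-list extended WAN-IN
 remark DHCP offer/ack/renew from the ISP must reach the router (assumption:
 remark   the inbound ACL would otherwise drop the lease traffic)
 permit udp any eq bootps any eq bootpc
 remark ICMP errors needed for path MTU discovery and traceroute replies
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny   ip any any log
```

To confirm it behaves as intended, browse out from a LAN host and check `show ip nat translations` for the dynamic PAT entries and `show ip inspect sessions` for the matching CBAC sessions; the `log` on the final deny will then show unsolicited inbound hits (port scans, the ISP's own probes) being dropped without any reference to the current WAN address.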