NAT and DHCP

Hey guys,

Just a question on NAT.

If my WAN interface receives an IP Address from my ISP via DHCP, how can I write a NAT statement that will account for when my WAN IP Address changes?

For example:

If my WAN IP is 100.1.1.2, I'd write permit tcp any host 100.1.1.2 established. This would allow all established connections back into my network. I'm using the NAT for home internet access only.

I don't want to have to rewrite my NAT statement each time my ISP changes my WAN IP address.

Any help would be appreciated. Thanks!

Edit: My apologies, I meant to place this under CCNP, not CCNP-SP.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Zartanasaurus

NAT it to the interface and not an IP.

up2thetime

Right.

Sorry, in my above post I wrote:
I don't want to have to rewrite my NAT statement each time my ISP changes my WAN IP address.

I meant, I don't want to have to rewrite the ACL.

How can I have my ACL update to include the WAN IP Address when it changes.

Current ACL example:
permit tcp any host 100.1.1.2 established

Then the WAN IP changes from 100.1.1.2 to 200.200.200.1. This would cause me to have to rewrite the ACL. I don't want to do that each time the WAN IP Address changes...

Thanks

Darian929

Can't you permit from any to any?

up2thetime

I'd rather not.

I'd only like to permit connections back in that were initiated by the Inside interface.

I'd like to: permit tcp any [WAN IP Address] established

Only problem is, the [WAN IP Address] changes every so often...

Dieg0M

This is what NAT overload is for. If you want an inbound connection then also configure an ip nat source static tcp statement.

Legacy User

Id say the best way is what zartan mention. Setup a standard acl to the interface not the ip address this method is best when you dont have a static ip. The way your trying to set it up seems silly to me why do you want to keep changing your acl's just set it and forget it.

Legacy User

Access-list 101 permit ip any any* <-- note you can replace the first "any" with the specific private addresses if you want
Ip nat inside source list 101 interface fa0/0 overload replace fa0/0 with whatever your outside interface is

Monkerz

up2thetime wrote: »

I'd rather not.
I'd only like to permit connections back in that were initiated by the Inside interface.

I see you are worried about connections initiating from the outside in; with the configuration below, that will not happen.

As stated above this post, use the following config:

ip access-list 101 permit ip any any
ip nat inside source list 101 interface <wan-interface> overload

This is telling the router to NAT using the following logic, "I want you to NAT traffic originating from the 'ip nat inside' interface(s) that match ACL 101. For the outside translation, use whatever address is assigned to <wan-interface>; and while you are at it enable PAT to reuse the same address incrementing ports for each new connection requested."

With this statement, you are not NAT'ing from the outside in, only from the inside out.

And if you are wanting to add an established ACL to the WAN interface to block all traffic that hasn't initiated from the inside, you can do that.

Are we cooking with peanut oil? -Phil

up2thetime

Monkerz wrote: »

And if you are wanting to add an established ACL to the WAN interface to block all traffic that hasn't initiated from the inside, you can do that.

Thanks guys.

How would I write the ACL? I would like to apply an inbound ACL to the WAN interface to block inbound connections that don't correspond to a flow initiated from inside.

I suppose I could write: permit ip any any established, however I'd rather specify the WAN IP Address in the ACL statement instead of using any any. If my WAN IP is 200.1.1.1, I could use: permit ip any 200.1.1.1 established... but what happens when the ISP changes my WAN IP Address to 200.1.1.5. I don't want to have to rewrite my ACL. Is the only way to solve this scenario going to be using permit ip any any established? Is there someway to have the ACL statement dynamically update the destination portion of the ACL statement according to whatever the WAN IP Address changes to? Something such as permit ip any X established, where X will dynamically update to whatever my WAN IP Address changes to.

The reason I ask is because I am going to start using an IOS router as my home router and I'd like to apply some basic security.

Thanks.

Legacy User

I think the problem is your thinking to much into it and just confusing yourself. You already know that your WAN IP gets changed frequently. The only time you would hard code that ip address if your provider gives you a static IP address.

On the wan interface you should configure it to accept the dhcp address

int fa0/0 --> if this is your wan interface for example
ip address dhcp
ip nat outside
no shut

int fa0/1 --> if this leads to your inside network
ip add 192.168.1.1 255.255.255.0 -> you internal ip address
ip nat inside

Access-list 101 permit ip any any
Ip nat inside source list 101 interface fa0/0 overload
ip route 0.0.0.0 0.0.0.0 f0/0 --or replace f0/0 with your default gateway ip address if you know it

Also, depending how your setup is you may need to configure a dhcp scope for the users to pull addresses and if the dns is not working you may have to define that as well

Legacy User

If you want to set your router as a basic firewall thats a whole different story.

You have to create inspection rules on what protocols you want inspected

for example:
ip inspect name firewall http timeout 3600
ip inspect name firewall smtp timeout 3600
ip inspect name firewall tcp timeout 3600

on the inside interface assign where you want the inspection to take place
int fa0/1
ip inspect firewall in

Then if you want you can define what kind of traffic you want to access your outside interface. Usually for connectivity testing you would enable ICMP in

for example:
access-list 112 permit icmp any any

or you can specify what ping traffic you want in such as
-echo-reply
-traceroute
etc

after you applied access list 112
end it with a deny statement to block everything else

access-list 112 permit icmp any any
access-list 112 deny ip any any log

on your outside interface assign that access list

int fa0/0
ip access-group 112 in

If you don't want any connection coming in from the inside that the internal user did not initiate you can just deny all outbound -> internal

access-list 112 deny ip any any