Cisco Access control policy

Hi Folks,
I would really value some advice regarding a Cisco ACL policy design. I am a Voice engineer and I have set up an Asterisk High Availability cluster, and I have a Cisco 1841 controlling the LAN/WAN access to this cluster.

I have quite a few clients who will be using this cluster for hosted telephony. They all have fixed IP addresses that I can add to the Cisco ACL to allow full access for their SIP/IAX phones to register.

Here is the problem:

Some of my clients have home connections and their routers have dynamic IPs, so I can't open the ACL for their IP as it may change. I also have clients with SIP clients on their mobile phones, and we have a similar problem with these.

I can't run a MAC-address filter on the router as it is a layer 3 device, and the only option I could see is maybe IPsec or PPTP.

Does anyone have any suggestions?

plewis-brown Asked:

dcj21 Commented:
Yes, you will need to upgrade your IOS to 12.4(20) or higher
0
 
Soulja Commented:
The only option I can think of is like you have already stated, by having them connect through VPN first.

A possible option may be to have your clients use some type of dynamic DNS service and put the host names in the ACL instead of their IP addresses. Then enable DNS lookup on the router to resolve from the ISP's DNS?

This is a stab in the dark, though. Never tried it.
0
 
Soulja Commented:
So maybe if they register their home connections with something like dyndns.org they get a hostname like customer1.mydyndns.org. Then in the ACL, for example, have:

permit tcp host customer1.mydyndns.org host x.x.x.x  (Cisco cluster)
0
 
Soulja Commented:
Sorry I meant

permit tcp host customer1.mydyndns.org host x.x.x.x eq port  
0
 
plewis-brown Author Commented:
Great idea,

I am going to try that now, see how I go and get back to you. What's the "host x.x.x.x eq port" bit?
0
 
Soulja Commented:
The x.x.x.x is just the IP address of your cluster.
0
 
plewis-brown Author Commented:
Have I got to point my home DNS to DynDNS to be seen as a dyn account? I have only used DynDNS for inbound dynamic IP monitoring and never for outbound.
0
 
plewis-brown Author Commented:
I did not get this to work, as I am presuming that the dynamic IP is being seen rather than the Dyndns.org account name. For example, my DynDNS hostname is:

browning9.homelinux.com

I have added this to the ACL with no joy.
0
 
plewis-brown Author Commented:
Checked it again, and the router just resolves browning9.homelinux.com to my current IP. I presume this will then lock me out when that IP changes.
0
 
dcj21 Commented:
When your IP changes, the dynamic DNS service will update your IP.

The DynDNS Update client keeps the host tables up to date with your IP address.

However, I don't see a solution for the mobile phones.
0
 
plewis-brown Author Commented:
Hi dcj21,
What you said is true, however not for outbound traffic. I can add my DynDNS account details into my home router, I can then get back into my home network from outside, and my router will update DynDNS when the IP changes.

My problem is that I have clients on dynamic addresses whose SIP phones we want to allow to register to our cluster, which sits behind a Cisco 1841 with an ACL. We can't add their DynDNS hostname into the Cisco ACL as the Cisco router resolves the address, and that address may change.

I think the DynDNS idea will not work, and I must consider asking the client to VPN into their work network so that their work's fixed IP will be allowed through our ACL.
0
 
Soulja Commented:
Hmmm, I would think that the headend router where the ACL resides would resolve the DynDNS domain name to whatever IP is currently assigned. For example, I can go on my smartphone and resolve my home router by its DynDNS name, so I can't see why a router could not do the same. What name server is the router using?
0
 
plewis-brown Author Commented:
The router resolving the address is the problem.

For example, if my DynDNS address is browning9.homelinux.com, when I add this to the Cisco ACL it resolves it to its current IP address. This may change next week, so that is no good, as browning9.homelinux.com is a virtual address with the IP changing behind it. DynDNS keeps the virtual host address linked to the changing IP; however, the Cisco does not know what browning9.homelinux.com is, so it can only look at its current IP, which will change.

This is the nub of the problem, i.e. I cannot allow access to these dynamic clients, as the DynDNS hostname means nothing to it.
0
 
dcj21 Commented:
Ah, didn't realize Cisco will not allow you to keep the FQDN in the ACL.

ASAs allow this using Network Objects:
https://supportforums.cisco.com/docs/DOC-17014

And I believe you can do the same on your router:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.pdf

0
 
Soulja Commented:
You're losing me. If the router only needs to know the hostname, why do you think it needs to know the IP address? The whole point of DynDNS is that the client will need to use an updater to keep it updated when their dynamic IP address changes. What does this have to do with the router? The router just needs to know the hostname; it should still resolve, provided the client uses the DynDNS updater.
0
 
plewis-brown Author Commented:
Please read my initial question. We have clients on dynamic IPs trying to register SIP phones to our VoIP cluster. The ACL on the VoIP cluster only allows fixed IP addresses in. Some clients are on dynamic IPs, so if we open the ACL for their IP one week, it may have changed the next.

We wanted a way to validate their inbound traffic other than a changing IP. Someone raised the point of using DynDNS, but this only fixes their IP for traffic into the client's network; it will not fix the outbound IP that they present to us when they want to register a phone.

I cannot add their DynDNS hostname into our Cisco ACL, as the Cisco router resolves the DynDNS name to an IP address (which may change again the next week).

I cannot create a MAC-address filter as it is a layer 2 device.

So the only option at the moment is to create a VPN, unless anyone has a better idea?
0
 
dcj21 Commented:
Can you use Network Objects as I suggested above? It's available on IOS 12.4(20)T.

object-group network VoIP_Users
 host browning9.homelinux.com
 host customer1.mydyndns.org
!
ip access-list extended inside_in
 permit ip object-group VoIP_Users any
 deny ip any any
0
 
Soulja Commented:
"I cannot add their DynDNS hostname into our Cisco ACL as the cisco router resolves the dynDNS name to an IP address (which may change again the next week)."

If the IP address changes it doesn't matter, because the router is using the hostname. The client will have the DynDNS updater on their end, which will notify DynDNS when their IP address changes, updating the hostname to the new IP address. When this happens, the router will resolve the DynDNS hostname to the new IP address.

Is this how you understand it? If so, then you know your situation better than I ever will, and know this won't work for you, so I guess VPN is your only option.
0
 
dcj21 Commented:
Others,
when you type a host name in an ip access-list command, the router converts the name to an IP address and saves the IP address, not the host name.

The only way to keep using the DNS names is to use object-groups:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html

0
 
plewis-brown Author Commented:
Ohh, fantastic dcj21.

I will look into this straight away, thanks. How often does the Cisco poll the hostname to match the inbound hostname/IP address, every time the client tries to connect perhaps?
0
 
dcj21 Commented:
I didn't see it in the docs. I'd assume on every connection, or it could use the hostname cache. I don't know the time-out on the hostname cache.
0
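The two behaviours argued over in this thread (an ACL line that stores the address the name resolved to when it was typed, versus a name-based object-group entry that is re-resolved at match time, with the cache timeout dcj21 mentions) can be simulated outside the router. The following is an added illustration, not code from the thread and not Cisco IOS configuration; the `DNS_ZONE` table, the sample addresses, the `StaticAclRule` / `FqdnAclRule` classes and the 300-second cache TTL are all constructed for the example.

```python
import time

# Constructed stand-in for the DynDNS zone: hostname -> currently published address.
# In the real scenario the client's DynDNS updater rewrites this when the home router's IP changes.
DNS_ZONE = {
    "customer1.mydyndns.org": "198.51.100.10",   # constructed sample address
}


def resolve(hostname):
    """Lookup against the constructed zone (a real router would query its configured name server)."""
    return DNS_ZONE[hostname]


class StaticAclRule:
    """Models 'permit ... host customer1.mydyndns.org' on IOS 12.4 as dcj21 describes it:
    the name is resolved once when the line is entered and only the address is kept,
    so later DynDNS updates are never seen by the ACL."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.address = resolve(hostname)   # resolved at config time, frozen thereafter

    def permits(self, src_ip, now):
        return src_ip == self.address


class FqdnAclRule:
    """Models a name-based object-group entry: the name itself is kept and re-resolved
    at match time, subject to a hostname-cache TTL (assumed value, not a Cisco default)."""

    def __init__(self, hostname, ttl_seconds):
        self.hostname = hostname
        self.ttl = ttl_seconds
        self._cached = None
        self._expires = 0.0

    def current_address(self, now):
        # Re-resolve only when nothing is cached or the cached answer has expired.
        if self._cached is None or now >= self._expires:
            self._cached = resolve(self.hostname)
            self._expires = now + self.ttl
        return self._cached

    def permits(self, src_ip, now):
        return src_ip == self.current_address(now)


def simulate():
    """Walk through the thread's scenario with a simulated clock and return each ACL decision."""
    host = "customer1.mydyndns.org"
    DNS_ZONE[host] = "198.51.100.10"          # reset the constructed zone so the run is repeatable
    static_rule = FqdnAclRule.__new__(FqdnAclRule)  # placeholder replaced below
    static_rule = StaticAclRule(host)
    fqdn_rule = FqdnAclRule(host, ttl_seconds=300)
    t = 0.0
    results = {}

    # 1. SIP registration from the address the name resolved to when the ACL was configured.
    results["before_change_static"] = static_rule.permits("198.51.100.10", t)
    results["before_change_fqdn"] = fqdn_rule.permits("198.51.100.10", t)

    # 2. The ISP reassigns the home router's address and the DynDNS updater publishes it.
    DNS_ZONE[host] = "203.0.113.77"
    t += 60
    results["after_change_static"] = static_rule.permits("203.0.113.77", t)
    # The name-based rule still holds the cached answer, so the phone is locked out until the TTL expires.
    results["after_change_fqdn_within_ttl"] = fqdn_rule.permits("203.0.113.77", t)

    # 3. The cache expires; the name-based rule re-resolves and accepts the new address.
    t += 300
    results["after_change_fqdn_after_ttl"] = fqdn_rule.permits("203.0.113.77", t)
    # The old address, possibly now assigned to someone else, is no longer permitted.
    results["old_address_fqdn_after_ttl"] = fqdn_rule.permits("198.51.100.10", t)
    return results


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:32s} {'permit' if decision else 'deny'}")
```

Two points for whoever operates such an ACL. First, the window between the address change and the cache refresh is exactly what plewis-brown asks about: during it the client is denied, and for the same length of time the previous address stays permitted, so the cache timeout is a security parameter and not only an availability one. Second, a name-based rule trusts whatever the resolver returns, so the ACL is only as strong as the path to the name server and the DynDNS account credentials that control the record; a VPN, as suggested in the thread, authenticates the client rather than its current address and avoids both issues.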
 
plewis-brown Author Commented:
It's a Cisco 1841 and I don't see the command object-group?
0
 
plewis-brown Author Commented:
I am running Version 12.4(13r)T5, RELEASE SOFTWARE (fc1).

Maybe it's not available on this version, as I can see it is in 12.4(20).
0
 
plewis-brown Author Commented:
I learned a lot about object-groups, thanks!
0
 
Soulja Commented:
Oh, I see what you are saying now. I don't know why that wasn't clicking. Regardless, I think even with object groups you will have the same problem.
0