Solved

Cisco Access control policy

Posted on 2011-10-09
Last Modified: 2012-05-12
Hi Folks,
 I would really value some advice regarding a Cisco ACL policy design. I am a Voice engineer and I have set up an Asterisk High Availability cluster and I have a Cisco 1841 controlling the LAN/WAN access to this cluster.

I have quite a few clients who will be using this cluster for hosted telephony and they all have fixed IP addresses that I can add to the cisco ACL and allow full access to their SIP/IAX phones for registration.

Here is the problem:

Some of my clients have home connections and their routers have dynamic IPs so I can't open the IP for access to them as their IP may change. I also have clients that have SIP clients on their mobile phones and we have a similar problem with these.

I can't run a MAC-address filter on the router as it is a layer 3 device and the only option that I could see is maybe IPsec or PPTP.

Does anyone have any suggestions?

Question by:plewis-brown
25 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 36939553
The only option I can think of is like you have already stated, by having them connect through VPN first.

A possible option may be to have your clients use some type of dynamic DNS service, and put the host names in the ACL instead of their IP address. Then enable DNS lookup on the router to resolve from the ISP's DNS?

This is a stab in the dark though. Never tried it.
 
LVL 26

Expert Comment

by:Soulja
ID: 36939564
So maybe if they register their home connections with something like dyndns.org and get a hostname like customer1.mydyndns.org. Then in the ACL, for example, have:

permit tcp host customer1.mydyndns.org host x.x.x.x  (Cisco cluster)
 
LVL 26

Expert Comment

by:Soulja
ID: 36939568
Sorry I meant

permit tcp host customer1.mydyndns.org host x.x.x.x eq port  

Author Comment

by:plewis-brown
ID: 36939593
Great Idea,

I am going to try that now and see how I go and get back to you. What's the "host x.x.x.x eq port" bit?
 
LVL 26

Expert Comment

by:Soulja
ID: 36939608
the x.x.x.x is just the ip address of your cluster.
 

Author Comment

by:plewis-brown
ID: 36939631
Have I got to point my home DNS to DynDNS to be seen as a dyn account? I have only used DynDNS for inbound dynamic IP monitoring and never for outbound?
 

Author Comment

by:plewis-brown
ID: 36941989
I did not get this to work as I am presuming that the dynamic IP is being seen rather than the Dyndns.org account name. For example my Dyndns hostname is:

browning9.homelinux.com

I have added this to the ACL with no joy?
 

Author Comment

by:plewis-brown
ID: 36942060
Checked it again and the Router just resolves browning9.homelinux.com to my current IP and I presume this will then lock me out when that IP changes.
 
LVL 4

Expert Comment

by:dcj21
ID: 36942342
When your IP changes, the dynamic DNS service will update your IP.

The DynDNS Update client keeps the host tables up to date with your IP address.

However, I don't see a solution for the mobile phones.
 

Author Comment

by:plewis-brown
ID: 36942600
Hi dcj21,
 what you said is true however not for outbound traffic. I can add my dyndns account details into my home router and I can then get back into my home network from outside and my router will update DynDNS when it changes the IP.

My problem is that I have clients on dynamic addresses who we want to allow their sip phones to register to our cluster that has a cisco 1841 with an ACL. We can't add their dynDNS hostname into the Cisco ACL as the cisco router resolves the address and that address may change.

I think the DynDNS idea will not work and I must consider asking the client to VPN into their work network and their work fixed IP will be allowed through our ACL.
 
LVL 26

Expert Comment

by:Soulja
ID: 36942654
Hmmm, I would think that the headend router where the ACL resides would resolve the DynDNS domain name to whatever IP is currently assigned. For example, I can go on my smartphone and resolve my home router by DynDNS name, so I can't see why a router could not do the same. What name server is the router using?
 

Author Comment

by:plewis-brown
ID: 36942696
The router is resolving the address that is the problem.

For example, if my DynDNS address is browning9.homelinux.com, when I add this to the Cisco ACL it resolves it to its current IP address. This may change next week so that is no good, as browning9.homelinux.com is a virtual address that the IP changes behind. DynDNS keeps the virtual host address linked to the changing IP; however, the Cisco does not know what browning9.homelinux.com is, so it can only look at its current IP, which will change.

This is the nub of the problem i.e. I cannot allow access to these dynamic clients as the DynDNS hostname means nothing to it.
 
LVL 4

Expert Comment

by:dcj21
ID: 36943039
Ah, didn't realize Cisco will not allow you to keep the FQDN in the ACL

ASAs allow this using Network Objects
https://supportforums.cisco.com/docs/DOC-17014

And I believe you can do the same on your router.
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.pdf

 
LVL 26

Expert Comment

by:Soulja
ID: 36943047
You're losing me. If the router only needs to know the hostname, why do you think it needs to know the IP address? The whole point of DynDNS is that the client will need to use an updater to keep it updated when their dynamic IP address changes. What does this have to do with the router? The router just needs to know the hostname; it should still resolve, provided the client uses the DynDNS updater.
 

Author Comment

by:plewis-brown
ID: 36943107
Please read my initial question. We have clients on dynamic IPs trying to register SIP phones to our VoIP cluster. The ACL on the VoIP cluster only allows fixed IP addresses in. Some clients are on dynamic IPs, so if we open the ACL for their IP one week it may have changed the next.

We wanted a way to validate their inbound traffic other than a changing IP. Someone raised the point of using DynDNS, but this is only to fix their IP for traffic into the client's network and this will not fix their outbound IP that they present to us when they want to register a phone.

I cannot add their DynDNS hostname into our Cisco ACL as the Cisco router resolves the DynDNS name to an IP address (which may change again the next week).

I cannot create a MAC-address filter as it is a layer 2 device

so the only option at the moment is to create a VPN unless anyone has a better idea?
 
LVL 4

Expert Comment

by:dcj21
ID: 36943212
Can you use Network Objects as I suggested above? It's available on IOS 12.4(20)T


object-group network VoIP_Users
 host browning9.homelinux.com
 host customer1.mydyndns.org
!
ip access-list extended inside_in
 permit ip object-group VoIP_Users any
 deny ip any any
 
LVL 26

Expert Comment

by:Soulja
ID: 36943233
"I cannot add their DynDNS hostname into our Cisco ACL as the cisco router resolves the dynDNS name to an IP address (which may change again the next week). "


If the ip address changes it doesn't matter because the router is using the hostname. The client will have dyndns updater on their end which will notify dyndns when their ip address changes, updating the hostname to the new ip address. When this happen the router will resolve the dyndns hostname to the new ip address.


Is this how you understand it? If so, then you know your situation better than I ever will, and know this won't work for you, so I guess VPN is your only option.
 
LVL 4

Expert Comment

by:dcj21
ID: 36943270
Others,
when you type a host name into an ip access-list command, the router converts the name to an IP address and saves the IP address, not the host name.

The only way to keep using the DNS names is to use object-groups
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html

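Because the router stores the address a name resolved to when the line was entered (the behaviour dcj21 describes above), a DynDNS name in an ACL or object-group only follows the client until its address changes. The usual way to keep it current is an external job that re-resolves the names on a schedule and pushes only the object-group changes, since a referenced object-group can be edited in place without re-applying the ACL. The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from DynDNS. The hostnames, the cluster address, the group and ACL names, and the SIP/IAX/RTP port numbers are assumptions, and the sample resolver table is constructed data standing in for real lookups. Pushing the emitted lines to the 1841 (SSH, an automation library, or by hand) is left to the operator.

```python
"""Re-resolve DynDNS names and emit the IOS object-group delta.

Added example for this thread; not Cisco code and not the poster's config.
IOS resolves a hostname in an access-list or object-group once, when the
line is entered, and stores the address. To keep tracking a DynDNS name the
operator must re-resolve it and push the changes. This does the resolve,
diff and command-generation steps. Names, addresses and ports are assumed.
"""
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

# Assumed service ports: Asterisk chan_sip default, IAX2 default, and an
# assumed rtp.conf range. Adjust to the cluster's actual configuration.
SIP_UDP = 5060
IAX_UDP = 4569
RTP_RANGE = (10000, 20000)


def resolve_all(name: str) -> List[str]:
    """Live resolver: every IPv4 A record for name, sorted for stable diffs."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def current_addresses(names: Iterable[str],
                      resolver: Resolver = resolve_all) -> Dict[str, List[str]]:
    """Map each name to its current address list.

    A failed lookup yields an empty list, so the host drops out of the
    group. That fails closed: a dynamic address the client no longer holds
    may already belong to someone else, and a stale entry would let that
    unrelated party reach the SIP/IAX ports.
    """
    result: Dict[str, List[str]] = {}
    for name in names:
        try:
            result[name] = resolver(name)
        except (socket.gaierror, socket.herror):
            result[name] = []
    return result


def changed_hosts(previous: Dict[str, List[str]],
                  current: Dict[str, List[str]]) -> List[str]:
    """Names whose address set differs between two runs."""
    names = set(previous) | set(current)
    return sorted(n for n in names if previous.get(n, []) != current.get(n, []))


def refresh_commands(group: str, previous: Dict[str, List[str]],
                     current: Dict[str, List[str]]) -> List[str]:
    """IOS lines that move `group` from the previous to the current membership.

    Only the delta is emitted; the ACL referencing the group is untouched.
    """
    old = {ip for ips in previous.values() for ip in ips}
    new = {ip for ips in current.values() for ip in ips}
    if old == new:
        return []
    lines = [f"object-group network {group}"]
    lines += [f" no host {ip}" for ip in sorted(old - new)]
    lines += [f" host {ip}" for ip in sorted(new - old)]
    return lines


def acl_lines(acl: str, group: str, cluster_ip: str) -> List[str]:
    """One-time ACL: only the group, only to the cluster, only the VoIP ports."""
    return [
        f"ip access-list extended {acl}",
        f" permit udp object-group {group} host {cluster_ip} eq {SIP_UDP}",
        f" permit udp object-group {group} host {cluster_ip} eq {IAX_UDP}",
        f" permit udp object-group {group} host {cluster_ip} "
        f"range {RTP_RANGE[0]} {RTP_RANGE[1]}",
        " deny ip any any log",
    ]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for resolve_all, backed by a constructed table."""
    def resolver(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return list(table[name])
    return resolver


# Constructed sample data (not real lookups): what two successive runs saw.
NAMES = ["browning9.homelinux.com", "customer1.mydyndns.org"]
RUN1 = {"browning9.homelinux.com": ["198.51.100.23"],
        "customer1.mydyndns.org": ["203.0.113.77"]}
RUN2 = {"browning9.homelinux.com": ["198.51.100.88"],   # home IP changed
        "customer1.mydyndns.org": ["203.0.113.77"]}

if __name__ == "__main__":
    previous = current_addresses(NAMES, table_resolver(RUN1))
    current = current_addresses(NAMES, table_resolver(RUN2))
    print("changed:", changed_hosts(previous, current))
    print("\n".join(acl_lines("VOIP_IN", "VoIP_Users", "192.0.2.10")))
    print("\n".join(refresh_commands("VoIP_Users", previous, current)))
```

Two caveats a practitioner should keep in mind. Between the client's address changing and the next run of the job, that client is locked out, so the interval has to be short, and a DynDNS record is only as trustworthy as the DNS answer the router or the job receives; this is allow-listing by source address, not authentication of the phone. The registration credentials on the Asterisk side, or the VPN option raised in the thread, remain the actual access control, and the ACL only narrows who can attempt it.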
 

Author Comment

by:plewis-brown
ID: 36943377
Ohh Fantastic dcj21

I will look into this straight away, thanks. How often does the Cisco poll the hostname to match the inbound hostname/IP address, every time the client tries to connect perhaps?
 
LVL 4

Expert Comment

by:dcj21
ID: 36943498
I didn't see it in the docs. I'd assume on every connection or it could use the hostname cache. I don't know the time-out on the hostname cache
 

Author Comment

by:plewis-brown
ID: 36943607
It's a Cisco 1841 and I don't see the command object-group?
 

Author Comment

by:plewis-brown
ID: 36943634
I am running Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)

Maybe it's not available on this version as I can see it is in 12.4(20)
 
LVL 4

Accepted Solution

by:
dcj21 earned 2000 total points
ID: 36943653
Yes, you will need to upgrade your IOS to 12.4(20) or higher
 

Author Closing Comment

by:plewis-brown
ID: 36943675
I learned a lot about object-groups thanks!
 
LVL 26

Expert Comment

by:Soulja
ID: 36943726
Oh, I see what you are saying now. I don't know why that  wasn't clicking. Regardless, I think even with object groups you will have the same problem.
