setting a DHCP address as the default route

xyyz

Diamond Member
Sep 3, 2000
here's the layout:

isp-----(DHCP/e1)-----router------(static ip/e0)--------firewall

the router is a Cisco device. what's the command to have the address given to the router via DHCP set as the default gateway?
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
config t
ip route 0.0.0.0 0.0.0.0 Ethernet1 (it will have an administrative distance "AD" of 0 by default)
Ctrl-Z
copy run start

(Aim the traffic at the interface instead of an address)

The "Default Gateway" for the LAN devices is the address of the E0 interface (the LAN interface).

Good Luck

Scott

 

xyyz

Diamond Member
Sep 3, 2000
here's another one...

how do you place access-lists on this DHCP-given IP address?

i don't want anyone to be able to SSH to the router from the outside, on either interface, so how would i formulate the syntax of the ACL?
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Just deny any any eq 22 in the ACL and apply it to the interface (SSH is port 22 by default).

Good Luck

Scott
 

xyyz

Diamond Member
Sep 3, 2000
but won't this deny all SSH traffic from coming into the router?
 

Fuzznuts

Senior member
Nov 7, 2002
the first connection will be made to port 22 as the listening port. the stream will be attached to a random port on the client end as the source. all you need to stop is the ability of creating the connection on your port, i.e. incoming.

from your client side internally it would be a random port making the connection, so the returning data will be coming from a port higher than 1024. + if it's a stateful firewall it will be a related and established connection and should be allowed through.

as an outgoing connection the rule will also not apply from the client side.

does this help?
 

tjmaxz

Junior Member
Oct 8, 2002
I guess you could put the permit addresses in the access-list for the ssh that you want to be allowed.
so if you want outside to connect to a server's address 20.20.20.20 with ssh, you could do something like:
permit tcp any host 20.20.20.20 eq 22
permit tcp any any established
// and then put on the "permits" for whatever traffic that you want to let through, because access-list has implicit deny.

if you want to let everything else to pass through, you can do something like this:
permit tcp any host 20.20.20.20 eq 22
permit tcp any any established
deny tcp any any eq 22
permit ip any any


And then apply this onto the interface.
Hopefully this helps.
 

Boscoh

Senior member
Jan 23, 2002
You want to deny SSH traffic coming into the router, correct? Are you concerned about denying your outbound requests for SSH as well? If this is your concern, it's simple, do the following:

conf t
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
int e1 (or fast1, however your router defines it, either "ethernet" or "fastethernet")
ip access-group 100 in
Ctrl-Z
copy run start


That creates a list that blocks only SSH coming inbound to your router, but permits everything else. It doesn't block any outbound traffic.

Hope that helps.
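To make the thread's two lists concrete (Fuzznuts's point about return traffic, tjmaxz's server exception with `established`, and Boscoh's `access-list 100`), here is an added example that is not part of any post: a small Python model of first-match ACL evaluation over constructed packets. The addresses are documentation ranges and 198.51.100.9 is an assumed stand-in for the DHCP-assigned WAN address.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two access lists proposed in the thread (an added
# example, not IOS code). Entry: (action, proto, src, dst, dst_port, established)
ACL_100 = [                                   # Boscoh's list
    ("deny",   "tcp", "any", "any", 22, False),
    ("permit", "ip",  "any", "any", None, False),
]
ACL_SERVER = [                                # tjmaxz's list with an SSH server exception
    ("permit", "tcp", "any", "20.20.20.20/32", 22, False),
    ("permit", "tcp", "any", "any", None, True),    # 'established'
    ("deny",   "tcp", "any", "any", 22, False),
    ("permit", "ip",  "any", "any", None, False),
]

def _addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, proto, src, dst, dport, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not _addr_matches(src, pkt["src"]) or not _addr_matches(dst, pkt["dst"]):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # IOS 'established' matches TCP segments with ACK or RST set (only ACK
        # is modelled here): replies to sessions opened from the inside, never a
        # fresh SYN arriving from the WAN.
        if established and not pkt.get("ack", False):
            continue
        return action
    return "deny"

# Constructed packets as seen inbound on the WAN interface (e1).
NEW_SSH_TO_ROUTER = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.9",
                     "sport": 40000, "dport": 22, "ack": False}
REPLY_TO_OUR_SSH  = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.9",
                     "sport": 22, "dport": 51000, "ack": True}
NEW_SSH_TO_SERVER = {"proto": "tcp", "src": "203.0.113.5", "dst": "20.20.20.20",
                     "sport": 40000, "dport": 22, "ack": False}
WEB_REPLY         = {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.9",
                     "sport": 80, "dport": 52000, "ack": True}
```

Running `evaluate(ACL_100, REPLY_TO_OUR_SSH)` shows why an inbound `deny tcp any any eq 22` does not break SSH sessions started from inside: the reply carries 22 as its source port, not its destination port.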


 

Kadarin

Lifer
Nov 23, 2001
Originally posted by: xyyz
but won't this deny all ssh traffic from comming into the router?

If the ACL is configured to deny ssh traffic, and you have it applied for inbound traffic on any/all interfaces that point to the outside, that accomplishes your goal, no?
 

xyyz

Diamond Member
Sep 3, 2000
i do not want to completely deny SSH

i want to block inward SSH access to 2 addresses when you are trying to access it from the WAN (block e0 and e1)... i want to allow it to pass through... to addresses other than those two addresses.

the fact that the address is not a static address compounds the problem, since i cannot put the address of the WAN interface inside the ACL. i wish Cisco had a command that would allow you to enter the interface vs. the IP address.

understand?

the problem with putting the ACL on one address is that it's not practical. i won't be using that same address all the time.


 

cmetz

Platinum Member
Nov 13, 2001
ScottMac, I haven't tried this in my lab, but are you certain that command won't cause the router to treat all traffic as subnet-local (that is, it'll try to ARP every IP dest addr out e0)? Normally, network stacks need to know that there's a gateway involved so they know to ARP the gateway's address and send all their traffic to that MAC address. Unless the ISP proxy-ARPs, that wouldn't work.
 

tjmaxz

Junior Member
Oct 8, 2002
Let me get this straight. So you just don't want anyone to access the router from the WAN side? If you want to just block remote access to the router totally, you can just do this:

conf t
line vty 0 4
transport input none
end
copy run start

this way you will block all remote access to the router. Yet you can still go in from the console line.

 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
As the default route / Gateway of Last Resort, it should behave the same as if the interface address was used instead of the port ID. The main difference is that the AD is zero instead of 1 ( but can be overridden by including an AD in the setup command).

It works OK for a "regular" static route as well ( a specific network).

For the example in the original post, the devices on the "inside" will still use the firewall's "inside" interface address as their Default Gateway, and the Firewall's "outside" interface will be a static / default route to the E0 interface of the router, with appropriate rules.

Assuming NAT is going to happen at the router, just put in a static port mapping for port 22 to the firewall, then use the firewall to direct port 22 traffic to whatever inside box you want for an SSH server. You can then have a firewall rule for the inside interface to limit / allow / deny SSH access to the router as desired.

You'll still have to track the external interface's IP address, or use the ISP's DNS name for that interface. The address may change with DHCP, but the ISP's DNS (as part of the DHCP server's function) should be notified of the changes and adjust as necessary.


With the information given, the above should work jus' fine.

Good Luck

Scott
 

tjmaxz

Junior Member
Oct 8, 2002
In regard to cmetz's question:

"ScottMac, I haven't tried this in my lab, but are you certain that command won't cause the router to treat all traffic as subnet-local (that is, it'll try to ARP every IP dest addr out e0)? Normally, network stacks need to know that there's a gateway involved so they know to ARP the gateway's address and send all their traffic to that MAC address. Unless the ISP proxy-ARPs, that wouldn't work. "

the ip route 0.0.0.0 0.0.0.0 interface e1 would work.
Because the router knows the address of each of its interfaces (e1 and e0).
And it will first route to the appropriate interface if the dest. address is in the same subnet as the interface.
If the dest. address is not in one of the interfaces' subnets, it will go for the default route instead, and send the traffic out e1.
This is because the router will match the longest match entry of the routing table. :)
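The longest-match behaviour described above, together with the ARP question cmetz raised, as an added example that is not part of the thread or any router's output: a small Python route lookup over a constructed table for the e0/e1 layout. The subnets and the 198.51.100.1 gateway are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the thread's layout (added example, not router
# output): e1 is the WAN interface with a DHCP-assigned address, e0 the LAN.
# Entry: (prefix, next_hop, interface); next_hop None means the route points at
# an interface only, as `ip route 0.0.0.0 0.0.0.0 Ethernet1` does.
ROUTES_IFACE_DEFAULT = [
    ("198.51.100.0/24", None, "Ethernet1"),   # connected: the ISP-assigned subnet
    ("192.168.1.0/24",  None, "Ethernet0"),   # connected: LAN toward the firewall
    ("0.0.0.0/0",       None, "Ethernet1"),   # default route aimed at the interface
]
# Same table with a next-hop default route instead, for comparison.
ROUTES_NEXTHOP_DEFAULT = ROUTES_IFACE_DEFAULT[:2] + [
    ("0.0.0.0/0", "198.51.100.1", "Ethernet1"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins,
    so the connected /24s beat the /0 default for their own hosts."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def forward(routes, dst):
    """Return the egress interface and the address the router must resolve
    with ARP. For an interface-only route on an Ethernet segment the router
    ARPs for the destination itself, so the ISP's device has to answer with
    proxy ARP (cmetz's concern); with a next-hop route it ARPs for the gateway."""
    hit = lookup(routes, dst)
    if hit is None:
        return None                      # no route at all: packet is dropped
    net, next_hop, iface = hit
    return {"interface": iface, "prefix": str(net),
            "arp_for": next_hop if next_hop is not None else dst}
```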