
access-list command w/ Dynamic IP

Status
Not open for further replies.

rmeder

IS-IT--Management
Jul 25, 2003
19
US
How would I structure the access-list command to handle an outside interface with a dynamic IP?

I need to allow outside access to an internal SMTP server, but I don't have a static IP with my service provider. I have created the static command by utilizing the interface reference instead of the address, but how do I enable the inbound traffic without a static public IP?

Thanks for any assistance.

Rick
 
I'll try wording it a little differently... I was beat tired when I wrote the last one.

Need to pass traffic through a PIX 501 to an SMTP server on my internal network. I have a dynamic IP on my outside interface, and I use a dynamic DNS service (DNS2Go) to redirect traffic to it. I have searched through everything I could find on both Cisco.com and here on Tek-Tips, but I have not been able to find any info on handling this scenario with a dynamic IP.

Please help!

Thank you,

Rick
 
If you mean something like this:

access-list outside_inbound_access permit ip any internal_smtp_address internal_netmask

access-group outside_inbound_access in interface outside


It's a fairly simple configuration.
 
Sorry to be so abrupt, but I don't understand why you would host a mail server and have a $500 firewall and not spend the extra $10/month for a static IP. I would recommend getting the static IP, or your email is not likely to be stable.
 
Be as abrupt as you want.

The network that this is running on is just a small test network. The mail server has been running for quite some time without any issues. We do have smtp caching running on another network just in case though. The reason for what turned out to be a stupid question is that I have never run anything other than a generic little router on this test network, but we do run different PIXs on several of our other networks which are all utilizing DIAs. It was necessary to install the PIX here for some tests. Point of the matter is... you are correct it would make sense to have a static IP, and if our provider offered it don't you think we would spend 10 friggen dollars a month to have it?? The answer would be YES.
 
Just a thought, not really sure it'll work, but it might inspire brilliance in someone else, but maybe try registering a unique domain name for this test network with a DDNS service, then when the IP address changes, name resolution would follow. The obvious problem here is that I do not know if the PIX will do DDNS. If not, may put a host behind the PIX running a DDNS updater service.
 
sample configuration for smtp and
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
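Added example, not code from any poster in this thread: the sample configuration above stops before the access list, so this fragment shows the inbound rule written against the interface keyword instead of a fixed public address. It assumes PIX OS 6.3-style syntax, reuses the ACL name outside_inbound_access from the earlier reply and the server address 192.168.0.2 from the sample configuration; lines starting with ! are annotations for the reader, not commands.

```cisco
! Assumption: PIX OS 6.3-style syntax. 192.168.0.2 is the internal SMTP
! server from the sample configuration; the ACL name is from the earlier reply.

! The outside address is leased by DHCP, so no public IP is written anywhere.
ip address outside dhcp setroute

! Port redirection: TCP/25 arriving at the outside interface address is
! forwarded to the internal SMTP server.
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0

! On this PIX generation the outside ACL is matched against the translated
! (outside) destination, so the rule names the interface, not 192.168.0.2.
! "permit ip any ..." would admit every protocol and port; this admits
! only TCP/25 to whatever address the outside interface currently holds.
access-list outside_inbound_access permit tcp any interface outside eq smtp

! Bind the ACL to inbound traffic on the outside interface.
access-group outside_inbound_access in interface outside

! Check after an address change: the hit counter on the SMTP entry should
! keep increasing as mail arrives.
! show access-list outside_inbound_access
```

Because both the static and the access-list entry refer to the interface, a DHCP lease change needs no configuration edit; only the dynamic DNS record has to follow the new address.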
 