A little off-topic (switching being topic at the moment) but I ran into this today again and wanted to jot it down quick.
WARNINGS: The commands below enable public access to internal resources. This should not be done if you do not understand Access Control Lists (ACL) and/or have a proper Firewall (not windows Firewall) installed maybe a PIX or ASA even ISA Server would do. I prefer not doing this at all because it creates a rather obvious place for network attacks to happen. You must know that these commands are what I know to work, you may disagree and I would love to hear what you do/use. I take no responsibility whatsoever as to how you use these commands and you shall be responsible for your losses or your clients losses if you do not implement this correctly or data/information is stolen.
Dynamic Domain Name Service (DDNS) is a service that lets anyone on the internet gain access to resources on a local network when that local network is connected to the internet through a Dynamic (constantly changing) IP Address connection (most ADSL connections).
To understand the concept Domain Name Service (DNS) is the mapping of IP Addresses (192.168.0.1) to human-readable computer hostnames (www.companyweb.org) that is used by routers and other networking infrastructure to delivery information as needed. The internet uses DNS so that we can go to www.google.co.za and not have to remember the IP Address for google and the million other sites online.
DDNS makes it possible for Small, Medium Business (SMB) to allow employees, customers, partners and other stakeholders access to internal resources (mail, intranet, pricelists, documents, etc) without the requirement to pay for static IP address access to the internet. This is not limited to SMB as some larger companies have dynamic connections and also use the service. There are of course security concerns and problems with DDNS.
By enabling DDNS you allow external (untrusted) access to internal (trusted) resources. This leads to not just known (employees, customers, partners and other stakeholders) visitors but unknown (random hits, hackers, etc). If you do not implement the proper security you may and probably will lose information and data without even knowing it.
On the SMB range Cisco Series Routers upward the DDNS command is supported and services like Dyndns can be configured without much hassle. There are some small things to watch out for though that I will cover below.
Step 1: Open an Account with DynDNS (Other services work with Cisco Routers). I however have only used DynDNS and I am happy with them. Check the config guide from Cisco for the other commands. Once you have the DynDNS account setup a free DynDNS hostname they have many options like your-option.domain.com and write down this and your username and password.
Step 2: Add DynDNS.org to your Host list and Statically apply your ISP DNS servers. This works best, you could just not do this but it works better if you do.
Router(config)#ip host members.dyndns.org 63.208.196.96
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#ip name-server xxx.xxx.xxx.xxx
Things to change xxx.xxx.xxx.xxx is your ISP DNS Server address, primary first address, secondary address second.
For those with ISPs that love changing their DNSs regularly (I know some ISPs change their DNS servers monthly, they have a list of DNSs and the active ones any given month would be any persons lucky assumption) this is great if you charge by the hour and bad for your client because they will see you every month (i.e. bad for Cisco’s image because a client thinks his Cisco kit breaks every month).
Via Etherealmind you can give OpenDNS a try. OpenDNS is DNS with a little extra as they inlcude Phising protection and spelling correction in their service.
Step 3: This is tricky because it uses a special character, play around with this and see what happens. When you get to the special character in the line press Ctrl+V to allow for the character input in IOS
Router(config)#ip ddns update method dyndns
Router(DDNS-update-method)#HTTP
Router(DDNS-HTTP)#http://DYNDNS-USERNAME:DYNDNS-PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
Router(DDNS-update-method)#interval maximum 0 28 0 0
If you don’t get it, the special character I mentioned is the question mark, which won’t be allowed to be input without the CTRL+V. Things to Change DYNDNS-USERNAME is your DynDNS Username and DYNDNS-PASSWORD is your DynDNS Password
Step 4: On the Dialer interface (not the ATM, fastethernet, gigabitethernet interfaces). This could also be put on the Serial interface (say for a flapping link, if you have a Leased line for internet but then you would probably have a static IP address) why you would use DDNS then I dont know but it could and would probably work.
Router(config)#interface Dialer1
Router(config-if)#ip ddns update hostname your-option.domain.com
Router(config-if)#ip ddns update dyndns host members.dyndns.org
Things to change your-option.domain.com is the choice for the domain you made at DynDNS like game-server.dyndns.org.
Step 5: We are doing this for a reason and the reason behind DDNS is to have a private resource available to the public internet. To achieve this in IPv4 NAT or PAT is used when a single Internet connection is available. NAT basically takes multiple internal addresses and allows all those addresses to access the internet at once through a single internet connection. For this to work you need to configure your NAT inside and NAT outside.
Router(config)#interface Dialer1
Router(config-if)#nat outside
Router(config-if)#exit
Router(config)#interface vlan VLAN-Number
Router(config-if)#nat inside
I use a VLAN and map the VLAN to an fastethernet or gigabitethernet interface, you may or may not do it this way.
Step 6: Configure NAT extend a internal resource to the public. I am say doing this for Small Business Server 2003 (SBS) for Exchange Outlook Web Access (OWA). This uses HTTP port 80 and HTTPS port 443. Consider only doing this if you have Premium Edition (comes with ISA Server) so that you can excercise some control over what you publish and what you dont publish.
Router(config-if)#ip nat inside source list 101 interface Dialer1 overload
Router(config-if)#ip nat inside source static tcp xxx.xxx.xxx.xxx 80 interface Dialer1 80
Router(config-if)#ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface Dialer1 443
Things to change here would be the xxx.xxx.xxx.xxx which is the SBS IP address (default is 192.168.16.2)
Step 7: Disable the Router HTTP and HTTPS server so that you won’t be getting the routers login page when you try access the your-option.domain.com. Which is both annoying, could break the functionality and also is a security risk.
Router(config-if)#no ip http server
Router(config-if)#no ip http secure-server
This command will disable the WEB GUI!!!! If this is a problem consider not configuring DDNS. This command may break functionality because it also uses HTTP port 80 meaning that if you type the url the router wont know whether to give you OWA or WEB GUI. It’s a security problem because everyime someone comes to the external website on port 80 the router will ask for level 15 login and password (Cisco specific information and anyone that knows network kit knows this means Cisco kit lurks yonder) and they may well actually get into the router and factory-reset it for you should they be able to login or you haven’t chosen a secure password (which is not good).
Step 8: Configure ACLs (at least) for WAN traffic). Some ISR routers come with options of Firewall consider configuring that too. Disable CDP on external facing interfaces etc (IOW take due care and dilligence in setting up a proper secure router plus some more because you are letting the outside world into the private network).
Step 9: To Verify DDNS using the show commands
Router(config)#show ip ddns update
Alternatively you can use the debug command
Router(config-if)#debug ip ddns update
Step 10 :I’m not paranoid (all this talk of security), I just don’t like gambling with lady luck. Exposing any part of the internal network to the outside world is a security risk that can be mitigated (not totally) but controlled. Consider this and how to mitigate the risk before exposing something like SBS (which by all accounts is the Business Nervous System in a SMB).
Notes and Notices:
Anything free is meant to be taken with a pound of salt. I take no responsibility for loss or damage from implementation of the above commands on routers or networks without proper consultation and documentation done by myself in person with end-users. I do not suggest this configuration, by writing this I do not imply that this is a good idea to implement or configure in all situations.
In good afrikaans “Die is als voets-toets”.