ACL blocking dns

I've got a problem where, when I bind the following ACL inbound, my DNS server can no longer query, which takes down the internet. The list is bound to a multilink interface (2 x T-1) like so: ip access-group 101 in. I even tried ip access-group 101 out. This is running NAT with f0 being the inside, which is working fine w/o the ACL. All the rules below even seem to work when the ACL is applied. I can RDP to servers and everything.

Any ideas?

I've got the following ACL:

access-list 101 permit tcp any host 69.71.225.56 eq 8000
access-list 101 permit tcp any host 69.71.225.56 eq smtp
access-list 101 permit tcp any host 69.71.225.57 eq www
access-list 101 permit tcp any host 69.71.225.57 eq 3389
access-list 101 permit tcp any host 69.71.225.57 eq 2000
access-list 101 permit tcp any host 69.71.225.57 eq 2001
access-list 101 permit tcp any host 69.71.225.57 eq 2002
access-list 101 permit tcp any host 69.71.225.57 eq 2003
access-list 101 permit tcp any host 69.71.225.57 eq 2004
access-list 101 permit tcp any host 69.71.225.57 eq 2005
access-list 101 permit tcp any host 69.71.225.57 eq 2006
access-list 101 permit tcp any host 69.71.225.57 eq 2007
access-list 101 permit tcp any host 69.71.225.57 eq 2008
access-list 101 permit tcp any host 69.71.225.57 eq 2009
access-list 101 permit tcp any host 69.71.225.57 eq 2100
access-list 101 permit tcp any host 69.71.225.57 eq 2103
access-list 101 permit tcp any host 69.71.225.57 eq 11057
access-list 101 permit tcp any host 69.71.225.57 eq ftp-data
access-list 101 permit tcp any host 69.71.225.58 eq 3389
access-list 101 permit tcp 68.70.207.0 0.0.0.255 host 66.71.225.59 eq 389
access-list 101 permit tcp any host 69.71.225.59 eq www
access-list 101 permit tcp any host 69.71.225.59 eq smtp
access-list 101 permit tcp any host 69.71.225.59 eq pop3
access-list 101 permit tcp any host 69.71.225.59 eq 143
access-list 101 permit tcp any host 69.71.225.59 eq 3389
access-list 101 permit tcp any host 69.71.225.59 eq 8383
access-list 101 permit tcp any host 69.71.225.50 eq 3389
access-list 101 permit tcp any host 69.71.225.51 eq 3389
access-list 101 permit tcp any host 69.71.225.52 eq 3389
access-list 101 permit icmp any host 69.102.105.134
access-list 101 permit ip any host 69.4.212.98
access-list 101 permit icmp any host 69.4.212.98
access-list 101 permit esp any host 69.4.212.98
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain
Reply to
jcle

Try changing these lines:

access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq domain

to:

access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any

For inbound traffic, the source port of DNS traffic originally sent out as a DNS query will be 53 (domain). Your original ACL allows inbound DNS queries, not outbound queries.

Reply to
Thrill5

When your inside queries to the outside, the source port will not usually be 53, but the destination port (the place being queried) will be 53. When the response comes back, the source port of the response will be 53, but the destination port inside will be whichever port the DNS server (or client) used to query the outside.

Thus, in order for responses to get back properly, you would want to add:

access-list 101 permit udp any eq domain host DNSSERVER
access-list 101 permit tcp any eq domain host DNSSERVER

Reply to
Walter Roberson
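A small model of the point made in the two replies above, added here as an illustration and not part of the thread: it evaluates constructed inbound packets against the original "permit udp any any eq domain" ACE and against the suggested "permit udp any eq domain host DNSSERVER" ACE. It assumes DNSSERVER is the resolver's public address 69.71.225.59 (one of the hosts in the posted ACL); the outside addresses and ports are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the inside resolver's public (NAT) address, standing in for
# the DNSSERVER placeholder used in the reply above.
DNSSERVER = "69.71.225.59"


@dataclass
class ACE:
    """One extended ACE: protocol, source, optional 'eq' source port,
    destination, optional 'eq' destination port."""
    proto: str
    src: str                 # "any" or a CIDR such as "69.71.225.59/32"
    sport: Optional[int]     # "eq <port>" on the source, or None
    dst: str
    dport: Optional[int]     # "eq <port>" on the destination, or None
    action: str = "permit"

    def matches(self, pkt: dict) -> bool:
        def addr_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto == pkt["proto"]
                and addr_ok(self.src, pkt["src"])
                and (self.sport is None or self.sport == pkt["sport"])
                and addr_ok(self.dst, pkt["dst"])
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# "permit udp any any eq domain": only packets *sent to* port 53 match,
# i.e. queries arriving from the outside.
original = [ACE("udp", "any", None, "any", 53)]
# "permit udp any eq domain host DNSSERVER": packets *from* port 53 back
# to the resolver, i.e. answers to the resolver's own outbound queries.
corrected = [ACE("udp", "any", 53, DNSSERVER + "/32", None)]

# Constructed packets as seen inbound on the WAN (multilink) interface.
query_in = {"proto": "udp", "src": "198.51.100.10", "sport": 40000,
            "dst": DNSSERVER, "dport": 53}          # outsider querying us
response_in = {"proto": "udp", "src": "198.51.100.53", "sport": 53,
               "dst": DNSSERVER, "dport": 51234}    # answer to our query
```

Running evaluate() over both lists shows the original ACE permits the inbound query but drops the response to the resolver's own lookups, which is exactly the symptom in the first post.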

Although this doesn't relate to your original question (answered by another poster), you might consider consolidating the block of ACEs above with the following:

access-list 101 permit tcp any host 69.71.225.57 range 2000 2009

Depending on your IOS release, you may be able to specify "non-contiguous" ports in the same ACE. The block of ACEs above could be represented as:

access-list 101 permit tcp any host 69.71.225.57 eq 2100 2103 11057 ftp-data

Note: I have not actually tried this with a "numbered" ACL, but I am using it in my named ACLs.

The feature is called: "Named ACL Support for Noncontiguous Ports on an Access Control Entry"

Best Regards, News Reader

Reply to
News Reader

That is very nice - thanks.

Reply to
Bod43

Aside from your original query, here is a tip: Consolidate multiple lines of your access-list like this:

access-list 101 permit tcp any host 69.71.225.57 range 2000 2009

and

access-list 101 permit tcp any 69.71.225.50 0.0.0.1 eq 3389
access-list 101 permit tcp any host 69.71.225.52 eq 3389

-----

Scott Perry Indianapolis, IN

-----

Reply to
Scott Perry
