return traffic acl issues

Unanswered Question
Jul 1st, 2007

I have a 1721 router at home as my gateway to the internet and firewall, running fw ios 12.3.22. i have 5 static ips and currently using 2 internal networks each one on a different public ip. i have overloaded nat set up and the actual ip on the internet facing interface is in the middle of my range and at the moment not in use. the problem im having is return udp traffic. I do not want to permit everything inbound on the wan side so i set up an access list to allow the inbound traffic i needed and return udp traffic. The problem so far has been DNS. When i looked at the logged blocks it looks like the return dns traffic is going to a different port then 53. I am guessing this is due to the natting but i do not know what the best way to get around this is. i have the permit any any eq 53 but because the retrun traffic seems to be coming in on a different port.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ryancolson Sun, 07/01/2007 - 19:55

i have a line in there

access-list 101 permit udp any any eq 53

I had the denied traffic loged and the dest. port on the return dns querys wasnt port 53

ryancolson Mon, 07/02/2007 - 05:11

so the acl for any return udp traffic would be

permit udp any eq any?

acomiskey Mon, 07/02/2007 - 05:26

Yes, palomoj has this right. The return traffic would have a source port of 53 and a destination port of any.

ryancolson Mon, 07/02/2007 - 05:29

Thank you very much. I am still kinda new at this and i really appreciate you guys helping me out. Also just out of curiosity is their any way to make all blocked ports not respond instead of responding as closed or blocked(to stealth them)


This Discussion