Problem ACL on VLAN outb?

Mar 5th, 2008

We have a server in a VLAN with an ACL (outb) applied outbound on it to permit traffic from outside to the server.


_________________________________________

example:

ip access-list extended vlan320-outb
 permit tcp any x.x.x.x x.x.x.x established
 permit tcp any host xxx.xxx.xxx.xxx eq 80
 deny ip any any log

interface Vlan320
 ip access-group vlan320-outb out

_________________________________________

This works: from outside, the www web page is displayed.

However, when the server wants to connect to the internet this does not work. When we ping http://www.microsoft.com, the name cannot be resolved by our internal DNS server.

Inbound there is no rule (we tried inbound with permit ip any any), but this doesn't work either.


I think it has something to do with the UDP packets that traverse to the VLAN being blocked. So the query goes outbound to the DNS server, but the DNS server's answer is blocked by the outbound ACL (vlan320-outb).

How can we solve this problem?


When I remove the ACL it works, and also when I put a line permit ip any any at the bottom of the ACL (outb).


Thx,


Marc



Richard Burts Wed, 03/05/2008 - 08:36

Marc


Your understanding of the issue is exactly correct. Your access list has 2 permit conditions. And the UDP packets for DNS do not fit either of those conditions. So the DNS response is denied and dropped. You would fix this issue by adding a permit statement in the access list for DNS (which is UDP port 53).


HTH


Rick

MJonkers Fri, 03/07/2008 - 00:48
Hi Rick,


That's not gonna work, because the returning port will not be UDP 53 but a port somewhere greater than 1024. So I can solve this with permit udp any host x.x.x.x gt 1024, but OK, this is not secure. So the only thing I can do to make it secure is to install a firewall, because the firewall will track all ports and the host associated with each port.


Thx


Marc

Richard Burts Sat, 03/08/2008 - 10:38
Marc


In a DNS packet at least one port will be UDP 53. You are correct that usually the destination may be some high port. But the source port will be UDP 53. If you want to make it secure filter on the source port.


HTH


Rick
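Two ways to put the advice in this thread into the outbound ACL, as an added example rather than the poster's or Rick's own config: option 1 is Rick's source-port filter, narrowed to the internal resolver; option 2 goes a step further than the thread and uses an IOS reflexive ACL so that replies are only permitted while the server has a matching session open. WEB_SERVER and DNS_SERVER are placeholders for the two addresses the thread masks out.

```cisco
! Added example, not the original poster's configuration.
! Placeholders: WEB_SERVER = the server in VLAN 320,
!               DNS_SERVER = the internal DNS server. Replace both before use.
!
! Option 1: permit DNS replies by source port (Rick's suggestion), but only
! from the internal resolver, so the "gt 1023" hole is as narrow as possible.
ip access-list extended vlan320-outb
 permit tcp any host WEB_SERVER established
 permit tcp any host WEB_SERVER eq 80
 permit udp host DNS_SERVER eq domain host WEB_SERVER gt 1023
 deny ip any any log
!
! Option 2: reflexive ACL. The inbound list records sessions the server
! opens; the outbound list lets in only the mirror-image replies while the
! session is active, so no standing "gt 1023" entry is needed.
! The inbound list keeps the original open inbound behaviour (permit ip at
! the end); it exists only to create the temporary reflect entries.
ip access-list extended vlan320-inb
 permit tcp host WEB_SERVER eq 80 any
 permit udp host WEB_SERVER host DNS_SERVER eq domain reflect dns-replies timeout 30
 permit tcp host WEB_SERVER any reflect tcp-replies
 permit ip host WEB_SERVER any
!
ip access-list extended vlan320-outb
 permit tcp any host WEB_SERVER eq 80
 evaluate dns-replies
 evaluate tcp-replies
 deny ip any any log
!
interface Vlan320
 ip access-group vlan320-inb in
 ip access-group vlan320-outb out
!
! Check: while the server resolves a name, "show ip access-lists" should show
! the hit count rising on the permit udp line (option 1), or a temporary entry
! under "Reflexive IP access list dns-replies" (option 2); the "deny ip any any
! log" line should stop logging the resolver's replies.
```

Option 1 is still a static hole for anything spoofing DNS_SERVER with source port 53; option 2 closes that, which is the point Marc was raising about a firewall tracking ports per host.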
