Problem ACL on VLAN outb?

Unanswered Question
Mar 5th, 2008

We have a server in a vlan with an ACL outb out on it to permit traffic from outside the ACL to the server.



ip access-list extended vlan320-outb

permit tcp any x.x.x.x x.x.x.x established

permit tcp any host eq 80

deny ip any any log

interface Vlan320

ip access-group vlan320-outb out


This works from outside the www webpage is displayed.

However when the server wants to connect to the internet this does not work. When we ping the name cannot be resolved by our internal DNS server.

Inbound there is no rule (we tried inbound with permit ip any any) but this doesn't also work.

I think it has something to do with udp packets that traverse to the vlan that is blocked. So the query goes outbound to the dns server but the answer of the dns server is blocked by the ACL outb (vlan320-outb).

How can we solve this problem?

When I remove the ACL it works, also when i put a line permit ip any any on the bottom of the ACL (outb).



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Wed, 03/05/2008 - 08:36


Your understanding of the issue is exactly correct. Your access list has 2 permit conditions. And the UDP packets for DNS do not fit either of those conditions. So the DNS response is denied and dropped. You would fix this issue by adding a permit statement in the access list for DNS (which is UDP port 53).



MJonkers Fri, 03/07/2008 - 00:48

Hi Rick,

That's not gonna work because the returning port will not be udp 53 but a port somewhere greater then 1024. So I can solve this with permit udp any host x.x.x.x gt 1024 but ok this is not secure. So the only thing I can do to make it secure is to install a firewall because the firewall will track al ports and the associated host with this port.



Richard Burts Sat, 03/08/2008 - 10:38


In a DNS packet at least one port will be UDP 53. You are correct that usually the destination may be some high port. But the source port will be UDP 53. If you want to make it secure filter on the source port.




This Discussion