ACLs not working for ping/dns and other router operations

Unanswered Question
Apr 17th, 2009

I have an 1800 series router configured with reflexive ACLs that is working just fine for traffic passing between the internal and external interfaces.

The issue I'm having is that if I ping or use DNS from the IOS command line, the traffic doesn't appear to get added to the reflexive ACL for the inbound interface. It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?

If I just put permit ip any any on the inbound ACL, everything works, but that defeats the purpose of my original reflexive ACL.

thanks, Simon

Jon Marshall Fri, 04/17/2009 - 10:29

Simon

"It's as if traffic from IOS itself bypasses by outbound ACL. How do I resolve this?"

This is exactly what happens, i.e. an outbound ACL has no effect on traffic originated by the router. This is normal behaviour, so you don't really resolve it.

Jon

Richard Burts Fri, 04/17/2009 - 10:38

Simon

In fact packets generated by the router itself do bypass outbound access lists. I have not been in this particular situation, so I do not have any solution from experience. But it seems to me that you certainly do not want permit ip any any, but perhaps you can develop a list of the things that you do send from the router and put in permits for that specific traffic to that specific destination address. Or perhaps you might put in:

permit ip any host

which would permit only things addressed to the router interface.

HTH

Rick

simonwynn Fri, 04/17/2009 - 10:59

Yes, I plan on constructing ACLs for the specific things I need, mainly DNS. The issue with an ACL for the outside interface is that it's a DHCP enabled WAN port so I don't have the IP address as a constant value.

So for DNS it has to be:

permit udp host eq domain any

Simon
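A configuration sketch of the approach Rick and Simon converge on, added here as an illustration and not taken from the thread: reflexive entries for transit traffic, plus narrow explicit permits on the inbound list for replies to traffic the router itself originates. ACL names, the reflexive list name RFLX, the interface FastEthernet0 and the resolver address 192.0.2.53 are assumed placeholders.

```cisco
! Assumed names and addresses (not from the thread): ACL names
! OUTBOUND-ACL / INBOUND-ACL, reflexive list RFLX, WAN interface
! FastEthernet0, and 192.0.2.53 as the resolver the router queries.
ip name-server 192.0.2.53
!
! Outbound list: traffic passing THROUGH the router creates RFLX
! entries. Packets the router originates (CLI ping, DNS lookups)
! never traverse this list, so they create no reflexive entries.
ip access-list extended OUTBOUND-ACL
 permit tcp any any reflect RFLX timeout 300
 permit udp any any reflect RFLX timeout 60
 permit icmp any any reflect RFLX timeout 60
!
! Inbound list: explicit permits for replies to router-originated
! traffic first, then the reflexive evaluate, then an explicit deny.
ip access-list extended INBOUND-ACL
 ! DNS answers from the configured resolver. Destination is "any"
 ! because the WAN address is DHCP-assigned and not a constant.
 permit udp host 192.0.2.53 eq domain any
 ! Replies to pings run from the IOS CLI.
 permit icmp any any echo-reply
 ! DHCP offers/acks for the DHCP-client WAN port (assumed to be
 ! needed here; drop it if the interface already obtains a lease).
 permit udp any eq bootps any eq bootpc
 ! Return traffic for sessions that went through the router.
 evaluate RFLX
 deny ip any any log
!
interface FastEthernet0
 ip address dhcp
 ip access-group INBOUND-ACL in
 ip access-group OUTBOUND-ACL out
!
! Verification: RFLX should show entries only for transit sessions,
! never for CLI pings or lookups; the logged denies on INBOUND-ACL
! show what router-originated traffic still lacks a permit.
! show access-lists RFLX
! show ip access-lists INBOUND-ACL
```

Keep the explicit permits as narrow as the DHCP-assigned address allows (fixed source host and port), since each one is reachable without any prior outbound session.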
