ACLs not working for ping/dns and other router operations

Unanswered Question
Apr 17th, 2009

I have an 1800 series router configured with reflexive ACLs that is working just fine for traffic passing between the internal and external interfaces.


The issue I'm having is that if I ping or use DNS from the IOS command line, the traffic doesn't appear to get added to the reflexive ACL for the inbound interface. It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?


If I just put permit ip any any on the inbound ACL, everything works, but that defeats the purpose of my original reflexive ACL.


Thanks, Simon

Jon Marshall Fri, 04/17/2009 - 10:29

Simon


"It's as if traffic from IOS itself bypasses by outbound ACL. How do I resolve this?"


This is exactly what happens, i.e. an outbound ACL has no effect on traffic originated by the router. This is normal behaviour, so you don't really resolve it.


Jon

Richard Burts Fri, 04/17/2009 - 10:38

Simon


In fact packets generated by the router itself do bypass outbound access lists. I have not been in this particular situation, so I do not have any solution from experience. But it seems to me that you certainly do not want permit ip any any, but perhaps you can develop a list of the things that you do send from the router and put in permits for that specific traffic to that specific destination address. Or perhaps you might put in:

permit ip any host

which would permit only things addressed to the router interface.


HTH


Rick

simonwynn Fri, 04/17/2009 - 10:59
Yes, I plan on constructing ACLs for the specific things I need, mainly DNS. The issue with an ACL for the outside interface is that it's a DHCP enabled WAN port so I don't have the IP address as a constant value.


So for DNS it has to be:

permit udp host eq domain any


Simon
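Pulling the thread's points together, as an added example that is not from any of the posters: a reflexive ACL pair for a DHCP-addressed WAN port, with static permits in the inbound list for the replies to traffic the router itself originates. Because router-generated packets never pass through the outbound ACL, they are never reflected, so their replies must be allowed explicitly before the evaluate statement. The interface name FastEthernet0 and the DNS server address 203.0.113.53 are assumed placeholders.

```cisco
! Added example: reflexive ACLs plus static permits for router-originated traffic.
! 203.0.113.53 is a placeholder for the DNS server the router is configured to use.

ip access-list extended OUTBOUND
 remark Reflect LAN-originated transit traffic only; router-originated
 remark packets do not pass through this list and are never reflected
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 60
 permit icmp any any reflect REFLECTED timeout 30

ip access-list extended INBOUND
 remark --- replies to traffic the router itself sends (not reflected) ---
 remark DNS answers to the router's own lookups; WAN address is dynamic,
 remark so the destination has to be any rather than host <wan-ip>
 permit udp host 203.0.113.53 eq domain any
 remark replies to ping and traceroute run from the IOS CLI
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark DHCP lease renewals for the WAN address
 permit udp any eq bootps any eq bootpc
 remark --- reflected transit traffic ---
 evaluate REFLECTED
 deny ip any any log

interface FastEthernet0
 description WAN (DHCP client)
 ip address dhcp
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

To check it, ping something from the CLI and then look at show ip access-lists INBOUND: the echo-reply entry picks up the match, while show ip access-lists REFLECTED lists dynamic entries only for flows that came from the LAN. The DNS line is the one to keep tight: it admits any UDP packet with source port 53 from that server to any inside address, so scope it to the actual resolver rather than any, and drop it if the router stops using that server.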
