Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
482
Views
0
Helpful
4
Replies

ACLs not working for ping/dns and other router operations

simonwynn
Level 1
Level 1

‎04-17-2009 10:26 AM - edited ‎03-06-2019 05:15 AM

I have an 1800 series router configured with reflexive ACLs that is working just fine for traffic passing between the internal and external interfaces.

The issue I'm having is that if I ping or use DNS from the ios command line, the traffic doesn't appear to get added to the reflexive ACL for the inbound interface. It's as if traffic from IOS itself bypasses by outbound ACL. How do I resolve this?

if I just put permit ip any any on the inbound ACL, everything works, but that defeats the purpose of my original relexive ACL.

thanks, Simon

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎04-17-2009 10:29 AM

Simon

"It's as if traffic from IOS itself bypasses by outbound ACL. How do I resolve this?"

This is exactly what happens ie. an outbound acl has no effect on traffic orginated by the router. This is normal behaviour so you don't really resolve it.

Jon

0 Helpful

simonwynn
Level 1
Level 1
In response to Jon Marshall

‎04-17-2009 10:31 AM

Ok, thanks - saved me a lot of time.

Simon

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame

‎04-17-2009 10:38 AM

Simon

In fact packets generated by the router itself do bypass outbound access lists. I have not been in this particular situation, so I do not have any solution from experience. But it seems to me that you certainly do not want permit ip any any, but perhaps you can develop a list of the things that you do send from the router and put in permits for that specific traffic to that specific destination address. Or perhaps you might put in:

permit ip any host

which would permit only things addressed to the router interface.

HTH

Rick

HTH

Rick
0 Helpful

simonwynn
Level 1
Level 1
In response to Richard Burts

‎04-17-2009 10:59 AM

Yes, I plan on constructing ACLs for the specific things I need, mainly DNS. The issue with an ACL for the outside interface is that it's a DHCP enabled WAN port so I don't have the IP address as a constant value.

so for DNS is has to be:

permit udp host eq domain any

Simon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card