07-09-2009 07:41 AM - edited 03-11-2019 08:53 AM
Can someone explain to me what the difference in the following 2 ACLs are :
access-list outside_acl extended permit udp any any eq 4500
access-list outside_acl extended permit udp any eq domain any
This is the access-list applied to my outside interface. (in interface outside)
The "domain" entry is one that I inherited and is the only one formatted SOURCE PROTOCOL DESTINATION
All others are formatted SOURCE DESTINATION PROTOCOL
I have googled this till I'm blue in the clicker and I see lots of reference to the exact same entry but no one ever explains exactly "what it does" or why it is "formatted" like that.
Thanks in advance for the assistance...
07-09-2009 08:10 AM
The difference is:-
access-list outside_acl extended permit udp any any eq 4500 - allows any source to any destination, as long as the destination UDP port equals 4500
access-list outside_acl extended permit udp any eq domain any - allows any source to any destination as long as the source UDP port is 53
HTH
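To make the position of the port operator concrete, here is an added example (not part of this thread or of any Cisco tooling) that parses the two ACEs from the question and evaluates test packets against them. It handles only the `extended ... eq` form shown above (no `gt`/`lt`/`range`, no object groups), and the addresses and ports in the test packets are constructed documentation-range values.

```python
"""Interpret ASA/PIX extended ACEs of the kind quoted in the thread and test
packets against them. Added example; only the 'eq' port operator is handled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the ASA port-name keywords (the thread uses "domain" = 53).
SERVICE_NAMES = {"domain": 53, "isakmp": 500, "ntp": 123, "snmp": 161, "tftp": 69}


@dataclass
class Ace:
    acl: str
    action: str               # "permit" or "deny"
    proto: str                # "udp", "tcp", "ip", ...
    src: ipaddress.IPv4Network
    sport: Optional[int]      # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]      # None = any destination port


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq <name|number>' operator starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (SERVICE_NAMES[p] if p in SERVICE_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    i = 5
    src, i = _addr(tok, i)
    sport, i = _port(tok, i)   # a port right after the source is a SOURCE port
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)   # a port right after the destination is a DESTINATION port
    return Ace(tok[1], tok[3], tok[4], src, sport, dst, dport)


def describe(ace):
    s = "any source port" if ace.sport is None else f"source port {ace.sport}"
    d = "any destination port" if ace.dport is None else f"destination port {ace.dport}"
    return f"{ace.action} {ace.proto} {ace.src} ({s}) -> {ace.dst} ({d})"


def matches(ace, proto, src_ip, sport, dst_ip, dport):
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace.src
            and ipaddress.ip_address(dst_ip) in ace.dst
            and (ace.sport is None or ace.sport == sport)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace.action
    return "deny"


OUTSIDE_ACL = [parse_ace(l) for l in (
    "access-list outside_acl extended permit udp any any eq 4500",
    "access-list outside_acl extended permit udp any eq domain any",
)]

if __name__ == "__main__":
    for ace in OUTSIDE_ACL:
        print(describe(ace))
    # Constructed inbound packets: Internet host 198.51.100.7 -> inside host 203.0.113.10
    print(evaluate(OUTSIDE_ACL, "udp", "198.51.100.7", 40000, "203.0.113.10", 4500))  # permit (line 1)
    print(evaluate(OUTSIDE_ACL, "udp", "198.51.100.7", 53, "203.0.113.10", 4444))     # permit (line 2)
    print(evaluate(OUTSIDE_ACL, "udp", "198.51.100.7", 40000, "203.0.113.10", 53))    # deny
```

The second evaluation is the point to notice from a hardening perspective: because the `domain` line constrains only the source port and leaves the destination as `any`, any inbound UDP datagram whose source port happens to be 53 is permitted to any inside address and port. The third shows the converse: a query actually destined for port 53 does not match that line at all.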
07-09-2009 09:49 AM
That is exactly what I was looking for. One more question. Still not sure why the DNS entry would be on my outside interface as I can think of no reason why someone coming in from outside would need this access.
We do have local DNS on a box inside and our main DNS is provided by ISP.
Any good reason you can think of for having this entry?
Thanks again....
07-09-2009 10:14 AM
Lonnie
"Any good reason you can think of for having this entry?"
If you are not hosting a DNS server internally that answers requests from the Internet then no, I can't see a good reason. Even if you were you would expect the destination to be tied down to at least just your DNS servers.
As UDP is pseudo-stateful on the PIX, i.e. a timer is used, then any connections initiated from the inside would not need a line in the outside ACL.
Perhaps the previous admin was trying to get something working, tried that line and forgot to take it out. Surprising how often that happens :-)
Jon
07-09-2009 11:35 AM
Thanks much for the confirmation on my suspicion...think I'll remove and see what happens. Cheers