PIX ACL Question (v7.2)

nagel
Level 1

Can someone explain to me what the difference between the following 2 ACLs is:

access-list outside_acl extended permit udp any any eq 4500

access-list outside_acl extended permit udp any eq domain any

This is the access-list applied to my outside interface. (in interface outside)

The "domain" entry is one that I inherited and is the only one formatted SOURCE PROTOCOL DESTINATION

All others are formatted SOURCE DESTINATION PROTOCOL

I have googled this till I'm blue in the clicker and I see lots of reference to the exact same entry but no one ever explains exactly "what it does" or why it is "formatted" like that.

Thanks in advance for the assistance...

Accepted Solution

andrew.prince
Level 10

The difference is:

access-list outside_acl extended permit udp any any eq 4500 - allows any source to any destination, as long as the destination UDP port equals 4500

access-list outside_acl extended permit udp any eq domain any - allows any source to any destination as long as the source UDP port is 53

HTH
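An added illustration (not from the thread) of how the PIX reads these two lines: a port operator that follows the source address belongs to the source, so "eq domain" on the inherited line is a source port, and the destination side is left wide open. Python; it assumes only "any" or "host A.B.C.D" addresses and the "eq" operator, and the packets and addresses are constructed for the demo.

```python
import ipaddress

PORT_NAMES = {"domain": 53}  # named port used on this page (constructed subset of the PIX table)

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (spec, remaining tokens)."""
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    return tokens[0], tokens[1:]

def _port(tokens):
    """Consume an optional 'eq <port>' (the only operator used on this page); None = any port."""
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'.
    An 'eq' directly after the source address is a SOURCE port; only an 'eq'
    after the destination address is a destination port."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    src, rest = _addr(t[5:])
    src_port, rest = _port(rest)
    dst, rest = _addr(rest)
    dst_port, _ = _port(rest)
    return {"action": t[3], "proto": t[4], "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port}

def _in(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def acl_decision(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE wins; anything unmatched hits the PIX's implicit deny."""
    for a in acl:
        if (a["proto"] == proto and _in(a["src"], src_ip) and _in(a["dst"], dst_ip)
                and a["src_port"] in (None, src_port) and a["dst_port"] in (None, dst_port)):
            return a["action"]
    return "deny"

# The two lines from the question, parsed into structured ACEs.
OUTSIDE_ACL = [parse_ace(l) for l in (
    "access-list outside_acl extended permit udp any any eq 4500",
    "access-list outside_acl extended permit udp any eq domain any")]

if __name__ == "__main__":  # constructed packets, documentation addresses
    print(acl_decision(OUTSIDE_ACL, "udp", "203.0.113.9", 40000, "192.0.2.10", 4500))  # permit: dst port 4500
    print(acl_decision(OUTSIDE_ACL, "udp", "203.0.113.9", 40000, "192.0.2.10", 53))    # deny: 'eq domain' is a source port
    print(acl_decision(OUTSIDE_ACL, "udp", "203.0.113.9", 53, "192.0.2.10", 3389))     # permit: any inside port if src port 53
```

The third packet is the point: with the inherited line in place, anything arriving from UDP source port 53 reaches any inside host on any UDP port, which is why a line like this should at least be pinned to a specific destination host.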


4 Replies


That is exactly what I was looking for. One more question. Still not sure why the DNS entry would be on my outside interface as I can think of no reason why someone coming in from outside would need this access.

We do have local DNS on a box inside and our main DNS is provided by the ISP.

Any good reason you can think of for having this entry?

Thanks again....

Lonnie

"Any good reason you can think of for having this entry?"

If you are not hosting a DNS server internally that answers requests from the Internet then no, I can't see a good reason. Even if you were, you would expect the destination to be tied down to at least just your DNS servers.

As UDP is pseudo-stateful on the PIX, i.e. a timer is used, any connections initiated from the inside would not need a line in the outside ACL.

Perhaps the previous admin was trying to get something working, tried that line and forgot to take it out. Surprising how often that happens :-)

Jon

Thanks much for the confirmation of my suspicion... think I'll remove it and see what happens. Cheers
