ACL

Unanswered Question
Aug 4th, 2010

Hi

I've got an ACL issue.

Restricting subnet 192.168.1.0/24 to accessing DNS server 192.99.99.12 on port 53 only doesn't work.

But if I allow it as a host, it works.

Config

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

ip access-list extended DNS
 permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Ganesh Hariharan Wed, 08/04/2010 - 02:25

Hi,

If you want 192.168.1.0/24 to be denied access to 192.99.99.12, then try this ACL and apply it in the in direction on interface vlan99:

ip access-list extended deny DNS
 deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 permit ip any any

interface vlan 99
 ip access-group DNS in

Hope to help!!

Ganesh.H

Remember to rate the helpful post

milan.kulik Wed, 08/04/2010 - 05:02

Hi Ganesh,

did you mean

ip access-list extended DNS
 deny udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 deny tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 permit ip any any

?

BR,

Milan

saquib.tandel Wed, 08/04/2010 - 14:11

My mistake in the initial post; I was looking to get a solution for:

Allow subnet 192.168.1.0 0.0.0.255 to perform DNS queries only on DNS server 192.99.99.12

What I tested and didn't work:

ip access-list extended DNS
 permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

----------------------------------------------------------------------------

What works:

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

ip access-list extended DNS
 permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Here the risk is that everything is allowed to the DNS server.

--------------------------

Can someone help me understand why it's not working?

tprendergast Wed, 08/04/2010 - 14:12

DNS, by default, is UDP.

Try:

ip access-list extended DNS
 permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out
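To see what each ACL shape in this thread actually does to a DNS query, here is an added Python model (not code from the thread or from Cisco) of IOS extended-ACL evaluation: top-down first match, wildcard masks, and the implicit deny at the end. The first two ACLs are the ones posted above; the `DNS_ONLY` list is an assumed shape for "DNS queries only" (the extra `deny ip ... host 192.99.99.12` before the catch-all is what the posted ACLs lack), and the packets are constructed samples. It also refuses `eq` on a plain `ip` entry, as IOS does and as Milan pointed out.

```python
import ipaddress
from typing import NamedTuple
# A packet as the ACL sees it (constructed model; dport is 0 when not tcp/udp)
Packet = NamedTuple("Packet", [("proto", str), ("src", str), ("dst", str), ("dport", int)])

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must equal the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line: str):
    """Parse the ACE subset used in the thread: <permit|deny> <proto> <src> <dst> [eq <port|domain>]."""
    tok, i = line.split(), 2
    action, proto = tok[0], tok[1]
    def address():                      # 'any', 'host A', or 'A WILDCARD'
        nonlocal i
        if tok[i] == "any":
            i += 1; return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2; return tok[i - 1], "0.0.0.0"
        i += 2; return tok[i - 2], tok[i - 1]
    src, dst, port = address(), address(), None
    if i < len(tok) and tok[i] == "eq":
        if proto not in ("tcp", "udp"):  # IOS rejects 'eq' on a plain 'ip' entry
            raise ValueError(f"'eq' needs tcp or udp, not '{proto}': {line}")
        port = 53 if tok[i + 1] == "domain" else int(tok[i + 1])
    return action, proto, src, dst, port
def evaluate(acl, pkt):
    """Top-down, first match wins; returns (action, matching line index), index None = implicit deny."""
    for idx, (action, proto, (s, sw), (d, dw), port) in enumerate(map(parse_ace, acl)):
        if (proto in ("ip", pkt.proto) and (port is None or pkt.dport == port)
                and wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)):
            return action, idx
    return "deny", None
# The thread's ACLs as lists of IOS lines
TCP_ONLY = ["permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53",
            "deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255",
            "permit ip any any"]
HOST_ANY = ["permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12"] + TCP_ONLY[1:]
# Assumed "DNS queries only" shape: permit udp/tcp 53, then deny all else to that host
DNS_ONLY = ["permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain",
            "permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain",
            "deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12"] + TCP_ONLY[1:]
# Constructed packets: a UDP query, SSH to the server, and the server's reply as the 'out' ACL sees it
UDP_QUERY = Packet("udp", "192.168.1.20", "192.99.99.12", 53)
SSH_TO_DNS = Packet("tcp", "192.168.1.20", "192.99.99.12", 22)
REPLY = Packet("udp", "192.99.99.12", "192.168.1.20", 40000)
```

Running it shows the TCP-only ACL permitting a UDP query through `permit ip any any` (line index 2) rather than through its DNS line, and the `permit ip ... host` ACL permitting SSH to the server, which is the risk noted above.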

saquib.tandel Wed, 08/04/2010 - 22:31

Hi

This was tested before but didn't help.

I'm gonna upgrade the IOS and see.

Current IOS is 12.3.
