ACL

Unanswered Question
Aug 4th, 2010

Hi


I've got an ACL issue,

Restricting subnet 192.168.1.0/24 to access DNS server 192.99.99.12 on port 53 only doesn't work.

But if I allow it as a host, it works.


Config


Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out


ip access-list extended DNS

permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12

deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
  permit ip any any

Ganesh Hariharan Wed, 08/04/2010 - 02:25

Hi,


You want 192.168.1.0/24 to be denied access to 192.99.99.12? Then try this ACL and apply it in the in direction on interface vlan99:


ip access-list extended deny DNS

deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

permit ip any any


interface vlan 99

ip access-group DNS in


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

milan.kulik Wed, 08/04/2010 - 05:02

Hi Ganesh,


Did you mean

ip access-list extended DNS

deny udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

deny tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

permit ip any any

?


BR,

Milan

saquib.tandel Wed, 08/04/2010 - 14:11

My mistake in the initial post; I was looking to get a solution for:


Allow subnet 192.168.1.0 0.0.0.255 to perform DNS queries only on DNS server 192.99.99.12.


What I tested and didn't work:


ip access-list extended DNS

permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
  permit ip any any


Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out


----------------------------------------------------------------------------


What works


Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out


ip access-list extended DNS

permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12

deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
  permit ip any any


Here the risk is that everything is allowed on the DNS server.



--------------------------


Can someone help me understand why it's not working?

tprendergast Wed, 08/04/2010 - 14:12

DNS, by default, is UDP.


Try:



ip access-list extended DNS

permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
  permit ip any any


Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out
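
As an added illustration (my own Python, not code from the thread or from Cisco IOS), a small first-match model of extended ACL evaluation with wildcard masks, used to check the ACL tprendergast proposes against the goal saquib.tandel stated: subnet 192.168.1.0/24 reaching 192.99.99.12 on port 53 only. The source host 192.168.1.20 and the destination 203.0.113.7 are constructed test values.

```python
import ipaddress

def _match(addr, net, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_ace(line):
    """'permit|deny PROTO SRC DST [eq PORT]' -> (action, proto, src, swc, dst, dwc, dport)."""
    tok = line.split()
    src, swc, rest = _addr(tok[2:])
    dst, dwc, rest = _addr(rest)
    dport = (53 if rest[1] == "domain" else int(rest[1])) if rest[:1] == ["eq"] else None
    return tok[0], tok[1], src, swc, dst, dwc, dport

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    for ace in acl:
        action, p, s, swc, d, dwc, dp = parse_ace(ace)
        if (p in ("ip", proto) and _match(src, s, swc) and _match(dst, d, dwc)
                and (dp is None or dp == dport)):
            return action
    return "deny"

SUBNET, DNS = "192.168.1.0 0.0.0.255", "host 192.99.99.12"
# The ACL suggested in the thread: DNS lines, the 10.10.10.0/23 deny, then permit any.
ACL_THREAD = [
    f"permit tcp {SUBNET} {DNS} eq 53",
    f"permit udp {SUBNET} {DNS} eq 53",
    f"deny ip {SUBNET} 10.10.10.0 0.0.1.255",
    "permit ip any any",
]
# Tightened variant (my addition, not from the thread): explicitly deny all other subnet-to-server traffic.
ACL_TIGHT = ACL_THREAD[:2] + [f"deny ip {SUBNET} {DNS}"] + ACL_THREAD[2:]

def dns_only_enforced(acl):
    """True if the subnet reaches the server on port 53 only (constructed test packets)."""
    query_ok = evaluate(acl, "udp", "192.168.1.20", "192.99.99.12", 53) == "permit"
    ssh_blocked = evaluate(acl, "tcp", "192.168.1.20", "192.99.99.12", 22) == "deny"
    elsewhere_ok = evaluate(acl, "tcp", "192.168.1.20", "203.0.113.7", 443) == "permit"
    return query_ok and ssh_blocked and elsewhere_ok
```

Because the thread's ACL ends in permit ip any any, the model shows it still passes non-DNS traffic from the subnet to the server, which is the risk saquib.tandel noted above; the tightened variant adds an explicit deny for that traffic before the final permit.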

saquib.tandel Wed, 08/04/2010 - 22:31

Hi


This was tested before but didn't help.

I'm gonna upgrade the IOS and see.


Current IOS is 12.3.
