08-04-2010 01:29 AM - edited 03-04-2019 09:18 AM
Hi
I've got an ACL issue.
Restricting subnet 192.168.1.0/24 to access DNS server 192.99.99.12 on port 53 only doesn't work,
but if I allow it as a host it works.
Config
Interface Vlan 99
ip address 192.168.1.1 255.255.255.0
ip access-group DNS in
ip access-group DNS out
ip access-list extended DNS
permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any
08-04-2010 02:25 AM
Hi,
You want 192.168.1.0/24 to be denied access to 192.99.99.12, then try this ACL and apply it in the in direction on interface vlan99:
ip access-list extended deny DNS
deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
permit ip any any
interface vlan 99
ip access-group DNS in
Hope this helps!!
Ganesh.H
Remember to rate the helpful post
08-04-2010 05:02 AM
Hi Ganesh,
did you mean
ip access-list extended DNS
deny udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
deny tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
permit ip any any
?
BR,
Milan
08-04-2010 02:11 PM
My mistake in the initial post, I was looking to get a solution for:
Allow subnet 192.168.1.0 0.0.0.255 to perform DNS queries only on DNS server 192.99.99.12
What I tested and didn't work:
ip access-list extended DNS
permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any
Interface Vlan 99
ip address 192.168.1.1 255.255.255.0
ip access-group DNS in
ip access-group DNS out
----------------------------------------------------------------------------
What works
Interface Vlan 99
ip address 192.168.1.1 255.255.255.0
ip access-group DNS in
ip access-group DNS out
ip access-list extended DNS
permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any
Here the risk is that everything is allowed to the DNS server.
--------------------------
Can someone help me understand why it's not working?
08-04-2010 02:12 PM
DNS, by default, is UDP.
Try:
ip access-list extended DNS
permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any
Interface Vlan 99
ip address 192.168.1.1 255.255.255.0
ip access-group DNS in
ip access-group DNS out
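An added example, not from any poster in this thread, that walks the posted ACLs the way IOS evaluates them: first match wins, an `eq` port only applies to the protocol named on that line, and the ACL that was tested lets a UDP query fall through to the catch-all permit. The RESTRICTED_ACL entries are a constructed alternative for the stated goal (port 53 only to the DNS server), not something from the thread.

```python
import ipaddress
# Added example (not from the thread): first-match evaluator for Cisco-style extended
# ACL lines ("ip"/"tcp"/"udp", "any", "host", wildcard masks, dest "eq <port|domain>").

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((base, wc), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    tokens = line.split()
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:  # "domain" is the IOS keyword for port 53
        dport = 53 if rest[1] == "domain" else int(rest[1])
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": dport, "text": line}

def evaluate(acl_text, proto, src, dst, dport):
    """Return (action, matched line): first match wins, implicit deny at the end."""
    for ace in map(parse_ace, acl_text.strip().splitlines()):
        if ace["proto"] not in ("ip", proto):
            continue  # a "permit tcp" line never sees a UDP DNS query
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

# The posted ACL: a UDP query skips the TCP-only line and lands on "permit ip any any".
TESTED_ACL = """permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any"""
# Constructed alternative: only port 53 (UDP+TCP) to the DNS server, deny the rest to it.
RESTRICTED_ACL = """permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
permit ip any any"""
```

Note that both ACLs only describe the inbound direction on Vlan 99; return packets from the server (source 192.99.99.12) never match the subnet-sourced lines when the same ACL is applied outbound.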
08-04-2010 10:31 PM
Hi
This was tested before but didn't help.
I'm gonna upgrade the IOS and see.
Current IOS is 12.3.