ACL

saquib.tandel
Level 1

Hi

I got ACL issue,

Restricting subnet 192.168.1.0/24 to access DNS server 192.99.99.12 on port 53 only doesn't work

But if I allow as host it works.

Config

Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out

ip access-list extended DNS

permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12

deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255

permit ip any any

5 Replies

Ganesh Hariharan
VIP Alumni

Hi,

You want 192.168.1.0/24 to be denied access to 192.99.99.12? Then try this ACL and apply it in the "in" direction on interface vlan 99:

ip access-list extended deny DNS

deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

permit ip any any

interface vlan 99

ip access-group DNS in

Hope to help!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh,

did you mean

ip access-list extended DNS

deny udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

deny tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain

permit ip any any

?

BR,

Milan

My mistake in the initial post, I was looking to get a solution for

Allow Subnet 192.168.1.0 0.0.0.255 to perform DNS query only on DNS Server 192.99.99.12

What I tested and didn't work

ip access-list extended DNS

permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255

permit ip any any

Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out

----------------------------------------------------------------------------

What works

Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out


ip access-list extended DNS

permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12

deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255

permit ip any any

Here the risk is that everything is allowed to the DNS server.

--------------------------

Can someone help me understand why it's not working?

DNS, by default, is UDP.

Try:

ip access-list extended DNS

permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53

deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255

permit ip any any

Interface Vlan 99

ip address 192.168.1.1 255.255.255.0

ip access-group DNS in
ip access-group DNS out
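As an added illustration (my own code, not from anyone in this thread): a small Python model of Cisco extended-ACL first-match evaluation, run against the ACL the poster tested and a tightened variant I constructed that denies everything but DNS to the server. It shows that a UDP query only gets through the tested ACL via the final "permit ip any any", which is also why any other traffic to the server is allowed. The model assumes inbound evaluation only (the "out" copy on the VLAN sees return traffic with reversed addresses) and supports only "eq <port|domain>" port matching.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def _parse_addr(t, i):
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2          # network + wildcard mask

def parse_ace(line):
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":         # only 'eq <port|domain>' is modelled
        dport = 53 if t[i + 1] == "domain" else int(t[i + 1])
    return t[0], t[1], src, dst, dport      # action, protocol, src, dst, dport

def evaluate(acl, pkt):
    """Return (action, matching line number); first match wins, implicit deny at the end."""
    for n, line in enumerate(acl, 1):
        action, proto, src, dst, dport = parse_ace(line)
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, n
    return "deny", None

# The ACL the poster tested (from the thread) and a tightened one (my addition).
TESTED = ["permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53",
          "deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255",
          "permit ip any any"]
TIGHTENED = ["permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53",
             "permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53",
             "deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12",
             "deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255",
             "permit ip any any"]
# Constructed sample packets: a UDP DNS query and an HTTP request to the DNS server.
DNS_QUERY = Packet("udp", "192.168.1.50", "192.99.99.12", 53)
HTTP_TO_DNS = Packet("tcp", "192.168.1.50", "192.99.99.12", 80)
```

Under TESTED both packets are permitted by line 3, which is the "everything is allowed" risk the poster noticed; under TIGHTENED the query matches line 1 and the HTTP request is denied by line 3.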

Hi

This was tested before but didn't help.

I'm gonna upgrade the IOS and see.

current IOS is 12.3
