Cisco Support Community

New Member

cbac and dns requests

Can anyone tell me why my DNS requests on CBAC are not working? I allowed everything from inside out, but DNS requests are not allowed for some reason...


Building configuration...

Current configuration : 3265 bytes
!
! Last configuration change at 08:47:57 UTC Thu Jun 14 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname oecl
!
boot-start-marker
boot-end-marker
!
!
logging buffered 64000
enable secret 5 $1$kIPV$0ixUVG.EY10hIznM/HN5z/
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
!
!
!
aaa session-id common
!
!
no ipv6 source-route
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.28.3.1 10.28.3.2
ip dhcp excluded-address 10.28.4.1 10.28.4.2
!
ip dhcp pool OEC2al
network 10.28.3.0 255.255.255.0
default-router 10.28.3.1
dns-server 10.28.3.1
domain-name oec2al.co.uk
lease 5
!
ip dhcp pool Wellmax
network 10.28.4.0 255.255.255.0
default-router 10.28.4.1
dns-server 10.28.4.1
lease 5
!
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 4.2.2.5
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FCZ1605705Q
!
!
username admin secret 5 $1$L94s$LrPxn0IWRRu74KEQvlWIL/
!
redundancy
!
!
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 10.28.9.241 255.255.255.0
ip access-group 102 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
no cdp enable
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 10.28.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 10.28.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.28.9.251
!
access-list 5 remark -=VTY local access=-
access-list 5 permit 10.28.3.0 0.0.0.255
access-list 100 remark -=NAT access=-
access-list 100 permit ip 10.28.0.0 0.0.255.255 any
access-list 101 remark -=VTY access restriction=-
access-list 101 permit ip host 181.143.217.54 any
access-list 102 remark -=Local firewall=-
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip host 181.143.217.54 any
!
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 5 in
transport input ssh
!
scheduler allocate 20000 1000
end

4 REPLIES
Cisco Employee

cbac and dns requests

CBAC configuration looks ok. What DNS server are you using to resolve it? How do you know CBAC is blocking the DNS request?

New Member

cbac and dns requests

I have set up two public DNS servers; it works OK until I enable access-list 102. I solved this problem by adding the entry permit tcp any eq 53 any to ACL 102, but on a different router (also a 2911) everything was OK, and the CBAC and the config were similar. What could be wrong?

Cisco Employee

cbac and dns requests

TCP/53? Weird...

DNS requests normally use UDP/53, and zone transfers use TCP/53. Not sure why your DNS request is using TCP.

New Member

cbac and dns requests

My fault, of course UDP not TCP, but anyway without that entry my DNS is not working, and that is weird.
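To make the ACL side of this thread concrete, here is a small first-match evaluator for numbered extended ACL lines, added as an example; it is not part of the thread and not Cisco's code. It parses ACL 102 exactly as copied from the posted running-config, applies first-match semantics with the implicit deny, and checks two constructed packets: a UDP/53 reply from the configured name-server 8.8.8.8 to the WAN address 10.28.9.241, and an unrelated datagram that merely uses source port 53. It compares the poster's broad `permit udp any eq 53 any` entry (UDP, as corrected in the last reply) with a narrower alternative constructed here that admits only replies from the two `ip name-server` hosts. The packet values, the port-161 datagram and the narrower lines are assumptions; only the address and `eq` port forms that appear in the posted config are handled.

```python
# Added example (not from the thread or from Cisco): a first-match evaluator for
# numbered extended ACL lines like the ones posted above. Assumed: first match
# wins, implicit deny at the end, numeric 'eq' ports, contiguous wildcards only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"; only consulted for icmp

@dataclass
class Ace:
    action: str
    proto: str            # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard masks are not handled here")
    return ipaddress.ip_network((tok, 32 - bin(wildcard).count("1")), strict=False)

def _take_port(tokens: List[str]) -> Optional[int]:
    # Consume an optional 'eq <port>' qualifier.
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(config_lines: List[str], number: int) -> List[Ace]:
    """Collect the entries of one numbered ACL in order; remarks are skipped."""
    aces = []
    for line in config_lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or len(tokens) < 4 or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        icmp_type = rest.pop(0) if proto == "icmp" and rest else None
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type))
    return aces

def _matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))

def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny-implicit"

# ACL 102 exactly as it appears in the posted running-config.
ACL_102_POSTED = [
    "access-list 102 remark -=Local firewall=-",
    "access-list 102 permit icmp any any unreachable",
    "access-list 102 permit icmp any any time-exceeded",
    "access-list 102 permit icmp any any echo-reply",
    "access-list 102 permit ip host 181.143.217.54 any",
]
# The poster's fix (UDP, as corrected in the last reply) and a narrower
# alternative constructed here: replies from the two 'ip name-server' hosts only.
BROAD_FIX = ACL_102_POSTED + ["access-list 102 permit udp any eq 53 any"]
NARROW_FIX = ACL_102_POSTED + [
    "access-list 102 permit udp host 8.8.8.8 eq 53 host 10.28.9.241",
    "access-list 102 permit udp host 4.2.2.5 eq 53 host 10.28.9.241",
]
# Constructed packets: a DNS reply from 8.8.8.8 to the WAN address, and an
# unrelated datagram from an arbitrary host that merely uses source port 53.
DNS_REPLY = Packet("udp", "8.8.8.8", "10.28.9.241", sport=53, dport=50123)
SPORT53_TO_SNMP = Packet("udp", "203.0.113.9", "10.28.9.241", sport=53, dport=161)

def outcomes(acl_lines: List[str]) -> dict:
    """Evaluate both sample packets against one version of ACL 102."""
    aces = parse_acl(acl_lines, 102)
    return {"dns_reply": evaluate(aces, DNS_REPLY),
            "sport53_to_snmp": evaluate(aces, SPORT53_TO_SNMP)}
```

Calling `outcomes()` on the three lists shows the point: with ACL 102 as posted, the reply falls through to the implicit deny, because the list has no UDP entry at all; the broad fix permits it, but it equally permits any UDP datagram to any port on the router as long as the sender sets source port 53; the narrower entries permit only replies from the two configured name-servers. One thing worth verifying on the router itself: the posted config makes the router the clients' DNS server (`ip dns server`, and both DHCP pools hand out the router's own address as `dns-server`), so the queries to 8.8.8.8 and 4.2.2.5 are originated by the router. Classic CBAC inspection on an interface covers transit traffic; router-originated sessions are only inspected when the `ip inspect name` rule carries the `router-traffic` keyword, which the posted rules do not have, so for those replies ACL 102 decides on its own.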
