Can you guys please help me understand why the line
permit udp any eq domain host 220.127.116.11
which is part of the ACL applied to the outside interface in the IN direction allows my internal users to properly browse the internet sites by name?
If I don't have this statement, my internal users can't resolve anything by name. We use public DNS servers in our PCs' TCP/IP settings like 18.104.22.168
I'm confused because everything outbound is allowed in my network and I know that when we browse to a site, for example google.com, the internal host places a DNS query to its DNS server, in this case 22.214.171.124 which is a public DNS server. So, the internal host sends out this query to port 53 to the public DNS, and because it is outbound traffic, it is allowed and thus should not be asking for that statement to work... this is why I'm confused.
Also, as far as I understand, returned traffic for a connection that originated on the inside is also allowed by this statement
permit tcp any any established
This is why I get even more confused, but there must be something I am missing with regards to DNS resolution.
Any help or links that can help me understand this?
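An added illustration, not from the original post, modelling how a stateless interface ACL evaluates the reply traffic that arrives inbound on the outside interface. It assumes the IOS behaviour that the `established` keyword matches only TCP segments with the ACK or RST bit set, and it assumes 220.127.116.11 is the address the inside client is seen as from the outside (the post does not say what that host is).

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST bit set; has no meaning for UDP

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: str = "any"                # "any" or a single host address
    sport: Optional[int] = None     # "eq <port>" on the source, None = any
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False       # only meaningful for proto == "tcp"

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # "established" is checked per packet against TCP flags; a UDP datagram has none.
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL

INSIDE = "220.127.116.11"   # assumed: the inside client as seen from outside
# Constructed replies arriving inbound on the outside interface.
DNS_REPLY = Packet("udp", "18.104.22.168", 53, INSIDE, 40123)
HTTP_REPLY = Packet("tcp", "203.0.113.10", 80, INSIDE, 51000, ack=True)
ESTABLISHED_ONLY = [Ace("permit", "tcp", established=True)]
WITH_DNS = [Ace("permit", "udp", sport=53, dst=INSIDE)] + ESTABLISHED_ONLY
```

With only the `established` entry, the TCP reply from the web server is permitted but the UDP DNS reply falls through to the implicit deny; the explicit `permit udp any eq domain host ...` entry is what lets the DNS answer back in.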