Cisco Support Community
Community Member

PIX ACL Question (v7.2)

Can someone explain to me what the difference in the following 2 ACLs are :

access-list outside_acl extended permit udp any any eq 4500

access-list outside_acl extended permit udp any eq domain any

This is the access-list applied to my outside interface. (in interface outside)

The "domain" entry is one that I inherited and is the only one formatted SOURCE PROTOCOL DESTINATION

All others are formatted SOURCE DESTINATION PROTOCOL

I have googled this till I'm blue in the clicker and I see lots of reference to the exact same entry but no one ever explains exactly "what it does" or why it is "formatted" like that.

Thanks in advance for the assistance...

1 ACCEPTED SOLUTION

Re: PIX ACL Question (v7.2)

The difference is:-

access-list outside_acl extended permit udp any any eq 4500 - allows any source to any destination, as long as the destination UDP port equals 4500

access-list outside_acl extended permit udp any eq domain any - allows any source to any destination as long as the source UDP port is 53

HTH

4 REPLIES


Community Member

Re: PIX ACL Question (v7.2)

That is exactly what I was looking for. One more question. Still not sure why the DNS entry would be on my outside interface as I can think of no reason why someone coming in from outside would need this access.

We do have local DNS on a box inside, and our main DNS is provided by the ISP.

Any good reason you can think of for having this entry?

Thanks again....

Hall of Fame Super Blue

Re: PIX ACL Question (v7.2)

Lonnie

"Any good reason you can think of for having this entry?"

If you are not hosting a DNS server internally that answers requests from the Internet then no, I can't see a good reason. Even if you were, you would expect the destination to be tied down to at least just your DNS servers.

As UDP is pseudo-stateful on the PIX, i.e. a timer is used, any connections initiated from the inside would not need a line in the outside ACL.

Perhaps the previous admin was trying to get something working, tried that line and forgot to take it out. Surprising how often that happens :-)

Jon
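To make the two answers above concrete, here is an added example (not from the thread or from Cisco) that parses PIX/ASA-style extended ACL lines the way the two posters describe them, keeping the source-port and destination-port operators apart, and then evaluates constructed packets against the inherited ACL and against a tightened version of it. The 203.0.113.x and 198.51.100.x addresses, the SNMP probe packet, and the "tightened" ACL are hypothetical; the service-name table is only a subset of what the PIX accepts.

```python
"""Evaluate PIX/ASA-style extended ACL entries against sample UDP packets.

Added example: the parser and the packets are constructed for illustration;
only the two "access-list outside_acl ..." lines come from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the service names the PIX accepts in place of a numeric UDP port.
SERVICE_PORTS = {"domain": 53, "isakmp": 500, "ntp": 123, "snmp": 161, "syslog": 514}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")

PortSpec = Tuple[str, int, int]  # (operator, low, high)


@dataclass
class Ace:
    """One access control entry, with source and destination port specs kept apart."""
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[PortSpec]
    dst: ipaddress.IPv4Network
    dst_port: Optional[PortSpec]
    text: str


def _port(token: str) -> int:
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs take a normal subnet mask here, not an IOS wildcard mask.
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def _parse_port(tokens: List[str], i: int):
    """Parse an optional port operator at tokens[i]; returns (spec or None, next index)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    if op == "range":
        return (op, _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    p = _port(tokens[i + 1])
    return (op, p, p), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC [port-op] DST [port-op]'.

    A port operator that follows the *source* address restricts the source port;
    only an operator after the *destination* address restricts the destination
    port. That positional rule is the whole difference between the two lines.
    """
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    acl, action, proto = t[1], t[3], t[4]
    src, i = _parse_addr(t, 5)
    src_port, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(acl, action, proto, src, src_port, dst, dst_port, line)


def _port_matches(spec: Optional[PortSpec], port: int) -> bool:
    if spec is None:          # no operator on this side: any port matches
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def evaluate(aces: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int):
    """First-match evaluation, ending in the implicit deny every ACL has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if (s in ace.src and d in ace.dst and _port_matches(ace.src_port, src_port)
                and _port_matches(ace.dst_port, dst_port)):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The two lines quoted in the thread, in the order the poster listed them.
INHERITED_ACL = [parse_ace(l) for l in (
    "access-list outside_acl extended permit udp any any eq 4500",
    "access-list outside_acl extended permit udp any eq domain any",
)]

# Hypothetical replacement for a site that does host an Internet-facing DNS
# server (203.0.113.10 is a made-up address): the destination is tied down,
# and the source-port-53 line is gone.
TIGHTENED_ACL = [parse_ace(l) for l in (
    "access-list outside_acl extended permit udp any any eq 4500",
    "access-list outside_acl extended permit udp any host 203.0.113.10 eq domain",
)]

if __name__ == "__main__":
    # Constructed packets: a NAT-T peer, then a probe that simply sets its own
    # source port to 53 so the inherited line lets it reach UDP/161 inside.
    packets = (("198.51.100.7", 500, "203.0.113.10", 4500),
               ("198.51.100.7", 53, "203.0.113.20", 161),
               ("198.51.100.7", 1024, "203.0.113.20", 161))
    for name, acl in (("inherited", INHERITED_ACL), ("tightened", TIGHTENED_ACL)):
        for pkt in packets:
            print(name, pkt, evaluate(acl, "udp", *pkt))
```

The second packet is the point of the exercise: because the inherited line matches on the source port only, any host on the Internet can pick source port 53 and the ACL permits it to any internal UDP port. The tightened ACL permits only destination port 53 to the one host that should be answering queries, which is what the reply above recommends if a DNS server really must be reachable from outside.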

Community Member

Re: PIX ACL Question (v7.2)

Thanks much for the confirmation on my suspicion...think I'll remove and see what happens. Cheers
