inbound access-list

jgadbois
Level 1

This is so stupid, I'm embarrassed to ask. I can't for the life of me figure out why this simple access list won't work!

interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in

access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any any echo-reply

When I try to ping a domain name, I get no reply. If I remove the access list, I can ping whatever I want. I know it's something simple, but I'm stumped!!!

HELP

Jim

8 Replies

steve.barlow
Level 7

I assume e0 is your inside/LAN interface. Therefore you should allow echo, not echo-reply (echo-reply would be right if the ACL were applied outbound). If it were your outside interface, allow echo-reply (if applied inbound) or echo (if the ACL were applied outbound).

Hope it helps.

Steve

Thanks for your reply. Yeah, the issue is not the echo/echo-reply. I can't seem to get a response allowed through for the DNS request. Preliminary troubleshooting shows that the response coming back from the DNS request is coming back on port 1044 and not on port 53 as was expected. This seems to happen if I'm connected to the internet or just testing in the shop. The return port (in this case 1044) may be different, but the overall result is the same. I was always led to believe that if the request went out as UDP port 53 and the response back was not TCP, I would get it back on port 53. That's what got me going.

By the way, if I allow port 1044 and the response to the DNS request is sent via port 1044, everything is OK.

Jim

When your local DNS server contacts the root server, it makes the request on port 53. However, the root server will respond on an upper random port. Here's how I deal with this in our network.

access-list 105 deny tcp any host 24.221.248.5 eq 22
access-list 105 deny tcp any host 24.221.248.5 eq telnet
access-list 105 permit ip any host 24.221.248.5

This will prevent people on the internet from accessing your DNS server, while keeping it open for DNS lookups to the root server. IMPORTANT: Be sure your DNS server is as secure as possible; don't run any services that are not absolutely necessary. The more ports you have open, the more vulnerable it is!

Thanks for your help!!!

Or you can add this

access-list 105 permit udp any eq domain 192.168.10.0 0.0.0.255

This will accept any source with UDP source port 53 to 192.168.10.0/24.

Travers

Thanks for your reply. I think my misunderstanding lies in that when you send a DNS request to the internet, the source port is something other than 53 (which is the destination port, of course). When a reply comes back, the source port will be 53 but the destination port will be whatever the workstation sent out. Simple, huh? But it took lots of debugging for me to get it! I guess I'm just slow.
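To make the source-port/destination-port point concrete, here is an added model of how a stateless extended ACL matches a DNS query and its UDP reply. It is not Cisco IOS code and is not from anyone in this thread; the evaluator, the workstation address 192.168.10.50 and the resolver address 198.51.100.53 are constructed for the example, and IOS wildcard masks are written as CIDR prefixes. It checks the original `permit udp any any eq domain` line, the port-1044 workaround from earlier in the thread, and Travers' `permit udp any eq domain 192.168.10.0 0.0.0.255` line against the same two packets.

```python
"""Constructed model of stateless extended-ACL matching for DNS over UDP.

Not Cisco code. Entry fields mirror the IOS syntax
    <action> <proto> <src> [eq <sport>] <dst> [eq <dport>]
so that "eq domain" before the destination applies to the SOURCE port and
"eq domain" after the destination applies to the DESTINATION port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DOMAIN = 53  # the "domain" keyword in IOS access lists


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str               # "any" or a CIDR prefix
    sport: Optional[int]   # None = no "eq" on the source side
    dst: str
    dport: Optional[int]   # None = no "eq" on the destination side


def in_prefix(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def matches(e: Entry, p: Packet) -> bool:
    return (
        e.proto in ("ip", p.proto)
        and in_prefix(e.src, p.src)
        and in_prefix(e.dst, p.dst)
        and (e.sport is None or e.sport == p.sport)
        and (e.dport is None or e.dport == p.dport)
    )


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed packets. The workstation picks an ephemeral source port
# (1044, as observed in the thread) and sends to destination port 53.
QUERY = Packet("udp", "192.168.10.50", 1044, "198.51.100.53", DOMAIN)
# The reply comes back FROM port 53 TO the workstation's ephemeral port.
REPLY = Packet("udp", "198.51.100.53", DOMAIN, "192.168.10.50", 1044)

# "access-list 101 permit udp any any eq domain": eq is on the destination.
ORIGINAL = [Entry("permit", "udp", "any", None, "any", DOMAIN)]
# The workaround mentioned in the thread: permit destination port 1044.
WORKAROUND = ORIGINAL + [Entry("permit", "udp", "any", None, "any", 1044)]
# "access-list 105 permit udp any eq domain 192.168.10.0 0.0.0.255":
# eq is on the source, so it matches replies from any resolver's port 53.
REPLY_RULE = [Entry("permit", "udp", "any", DOMAIN, "192.168.10.0/24", None)]


def outcomes(acl: List[Entry]) -> dict:
    """Result for the query and for its reply under one ACL."""
    return {"query": evaluate(acl, QUERY), "reply": evaluate(acl, REPLY)}


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("workaround", WORKAROUND),
                      ("reply rule", REPLY_RULE), ("both", ORIGINAL + REPLY_RULE)]:
        print(f"{name:>11}: {outcomes(acl)}")
```

The model shows why the port-1044 workaround "works" only for that one ephemeral port, while the source-port form permits replies regardless of which ephemeral port the client chose. Because the reply rule accepts any packet with source port 53 toward the LAN, the other side of the trade-off is that anything on the internet can reach the LAN by sending from port 53; that is the gap stateful inspection closes and a stateless ACL cannot.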

The DNS server is sending requests to other DNS servers. Your ACL needs to allow the replies. Allow them by adding the keyword established to the end of the permit statement; it will allow the reply from any port.

access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established

Use the IP of your DNS server above.

Thanks for your reply