09-26-2002 09:39 AM - edited 03-02-2019 01:40 AM
This is so stupid, I'm embarrassed to ask. I can't for the life of me figure out why this simple access list won't work!
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit icmp any any echo-reply
When I try to ping a domain name, I get no reply. If I remove the access list, I can ping whatever I want. I know it's something simple, but I'm stumped!!!
HELP
Jim
09-26-2002 09:52 AM
I assume e0 is your inside/lan interface. Therefore you should allow echo, not echo-reply (echo-reply would be if the acl were applied outbound). If it were your outside interface, allow echo-reply (if applied inbound) or echo (if the acl were applied outbound).
Hope it helps.
Steve
09-26-2002 10:14 AM
Thanks for your reply. Yeah, the issue is not the echo/echo-reply. I can't seem to get a response allowed through for the dns request. Preliminary troubleshooting shows that the response coming back from the dns request is coming back on port 1044 and not on port 53 as was expected. This seems to happen if I'm connected to the internet or just testing in the shop. The return port (in this case 1044) may be different, but the overall result is the same. I was always led to believe that if the request went out as UDP port 53 and the response back was not TCP, I would get it back on port 53. That's what got me going.
By the way, if I allow port 1044 and the response to the dns request is sending via port 1044, everything is o.k.
Jim
09-27-2002 06:03 AM
When your local DNS server contacts the root server, it makes the request on port 53. However, the root server will respond on an upper random port. Here's how I deal with this in our network.
access-list 105 deny tcp any host 24.221.248.5 eq 22
access-list 105 deny tcp any host 24.221.248.5 eq telnet
access-list 105 permit ip any host 24.221.248.5
This will prevent people on the internet from accessing your DNS server, while keeping it open for DNS lookups to the root server. IMPORTANT: Be sure your DNS server is as secure as possible; don't run any services that are not absolutely necessary. The more ports you have open, the more vulnerable it is!
09-27-2002 06:13 AM
Thanks for your help!!!
09-29-2002 02:30 PM
Or you can add this
access-list 105 permit udp any eq domain 192.168.10.0 0.0.0.255
This will accept any source udp 53 to 192.168.10.0/24
Travers
09-30-2002 06:03 AM
Thanks for your reply. I think my misunderstanding lies in that when you send a DNS request to the internet, the source port is something other than 53 (which is the destination port, of course). When a reply comes back, the source port will be 53 but the destination port will be whatever the workstation sent out. Simple, huh? But it took lots of debugging for me to get it! I guess I'm just slow.
10-01-2002 05:56 PM
The DNS server is sending requests to other DNS servers. Your ACL needs to allow the replies. Allow them by adding the keyword established to the end of the permit statement; it will allow the reply from any port.
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Use the IP of your DNS server above.
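To make the port discussion and the established suggestion concrete, here is an added example (not code from anyone in the thread): a small Python evaluator for the extended-ACL lines quoted above, run against a constructed DNS reply. The reply's addresses (203.0.113.53, 192.168.10.25) and ACL names are assumptions for the demo; the evaluator ignores the ACL number, ICMP type keywords and direction, it only answers "would this entry match this packet".

```python
# Added demo, not from the thread: evaluates packets against the ACL syntax quoted above.
import ipaddress

PORT_NAMES = {"domain": 53, "telnet": 23}  # service names used in the thread

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (spec, next index)
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):  # optional 'eq <number|name>'
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]], i + 2
    return None, i

def parse_ace(line):  # access-list N permit|deny proto src [eq p] dst [eq p] [established]
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t[i:]}

def _match_addr(spec, addr):  # wildcard bits set to 1 are "don't care"
    return spec is None or (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl, pkt):  # first matching entry wins; every ACL ends with an implicit deny
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_match_addr(ace["src"], pkt["src"]) and _match_addr(ace["dst"], pkt["dst"])):
            continue
        if ace["sport"] not in (None, pkt["sport"]) or ace["dport"] not in (None, pkt["dport"]):
            continue
        # 'established' matches only TCP segments with ACK or RST set; it never admits UDP.
        if ace["established"] and not (pkt["proto"] == "tcp" and pkt.get("ack")):
            continue
        return ace["action"]
    return "deny"

ACL_101 = ["access-list 101 permit tcp any any eq domain",  # Jim's original list
           "access-list 101 permit udp any any eq domain",
           "access-list 101 permit icmp any any echo-reply"]
ACL_FIXED = ACL_101 + ["access-list 105 permit udp any eq domain 192.168.10.0 0.0.0.255"]  # Travers's entry
ACL_102 = ["access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established"]
# Constructed DNS reply: source port 53, destination the workstation's ephemeral port 1044
DNS_REPLY = {"proto": "udp", "src": "203.0.113.53", "sport": 53, "dst": "192.168.10.25", "dport": 1044}
```

Running evaluate(ACL_101, DNS_REPLY) gives "deny" and evaluate(ACL_FIXED, DNS_REPLY) gives "permit", while ACL_102 admits only TCP replies carrying ACK and never a UDP reply. Note that Travers's entry admits any UDP datagram whose source port is 53, whatever its destination port; that is the trade-off a stateless ACL forces here.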
10-02-2002 06:06 AM
Thanks for your reply