I assume e0 is your inside/LAN interface. Therefore you should allow echo, not echo-reply (echo-reply would be right if the ACL were applied outbound). If it were your outside interface, allow echo-reply (if applied inbound) or echo (if the ACL were applied outbound).
Thanks for your reply. Yeah, the issue is not the echo/echo-reply. I can't seem to get a response allowed through for the DNS request. Preliminary troubleshooting shows that the response coming back from the DNS request is coming back on port 1044 and not on port 53 as was expected. This seems to happen whether I'm connected to the internet or just testing in the shop. The return port (in this case 1044) may be different, but the overall result is the same. I was always led to believe that if the request went out as UDP port 53 and the response back was not TCP, I would get it back on port 53. That's what got me going.
By the way, if I allow port 1044 and the response to the DNS request is sent via port 1044, everything is OK.
When your local DNS server contacts the root server, it makes the request on port 53. However, the root server will respond on an upper random port. Here's how I deal with this in our network.
access-list 105 deny tcp any host 220.127.116.11 eq 22
access-list 105 deny tcp any host 18.104.22.168 eq telnet
access-list 105 permit ip any host 22.214.171.124
This will prevent people on the internet from accessing your DNS server, while keeping it open for DNS lookups to the root server. IMPORTANT: Be sure your DNS server is as secure as possible, don't run any services that are not absolutely necessary. The more ports you have open, the more vulnerable it is!
Thanks for your reply. I think my misunderstanding lies in that when you send a DNS request to the internet, the source port is something other than 53 (which is the destination port, of course). When a reply comes back, the source port will be 53 but the destination port will be whatever the workstation sent out. Simple, huh? But it took lots of debugging for me to get it! I guess I'm just slow.
The DNS server is sending requests to other DNS servers. Your ACL needs to allow the replies. Allow them by adding the keyword established to the end of the permit statement; it will allow the reply from any port.
access-list 102 permit tcp any 126.96.36.199 0.0.255.255 established
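The realisation in the earlier post (a query leaves from a high ephemeral source port to udp/53, and the reply comes back from udp/53 to that ephemeral port) is easy to check by evaluating the packets against the ACL entries, so here is an added example that is not part of the thread and not anyone's production configuration. It is a small simulator of Cisco-style extended ACL matching (first match wins, implicit deny at the end, wildcard masks, port operators and the `established` keyword) run against a constructed DNS query/reply pair. The addresses 192.0.2.10 and 198.51.100.53 and the ACL texts are constructed for illustration. It also shows the caveat a practitioner wants on the `established` suggestion above: that keyword matches only TCP segments with the ACK or RST bit set, so it never matches a UDP DNS reply, which has no flags at all.

```python
"""Simulate Cisco-style extended ACL matching against a DNS query and its reply.
Added example; the rules, packets and addresses below are constructed."""

from dataclasses import dataclass, field
from typing import Callable
import ipaddress

PORT_NAMES = {"domain": 53, "telnet": 23, "www": 80, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: frozenset = field(default_factory=frozenset)  # empty for UDP


@dataclass
class ACE:
    action: str
    proto: str
    src: Callable[[int], bool]
    sport: Callable[[int], bool]
    dst: Callable[[int], bool]
    dport: Callable[[int], bool]
    established: bool
    text: str


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """Parse 'any' | 'host A' | 'A wildcard' at toks[i]; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        addr = int(ipaddress.IPv4Address(toks[i + 1]))
        return (lambda ip: ip == addr), i + 2
    net = int(ipaddress.IPv4Address(toks[i]))
    wild = int(ipaddress.IPv4Address(toks[i + 1]))
    keep = ~wild & 0xFFFFFFFF        # a wildcard bit of 1 means "don't care"
    return (lambda ip: ip & keep == net & keep), i + 2


def _parse_port(toks, i):
    """Parse an optional eq/gt/lt/neq/range operator; return (matcher, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        op, n = toks[i], _port(toks[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
               "lt": lambda p: p < n, "neq": lambda p: p != n}
        return ops[op], i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_ace(line):
    """Accept both 'access-list N permit ...' and bare 'permit ...' forms."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return ACE(action, proto, src, sport, dst, dport, "established" in toks[i:], line)


def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    # 'established' only ever matches TCP segments carrying ACK or RST.
    if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return (ace.src(int(ipaddress.IPv4Address(pkt.src))) and ace.sport(pkt.sport)
            and ace.dst(int(ipaddress.IPv4Address(pkt.dst))) and ace.dport(pkt.dport))


def evaluate(acl_lines, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line).action
    return "deny"


DNS_SERVER = "192.0.2.10"        # constructed: the internal resolver
UPSTREAM = "198.51.100.53"       # constructed: a server it forwards queries to
EPHEMERAL = 1044                 # the high source port seen in the thread

# Query out from an ephemeral port to udp/53; reply back from udp/53 to that port.
query = Packet("udp", DNS_SERVER, EPHEMERAL, UPSTREAM, 53)
reply = Packet("udp", UPSTREAM, 53, DNS_SERVER, EPHEMERAL)

# Candidate ACLs applied inbound on the outside interface.
ACL_EQ53_ONLY = ["permit udp any host 192.0.2.10 eq domain"]
ACL_RETURN_TRAFFIC = [
    "permit udp any eq domain host 192.0.2.10 gt 1023",  # replies to our own queries
    "permit udp any host 192.0.2.10 eq domain",          # queries from outside
]
ACL_ESTABLISHED = ["permit tcp any host 192.0.2.10 established"]


def demo():
    tcp_ack = Packet("tcp", UPSTREAM, 53, DNS_SERVER, EPHEMERAL, frozenset({"ACK"}))
    return {
        "reply_vs_eq53_only": evaluate(ACL_EQ53_ONLY, reply),           # deny
        "reply_vs_return_rule": evaluate(ACL_RETURN_TRAFFIC, reply),    # permit
        "reply_vs_established": evaluate(ACL_ESTABLISHED, reply),       # deny (UDP)
        "tcp_ack_vs_established": evaluate(ACL_ESTABLISHED, tcp_ack),   # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The `gt 1023` entry is the classic stateless workaround and it carries its own cost: anything on the internet that sets its source port to 53 can now reach every high UDP port on the server, which is why a stateful mechanism (reflexive ACLs or `ip inspect` on IOS, or a firewall in front of the resolver) is the better way to let replies to your own queries back in.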
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix, in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.
I have a question. I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, everything works fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.