Cisco Support Community

New Member

Access List in my Router

I have a Cisco 2610 router running IOS version 12.0,

and under the Serial interface access-list there is a statement: permit udp any x.x.x.x lt 6901

If I remove it, no one can access the Internet.

As you know, a DNS request needs a UDP session on port 53 only, so why do I need "lt 6901"?

I mean: permit udp any x.x.x.x eq 53

Any comment?

3 REPLIES
New Member

Re: Access List in my Router

An Access list carries an implicit deny all at the end of the list. That is, unless you have an explicit "permit" statement, the traffic will be denied by default.

Re: Access List in my Router

hi,

The statement permits any packet with a port number less than 6901.

DNS falls under this, but other ports will be used too. Say you have a web server: the source port of packets going out of the web server will be 80, and so on.

bye

shanky

New Member

Re: Access List in my Router

When a DNS query is made it is always done on port 53, but the reply to it is received on any available higher-numbered port (> 1024).

6901 is an arbitrary port that has been selected by whoever set up the access-list, since the reply might also come on any port greater than that (unless it is a DNS-to-DNS request).

This might result in a few connections being lost, so a safer statement to use would be

permit udp any x.x.x.x gt 1024

This will allow all dns replies coming in to reach the proxy.

Rajat
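The three access-list entries discussed in this thread, run through a small evaluator so the difference is visible on concrete packets. This is an added example, not code from the thread or from Cisco: it implements the subset of IOS extended-ACL syntax used above (any / host / address-wildcard, and the eq/neq/lt/gt/range port operators, with the port operator after the destination address applying to the destination port) plus the implicit deny at the end of the list. The proxy address 192.0.2.10 stands in for the thread's x.x.x.x, the outside addresses 198.51.100.53 and 203.0.113.7 and the ephemeral port 3491 are constructed, and the entries are written with `host` because IOS requires a `host` keyword or wildcard for a single address.

```python
# Added example (not from the thread): tiny IOS extended-ACL evaluator.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PROXY = "192.0.2.10"  # assumed stand-in for the thread's x.x.x.x
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PortMatch:
    op: str
    lo: int
    hi: int = 0

    def matches(self, port: int) -> bool:
        if self.op == "range":
            return self.lo <= port <= self.hi  # "range lo hi" is inclusive
        return {"eq": port == self.lo, "neq": port != self.lo,
                "lt": port < self.lo, "gt": port > self.lo}[self.op]

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple  # (address, wildcard) as ints
    sport: Optional[PortMatch]
    dst: tuple
    dport: Optional[PortMatch]

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into (address, wildcard) ints."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ip_address(t[i + 1])), 0), i + 2
    return (int(ip_address(t[i])), int(ip_address(t[i + 1]))), i + 2

def _port(t, i):
    """Parse the optional port operator that may follow an address."""
    if i < len(t) and t[i] in PORT_OPS:
        if t[i] == "range":
            return PortMatch("range", int(t[i + 1]), int(t[i + 2])), i + 3
        return PortMatch(t[i], int(t[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)   # operator after the source address = source port
    dst, i = _addr(t, i)
    dport, i = _port(t, i)   # operator after the destination = destination port
    return Ace(t[0], t[1], src, sport, dst, dport)

def _addr_ok(ip: str, rule) -> bool:
    addr, wild = rule  # IOS wildcard: a 1 bit means "don't care"
    return ((int(ip_address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in (pkt.proto, "ip")
            and _addr_ok(pkt.src, ace.src) and _addr_ok(pkt.dst, ace.dst)
            and (ace.sport is None or ace.sport.matches(pkt.sport))
            and (ace.dport is None or ace.dport.matches(pkt.dport)))

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; the list ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed inbound packets on the serial interface (all addresses made up).
PACKETS = {
    # reply from an outside DNS server to the ephemeral port the proxy queried from
    "dns_reply": Packet("udp", "198.51.100.53", 53, PROXY, 3491),
    # a query from outside aimed at port 53 on the proxy
    "dns_query_in": Packet("udp", "203.0.113.7", 1234, PROXY, 53),
    # unrelated UDP traffic to a high port on the proxy
    "high_udp": Packet("udp", "203.0.113.7", 40000, PROXY, 7000),
}

ORIGINAL_ACL = [f"permit udp any host {PROXY} lt 6901"]  # what the router has
EQ53_ACL = [f"permit udp any host {PROXY} eq 53"]        # the poster's proposal
GT1024_ACL = [f"permit udp any host {PROXY} gt 1024"]    # Rajat's suggestion

def decisions(acl) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("lt 6901", ORIGINAL_ACL), ("eq 53", EQ53_ACL),
                       ("gt 1024", GT1024_ACL)):
        print(f"{label:8} {decisions(acl)}")
```

Running it shows the point of the thread: the reply from the outside DNS server is addressed to the proxy's ephemeral port, not to port 53, so `eq 53` drops it and only the inbound query to the proxy's own port 53 survives, while `lt 6901` and `gt 1024` both admit it. Two caveats worth keeping in mind: `gt` is strict, so `gt 1024` does not cover port 1024 itself, and `gt 1024` admits every UDP datagram to a high port on the proxy, not only DNS replies, which is the breadth you trade for not losing replies. The evaluator also handles the address-wildcard form, for example `permit udp 203.0.113.0 0.0.0.255 host 192.0.2.10 eq 53`, and a `deny` placed before a `permit`, since the first matching entry decides.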
