New Member

ACL

Hi

I got ACL issue,

Restricting subnet 192.168.1.0/24 to access DNS server 192.99.99.12 on port 53 only doesn't work.

But if I allow as host it works.

Config

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

ip access-list extended DNS
 permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

5 REPLIES

Re: ACL

Hi,

You want 192.168.1.0/24 to be denied access to 192.99.99.12? Then try this ACL and apply it in the in direction on interface vlan99:

ip access-list extended deny DNS
 deny ip 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 permit ip any any

interface vlan 99
 ip access-group DNS in

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Re: ACL

Hi Ganesh,

did you mean

ip access-list extended DNS
 deny udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 deny tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq domain
 permit ip any any

?

BR,

Milan

New Member

Re: ACL

My mistake in the initial post, I was looking to get a solution for:

Allow Subnet 192.168.1.0 0.0.0.255 to perform DNS query only on DNS Server 192.99.99.12

What I tested and didn't work:

ip access-list extended DNS
 permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

----------------------------------------------------------------------------

What works

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out

ip access-list extended DNS
 permit ip 192.168.1.0 0.0.0.255 host 192.99.99.12
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Here the risk is that everything is allowed to the DNS server.

--------------------------

Can someone help me understand why it's not working?

Re: ACL

DNS, by default, is UDP.

Try:

ip access-list extended DNS
 permit tcp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 permit udp 192.168.1.0 0.0.0.255 host 192.99.99.12 eq 53
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.1.255
 permit ip any any

Interface Vlan 99
 ip address 192.168.1.1 255.255.255.0
 ip access-group DNS in
 ip access-group DNS out
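As an added check that is not part of any poster's reply: a small Python model of IOS extended-ACL evaluation (wildcard masks, first match wins, implicit deny at the end), run against the ACL in the reply above. The packets are constructed; because the list ends in permit ip any any, the model shows that non-DNS traffic to the server and DNS to any other server still match that last line, which is the exposure raised earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF          # invert the wildcard to get the bits that must match
    return (a & care) == (b & care)

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol; otherwise "udp" or "tcp"
    src: str                       # source base address
    src_wc: str                    # source wildcard mask
    dst: str                       # destination base address
    dst_wc: str                    # destination wildcard mask
    dst_port: Optional[int] = None # "eq <port>" on the destination, if present

ANY = ("0.0.0.0", "255.255.255.255")   # how "any" is expressed as base + wildcard
HOST = "0.0.0.0"                        # wildcard for "host X"

# The ACL from the reply above, entered in the same order (constructed ACE list).
DNS_ACL: List[Ace] = [
    Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", "192.99.99.12", HOST, 53),
    Ace("permit", "udp", "192.168.1.0", "0.0.0.255", "192.99.99.12", HOST, 53),
    Ace("deny",   "ip",  "192.168.1.0", "0.0.0.255", "10.10.10.0", "0.0.1.255"),
    Ace("permit", "ip",  *ANY, *ANY),
]

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """IOS semantics: the first matching entry decides; no match hits the implicit
    'deny ip any any'. Returns (action, 1-based line of the matching entry or None)."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, n
    return "deny", None

if __name__ == "__main__":
    # Constructed packets from a VLAN 99 host, as the "in" direction sees them.
    for pkt in [("udp", "192.168.1.10", "192.99.99.12", 53),  # DNS query: line 2
                ("udp", "192.168.1.10", "10.10.11.200", 53),  # 0.0.1.255 spans 10.10.10.0-10.10.11.255: line 3
                ("tcp", "192.168.1.10", "192.99.99.12", 22),  # non-DNS to the server: line 4 permits
                ("udp", "192.168.1.10", "203.0.113.53", 53)]: # DNS to another server: line 4 permits
        print(pkt, "->", evaluate(DNS_ACL, *pkt))
```

Dropping the final entry (DNS_ACL[:3]) is what makes the implicit deny apply to everything the first three lines do not name.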

New Member

Re: ACL

Hi

this was tested before but didn't help.

I'm gonna upgrade the IOS and see.

current IOS is 12.3
