Problem

In the Technical
Q&A
, member drsysadmin@hotmail.com
posted a detailed description of a problem with a Cisco router: “I am
creating an IP extended access control list (ACL) on a Cisco 1700 series router.
The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (Internet
to network) packets for security purposes. Standard ports 25, 80, 110, and 443
are permitted, as well as one port for VPN. Specified ports are opened for both
TCP and UDP. In addition, ‘established’ connections are also permitted. The
problem comes on DNS. Port 53 is supposed to be the standard DNS port. I have
opened port 53 for UDP and TCP, yet as soon as the filter is applied, no
internal machine can do DNS resolution (note: our DNS server is an external
provider’s machine). If I remove the ACL, the ‘Internet comes back on’ as one
developer stated. Command line DNS also fails, so it is definitely DNS that is
dying because of the ACL. All statements in the ACL are permits at this point,
allowing the implicit ‘Deny any any’ to cover what I do not manually open. So
its not a misconfigured deny statement. No filters are applied to the LAN interface,
so they default to ‘permit any any’ in both directions. There is no outgoing
filter on the WAN interface, so it also has ‘permit any any’ permissions.”

Solution

Member Srikrishna
provided the missing statement that was needed to allow DNS requests to pass
through the ACL:

access-list ### permit
udp host “ip.of.name.server” any gt 1023

Srikrishna also commented, “DNS works on UDP. Try
opening higher ports from the server.”

In response, drsysadmin@hotmail.com said, “This
resolved my issue perfectly. With the host command I can specify that the
response is from the server required.”


Note

The text of discussion posts from TechRepublic members has
been slightly edited for spelling, punctuation, and clarity.