General discussion

  • #2278963

    Router configuration – ACL issue

    by drsysadmin ·

    I am creating an IP extended ACL on a Cisco 1700 series. The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (internet to network) packets for security purposes. Standard ports 25, 80, 110, 443 are permitted, as well as one port for VPN. Specified ports are opened for both TCP and UDP. In addition, “established” connections are also permitted. The problem comes on DNS. Port 53 is supposed to be the standard DNS port – I have opened port 53 for UDP and TCP, yet as soon as the filter is applied, no internal machine can do DNS resolution. (Note – the DNS server is an external network provider machine.) If I remove the ACL, the “internet comes back on”, as one developer stated. Command line DNS also fails, so it is definitely DNS that is dying on the ACL. All statements in the ACL are permits at this point, allowing the implicit Deny any any to cover what I do not manually open. So it's not a misconfigured deny statement. No filters are applied to the LAN interface – so they default to permit any any in both directions. There is no outgoing filter on the WAN interface, so it also is permit any any.

    Ideas? Thanks in advance.
    Dr. Sys

All Comments

    • #2708976

      Reply To: Router configuration – ACL issue

      by srikrishna ·

      In reply to Router configuration – ACL issue

      access-list ### permit udp host "ip.of.name.server" any gt 1023
      DNS works on UDP. Try opening higher ports from the server... if any security concerns are there I am not sure of any other way around... maybe some of our sec gurus can help more...
      thx
      Srik

      • #2707087

        Reply To: Router configuration – ACL issue

        by drsysadmin ·

        In reply to Reply To: Router configuration – ACL issue

        EXCELLENT ANSWER – The points are yours! This resolved my issue perfectly – with the host command I can specify that the response is from the server required. THANK YOU!!
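Why the original filter breaks resolution while the extra entry repairs it, as an added worked example that is not part of the thread: a small model of first-match extended ACL evaluation (implicit deny, `established`) run over a constructed DNS answer, with the original entries and the reply's extra entry side by side. The resolver and client addresses are constructed, and the added entry also restricts the source port to 53, a tightening of mine that the reply's statement does not include.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST set: the condition the "established" keyword tests

@dataclass
class Rule:  # one extended access-list entry; port specs are ("eq", n), ("gt", n) or None
    action: str
    proto: str  # "tcp", "udp" or "ip"
    src: str = "any"
    sport: tuple = None
    dst: str = "any"
    dport: tuple = None
    established: bool = False

def port_ok(spec, port: int) -> bool:
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def acl_verdict(rules, pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny any any."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.src not in ("any", pkt.src) or r.dst not in ("any", pkt.dst):
            continue
        if not (port_ok(r.sport, pkt.sport) and port_ok(r.dport, pkt.dport)):
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action
    return "deny"

DNS_SERVER = "203.0.113.53"  # constructed: the provider's resolver
CLIENT = "192.168.1.20"      # constructed: an internal workstation
# Original inbound ACL on Serial0: the service ports are opened by destination port only.
ORIGINAL = [Rule("permit", p, dport=("eq", n)) for p in ("tcp", "udp") for n in (25, 53, 80, 110, 443)]
ORIGINAL.append(Rule("permit", "tcp", established=True))
# The reply's extra entry: answers from the resolver to an ephemeral port (source port 53 added here).
FIXED = ORIGINAL + [Rule("permit", "udp", src=DNS_SERVER, sport=("eq", 53), dport=("gt", 1023))]
# A DNS answer arriving from the internet: source port 53, destination an ephemeral port above 1023.
DNS_REPLY = Packet("udp", DNS_SERVER, 53, CLIENT, 40123)

def evaluate() -> dict:
    return {"original": acl_verdict(ORIGINAL, DNS_REPLY), "fixed": acl_verdict(FIXED, DNS_REPLY)}
```

Calling `evaluate()` returns `{'original': 'deny', 'fixed': 'permit'}`: the answer carries port 53 as its source, not its destination, so the `eq 53` entries never match it and only the `established` entry (TCP-only) or the new UDP entry can let it through.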

    • #2707086

      Reply To: Router configuration – ACL issue

      by drsysadmin ·

      In reply to Router configuration – ACL issue

      This question was closed by the author
