General discussion
-
Topic
-
Router configuration – ACL issue
LockedAm creating an IP extended ACL on a cisco 1700 series. The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (internet to network) packets for security purposes. Standard ports 25, 80, 110, 443 are permitted, as well as one port for VPN. Specified ports are opened for both TCP and UDP. In addition, “established” connections are also permitted. The problem comes on DNS. Port 53 is supposed to be the standard DNS port – have opened port 53 for UDP and TCP, yet as soon as the filter is applied, no internal machine can do DNS resolution. (Note – DNS server is an external network provider machine.) If I remove the ACL, the “internet comes back on” as one developer stated. Command line DNS also fails, so it is definitely DNS that is dying on the ACL. All statements in the ACL are permits at this point, allowing the implicit Deny any any to cover what I do not manually open. So its not a misconfigured deny statement. No filters are applied to the LAN interface – so they default to permit any any in both directions. There is no outgoing filter on the Wan interface, so it also is permit any any.
Ideas? Thanks in advance.
Dr. Sys