
Access List behaving oddly

I have the following statements at the top side of an ACL on a Cisco 3825:

10 permit udp host any eq domain log
20 permit udp host any log

I am attempting DNS resolution against the global DNS root for testing of a development network.  Both of the above statements are applied inbound to the WAN link of the edge router.  When I attempt DNS resolution, only line 20 matches.  Line 10 generates no match and the packet is ultimately denied if line 20 is removed from the ACL.

Can anyone tell me why line 10 would not be matching DNS replies from and how to overcome the problem?  I am concerned that this problem will begin to extend to other services as I expand the ACL to include www, 443, ftp, smtp, etc. and do not want to open a gaping hole in the front end that basically equates to a "permit ip any any" statement in order to make these work.

1 Solution
Because the access-list is applied inbound on the WAN interface, the return traffic (DNS reply) has a source port of 53.

Your access-list should look like this:

10 permit udp host eq domain any log
atlas_shuddered (Sr. Network Engineer, Author) commented:
Yep. Just figured that out, JF. Thanks for the confirmation nonetheless. I think I hear them coming with the cone of shame now......
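The mismatch above comes down to which side of the entry a port operator binds to: in an IOS extended ACE, "eq domain" placed after the destination address tests the destination port, while the inbound reply carries 53 as its source port. The following is an added example, not code from the original post or from IOS; it models first-match, implicit-deny evaluation for the any/host forms used in the thread and runs the posted entries and the corrected one against a constructed reply packet. The addresses are assumptions from the RFC 5737 documentation ranges: 203.0.113.53 stands in for the external DNS server whose address was elided from the posted lines, and 192.0.2.1 for the router's WAN address.

```python
"""
Model of first-match, implicit-deny evaluation for Cisco extended ACLs,
applied to the DNS-reply case in the thread. Added example; not code from
the original post. Addresses are constructed (RFC 5737 documentation ranges):
203.0.113.53 = the external DNS server elided from the posted ACL lines,
192.0.2.1 = the router's WAN address.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Subset of the port keywords IOS accepts and prints in ACLs.
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "smtp": 25, "snmp": 161}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    src: str               # "any" or "host A.B.C.D"
    sport: Optional[int]   # "eq <port>" after the source; None means any port
    dst: str
    dport: Optional[int]   # "eq <port>" after the destination; None means any port


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'SEQ permit|deny PROTO SRC [eq P] DST [eq P] [log]' (any/host forms only)."""
    toks = line.split()
    seq, action, proto = int(toks[0]), toks[1], toks[2]
    i = 3

    def take_addr() -> str:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        if toks[i] == "host":
            i += 2
            return f"host {toks[i - 1]}"
        raise ValueError(f"unsupported address form: {toks[i]!r}")

    def take_port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return _port(toks[i - 1])
        return None

    src = take_addr()
    sport = take_port()      # an "eq" here binds to the SOURCE port
    dst = take_addr()
    dport = take_port()      # an "eq" here binds to the DESTINATION port
    return Ace(seq, action, proto, src, sport, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) == ip_address(spec.split()[1])


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First matching entry wins; None models the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace
    return None


def permitted(acl: List[Ace], pkt: Packet) -> bool:
    hit = evaluate(acl, pkt)
    return hit is not None and hit.action == "permit"


# The ACL as posted, with the elided host filled in by the constructed server address.
POSTED_ACL = [
    parse_ace("10 permit udp host 203.0.113.53 any eq domain log"),
    parse_ace("20 permit udp host 203.0.113.53 any log"),
]
# The corrected entry from the accepted answer: "eq domain" now binds to the source.
FIXED_ACL = [parse_ace("10 permit udp host 203.0.113.53 eq domain any log")]

# Inbound on the WAN interface: the server's reply, source port 53, destined to the
# ephemeral port the router's resolver picked (constructed packet).
REPLY = Packet("udp", "203.0.113.53", 53, "192.0.2.1", 51234)
# Not DNS at all, but sent from source port 53 (constructed packet).
FROM_PORT_53_TO_SNMP = Packet("udp", "203.0.113.53", 53, "192.0.2.1", 161)

if __name__ == "__main__":
    print("posted ACL, reply hits seq:", evaluate(POSTED_ACL, REPLY).seq)            # 20
    print("posted line 10 alone permits reply:", permitted(POSTED_ACL[:1], REPLY))  # False
    print("fixed ACL permits reply:", permitted(FIXED_ACL, REPLY))                  # True
    print("fixed ACL permits any UDP from port 53:",
          permitted(FIXED_ACL, FROM_PORT_53_TO_SNMP))                               # True
```

The last case is the caveat to carry forward as the ACL grows: an entry keyed on source port 53 admits every UDP datagram that host sends from port 53, whatever the destination port, because UDP has no `established` keyword to tie replies to outbound requests. Permitting return traffic per service by source port is therefore only slightly narrower than the `permit ip any any` the asker wants to avoid; on IOS the way to admit replies without that exposure is a stateful mechanism such as reflexive ACLs or CBAC inspection.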