

Access List behaving oddly

Posted on 2009-12-21
Medium Priority
Last Modified: 2012-05-08
I have the following statements at the top side of an ACL on a Cisco 3825:

10 permit udp host any eq domain log
20 permit udp host any log

I am attempting DNS resolution against the global DNS root for testing of a development network.  Both of the above statements are applied inbound to the WAN link of the edge router.  When I attempt DNS resolution, only line 20 matches.  Line 10 generates no match and the packet is ultimately denied if line 20 is removed from the ACL.

Can anyone tell me why line 10 would not be matching DNS replies from and how to overcome the problem?  I am concerned that this problem will begin to extend to other services as I expand the ACL to include www, 443, ftp, smtp, etc. and do not want to open a gaping hole in the front end that basically equates to a "permit ip any any" statement in order to make these work.

Question by:atlas_shuddered
LVL 43

Accepted Solution

JFrederick29 earned 2000 total points
ID: 26097845
Because the access-list is applied inbound on the WAN interface, the return traffic (DNS reply) has a source port of 53.

Your access-list should look like this:

10 permit udp host eq domain any log
LVL 11
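The mismatch the accepted answer describes can be reproduced offline. The following is an added example, not code from the question or the answer: a small evaluator for Cisco-style extended ACL entries that walks the list top-down and reports the first matching line, or the implicit deny. The addresses are constructed (198.51.100.10 stands in for the external DNS server whose IP was elided in the question, 203.0.113.5 for the inside host that sent the query); the ephemeral port 40123 is likewise made up. It goes slightly beyond the page by also accepting the `A.B.C.D wildcard` address form and TCP entries, so the same check can be applied to the www, 443, ftp and smtp entries the questioner intends to add.

```python
"""Minimal evaluator for Cisco extended ACL entries (added example, not Cisco's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known service names accepted after "eq", as Cisco IOS prints them.
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "smtp": 25, "https": 443}


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class AclEntry:
    seq: int
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks: 0 bits must match, 1 bits are ignored.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port|name>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_entry(line: str) -> AclEntry:
    """Parse '<seq> permit|deny <proto> <src> [eq p] <dst> [eq p] [log]'."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src_net, i = _parse_addr(tokens, 3)
    src_port, i = _parse_port(tokens, i)   # a port here qualifies the SOURCE
    dst_net, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)   # a port here qualifies the DESTINATION
    return AclEntry(seq, action, proto, src_net, src_port, dst_net, dst_port, "log" in tokens[i:])


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (sequence, action) of the first matching entry; (None, 'deny') is the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src_net or dst not in e.dst_net:
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.seq, e.action
    return None, "deny"


# The two lines from the question, with a constructed server address filled in.
ORIGINAL_ACL = [parse_entry(l) for l in (
    "10 permit udp host 198.51.100.10 any eq domain log",
    "20 permit udp host 198.51.100.10 any log",
)]
# The accepted answer's form: port 53 is the SOURCE port of a reply arriving inbound.
CORRECTED_ACL = [parse_entry("10 permit udp host 198.51.100.10 eq domain any log")]

# Constructed DNS reply as seen inbound on the WAN interface: from the server's port 53
# back to the querying host's ephemeral port.
DNS_REPLY = Packet("udp", "198.51.100.10", 53, "203.0.113.5", 40123)


def demo() -> dict:
    """Show which line each ACL variant hits for the inbound DNS reply."""
    return {
        "original, both lines": evaluate(ORIGINAL_ACL, DNS_REPLY),       # (20, 'permit')
        "original, line 20 removed": evaluate(ORIGINAL_ACL[:1], DNS_REPLY),  # (None, 'deny')
        "corrected": evaluate(CORRECTED_ACL, DNS_REPLY),                 # (10, 'permit')
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28s} -> {result}")
```

Line 10 as written matches only packets whose destination port is 53, i.e. queries sent to the inside host, which is why a reply (source port 53, destination port ephemeral) falls through to the broad line 20. Moving `eq domain` in front of `any` ties the permit to the reply's source port without widening it to every UDP packet from that server; the same placement applies to each additional service port the questioner plans to add.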

Author Comment

ID: 26098315
Yep. Just figured that out, JF.  Thanks for the confirmation nonetheless.  I think I hear them coming with the cone of shame now......
