jeff_wright
asked on
Cisco 851 ACL not allowing DNS resolution
I am having issues with an ACL on an 851 router. When I apply my ACL, after a few minutes I am no longer able to resolve to the internet. I can ping an outside IP, however no surfing...
Can someone see what I am missing?
Thanks,
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MY_851
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
clock summer-time MST recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.10
!
!
ip cef
ip inspect name block tftp timeout 1800
ip inspect name block tcp timeout 1800
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
enrollment selfsigned
username user1 password 0 XXXXXX
username user2 privilege 15 password 0 XXXXXX
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPNCLIENT
!
crypto isakmp client configuration group XXXXXX
key XXXXX
dns 192.168.1.10
pool VPNCLIENT
acl 144
!
!
crypto ipsec transform-set unity esp-3des esp-sha-hmac
!
crypto dynamic-map dynomap 10
set transform-set unity
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauth
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN 20 ipsec-isakmp dynamic dynomap
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ** Internet **
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1392
duplex auto
speed auto
crypto map VPN
!
interface Vlan1
description ** LAN **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool VPNCLIENT 10.200.0.1 10.200.0.50
ip classless
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet4 25
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 deny 53 any any
access-list 106 deny 55 any any
access-list 106 deny 77 any any
access-list 106 permit udp any any eq bootpc
access-list 106 permit udp any any eq bootps
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any any eq smtp
access-list 106 permit tcp any any eq 443
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp host 142.3.100.15 any eq ntp
access-list 106 permit tcp any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Hi,
try the following
ip nat inside source static udp 192.168.1.10 53 interface FastEthernet4 53
Access list 106 has an entry for deny 53 any any. If that means deny port 53 to any from any, that's going to be a big part of your issue. DNS forwarding occurs on port 53. Cisco ACLs are also read sequentially from top to bottom. It's better to include all of your "allow" statements at the top and allow the implicit deny statement to take care of the rest.
that deny 53 is the protocol, not the port.
ASKER
Sorry, I want to put the acl on fa4 inbound. I don't want to allow dns 53 inbound....
hi
Does it happen with VPN clients?
I am not seeing ACL 106 applied on any interface, so the problem is not with ACL 106, right?
Then we need to focus on the ACL that causes the problem. You didn't specify which one, and from your configuration it's 101,
so change it to the following:
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 53
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255 >> what is its goal?
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ASKER
No vpn clients don't seem to be affected.
I took the acl 106 off of the fa4 interface because it wasn't working. After I apply the acl on the fa4 interface inbound, I can surf the net for about 2 minutes. Then no dns resolution. I can still ping outside IP addresses.
Sorry the issue seems to be with acl 106 after I apply it.
Should I change 101 still?
For access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255 the goal is to allow access to VPN clients from the LAN when connected.
ASKER CERTIFIED SOLUTION
Add this near the top of your inbound ACL:
permit tcp any any established
It should fix your issue.
The issue is that traffic is going out, but not being allowed back in. You would either use IOS Firewall/CBAC configured or that ACL line. This will allow reply traffic (initiated from inside your network) back in.
ASKER
Ok so when I apply that acl to the fa4 in interface, I can't access the net at all!!!
Which one? Keep your current ACL and add the permit tcp any any established line.
ASKER
Oops! I entered an incorrect setting on the acl...
Trying now. I applied the acl 106 and so far so good...
Is your access group assigned inbound or outbound on your interface?
Did you try to add those lines posted above?
access-list 106 permit udp any any eq 53
access-list 106 permit tcp any any eq 53
ASKER
Spoke too soon. Still not working...
Post current Fa4 and ACL config please.
ASKER
Here it is.....
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DF_Tech_851
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
clock summer-time MST recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.10
!
!
ip cef
ip inspect name block tftp timeout 1800
ip inspect name block tcp timeout 1800
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-XXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
certificate self-signed 01
xxx quit
username user1 password 0 XXXXX
username user2 privilege 15 password 0 XXXXX
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPNCLIENT
!
crypto isakmp client configuration group DF_TeCH!
key XXXXXX
dns 192.168.1.10
pool VPNCLIENT
acl 144
!
!
crypto ipsec transform-set unity esp-3des esp-sha-hmac
!
crypto dynamic-map dynomap 10
set transform-set unity
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauth
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN 20 ipsec-isakmp dynamic dynomap
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ** Telus Internet **
ip address dhcp
ip nat outside
ip access-group 106 in
ip virtual-reassembly
ip tcp adjust-mss 1392
duplex auto
speed auto
crypto map VPN
!
interface Vlan1
description ** DF Tech LAN **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool VPNCLIENT 10.200.0.1 10.200.0.50
ip classless
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet4 25
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 permit udp any any eq bootpc
access-list 106 permit udp any any eq bootps
access-list 106 permit tcp any any established
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any any eq smtp
access-list 106 permit tcp any any eq 443
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp host 142.3.100.15 any eq ntp
access-list 106 permit tcp any any
access-list 106 permit udp any any eq domain
access-list 106 permit tcp any any eq domain
access-list 144 permit ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Did you change anything? It looks the same. This is being applied IN on Fa4?
ASKER
I didn't change anything. Yes exactly the same just applied the acl to fa4. Yes fa4 in....
hi
Try from your CLI:
nslookup www.google.com >> what do you get?
If it resolves, then add this line to your ACL:
access-list 106 permit tcp any any eq www
ASKER
It doesn't resolve if the acl is applied to fa4 inbound.
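The following Python script is an added example, not code from the thread or from Cisco. It walks a numbered extended ACL top to bottom the way IOS does (first match wins, implicit deny at the end) and runs the ACL 106 from the second posted config against a few constructed packets. It shows why "permit tcp any any established" fixes TCP but not DNS: a DNS reply coming back in on Fa4 is UDP with SOURCE port 53, while "permit udp any any eq domain" only matches DESTINATION port 53, so the reply falls through to the implicit deny. It also shows that "deny 53 any any" in the first config is matched on IP protocol number 53, not on port 53. The addresses 203.0.113.53, 203.0.113.80 and 198.51.100.7 are constructed documentation addresses standing in for an upstream DNS server, a web server and the router's DHCP-assigned Fa4 address; they are not from the thread.

```python
"""Top-to-bottom evaluation of a Cisco-style numbered extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass

# IOS port keywords that appear in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "bootpc": 68, "bootps": 67,
              "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}

# ACL 106 exactly as posted in the second config, in its original order.
ACL_106 = [
    "access-list 106 permit udp any any eq bootpc",
    "access-list 106 permit udp any any eq bootps",
    "access-list 106 permit tcp any any established",
    "access-list 106 permit icmp any any echo-reply",
    "access-list 106 permit tcp any any eq smtp",
    "access-list 106 permit tcp any any eq 443",
    "access-list 106 permit esp any any",
    "access-list 106 permit udp any any eq isakmp",
    "access-list 106 permit udp any any eq non500-isakmp",
    "access-list 106 permit udp host 142.3.100.15 any eq ntp",
    "access-list 106 permit tcp any any",
    "access-list 106 permit udp any any eq domain",
    "access-list 106 permit tcp any any eq domain",
]
# A narrower entry that matches DNS replies by SOURCE port (assumed fix, not from the thread).
FIX_SRC_PORT_53 = "access-list 106 permit udp any eq domain any"


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp" or a protocol number as text
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set; this is what "established" matches
    icmp_type: str = ""


# Constructed packets arriving inbound on Fa4 (addresses are documentation ranges).
DNS_REPLY = Packet("udp", "203.0.113.53", "198.51.100.7", sport=53, dport=40000)
HTTP_REPLY = Packet("tcp", "203.0.113.80", "198.51.100.7", sport=80, dport=50000, ack_or_rst=True)
PING_REPLY = Packet("icmp", "203.0.113.80", "198.51.100.7", icmp_type="echo-reply")


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established|icmp-type]'."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("any",)
        if tok[i] == "host":
            i += 2
            return ("host", tok[i - 1])
        i += 2
        return ("net", tok[i - 2], tok[i - 1])   # network + wildcard mask

    src = addr()
    sport = None
    if i < len(tok) and tok[i] == "eq":           # "eq" right after SRC is the source port
        sport, i = _port(tok[i + 1]), i + 2
    dst = addr()
    dport, established, icmp_type = None, False, None
    while i < len(tok):
        if tok[i] == "eq":                        # "eq" after DST is the destination port
            dport, i = _port(tok[i + 1]), i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            icmp_type, i = tok[i], i + 1
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, established=established, icmp_type=icmp_type, text=line)


def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    mask = ~int(ipaddress.ip_address(spec[2])) & 0xFFFFFFFF   # wildcard -> subnet mask
    return int(ipaddress.ip_address(ip)) & mask == int(ipaddress.ip_address(spec[1])) & mask


def _ace_match(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):           # "53" here is protocol 53, not a port
        return False
    if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not pkt.ack_or_rst:
        return False
    if ace["icmp_type"] and pkt.icmp_type != ace["icmp_type"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching ACE text); first match wins, implicit deny otherwise."""
    for ace in map(_parse_ace, acl_lines):
        if _ace_match(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    for name, pkt in (("HTTP reply", HTTP_REPLY), ("ping reply", PING_REPLY), ("DNS reply", DNS_REPLY)):
        print(f"{name:11s} -> {evaluate(ACL_106, pkt)}")
    print(f"DNS reply   -> {evaluate(ACL_106 + [FIX_SRC_PORT_53], DNS_REPLY)}  (with source-port entry)")
```

Running it shows the HTTP and ping replies permitted by the established and echo-reply entries, the DNS reply hitting the implicit deny, and the same DNS reply permitted once an entry keyed on source port 53 is present. Note that "permit ip any any" at the end of the list, as used in the last post, also lets the reply through, but because it matches everything that reached it, the list then no longer blocks any inbound traffic at all; CBAC ("ip inspect" applied to the interface) or a source-port entry keeps the filter meaningful.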
SOLUTION
ASKER
I added the permit ip any any to the acl and so far so good. I will keep testing it for a bit.
ASKER
It seems to be working fine still...
Thank you,
permit tcp any any eq 53
permit udp any any eq 53