Solved

Cisco 851 ACL not allowing DNS resolution

Posted on 2010-01-11
Last Modified: 2012-05-08
I am having issues with an acl on an 851 router. When I apply my acl, after a few minutes, I am no longer able to resolve to the internet. I can ping an outside IP however no surfing...
Can someone see what I am missing?
Thanks,
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MY_851
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
clock summer-time MST recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 192.168.1.10 
!
!
ip cef
ip inspect name block tftp timeout 1800
ip inspect name block tcp timeout 1800
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
 enrollment selfsigned
username user1 password 0 XXXXXX
username user2 privilege 15 password 0 XXXXXX
!
! 
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local VPNCLIENT
!
crypto isakmp client configuration group XXXXXX
 key XXXXX
 dns 192.168.1.10
 pool VPNCLIENT
 acl 144
!
!
crypto ipsec transform-set unity esp-3des esp-sha-hmac 
!
crypto dynamic-map dynomap 10
 set transform-set unity 
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauth
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN 20 ipsec-isakmp dynamic dynomap 
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description **  Internet  **
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1392
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 description **  LAN  **
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool VPNCLIENT 10.200.0.1 10.200.0.50
ip classless
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet4 25
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 deny   53 any any
access-list 106 deny   55 any any
access-list 106 deny   77 any any
access-list 106 permit udp any any eq bootpc
access-list 106 permit udp any any eq bootps
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any any eq smtp
access-list 106 permit tcp any any eq 443
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp host 142.3.100.15 any eq ntp
access-list 106 permit tcp any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Comment
Question by:jeff_wright
24 Comments
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26285372
Which interface are you applying the ACL to, and in which direction? You will need an entry permitting tcp and udp on port 53:

permit tcp any any eq 53
permit udp any any eq 53
 
LVL 17

Expert Comment

by:rochey2009
ID: 26285407
Hi,
Try the following:

ip nat inside source static udp 192.168.1.10 53 interface FastEthernet4 53


 
LVL 3

Expert Comment

by:shairozan
ID: 26285408
Access list 106 has an entry for deny 53 any any. If that means deny port 53 to any from any, that's going to be a big part of your issue. DNS forwarding occurs on port 53. Cisco ACLs are also read sequentially from top to bottom. It's better to include all of your "allow" statements at the top and allow the implicit deny statement to take care of the rest.
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26285424
That deny 53 is the protocol, not the port.

 

Author Comment

by:jeff_wright
ID: 26285809
Sorry, I want to put the acl on fa4 inbound.  I don't want to allow dns 53 inbound....
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26285831
Hi,

Does it happen with VPN clients?
I am not seeing ACL 106 applied on any interface, so the problem is not with ACL 106, right?
Then we need to focus on the ACL that causes the problem.

You didn't specify which one, and from your configuration it's 101,
so change it to the following:

access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 53
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255  >> what is its goal?
access-list 101 permit ip 192.168.1.0 0.0.0.255 any


 

Author Comment

by:jeff_wright
ID: 26285940
No, VPN clients don't seem to be affected.
I took the acl 106 off of the fa4 interface because it wasn't working. After I apply the acl on the fa4 interface inbound, I can surf the net for about 2 minutes. Then no dns resolution. I can still ping outside IP addresses.
Sorry, the issue seems to be with acl 106 after I apply it.
Should I change 101 still?
For access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255, the goal is to allow access to VPN clients from the LAN when connected.
 
LVL 16

Accepted Solution

by:
memo_tnt earned 2000 total points
ID: 26286036
OK, then there's no need to change it.

Then change it to:
access-list 106 permit udp any any eq bootpc
access-list 106 permit udp any any eq bootps
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any any eq smtp
access-list 106 permit tcp any any eq 443
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp host 142.3.100.15 any eq ntp
access-list 106 permit tcp any any
access-list 106 permit udp any any eq 53
access-list 106 permit tcp any any eq 53
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26286174
Add this near the top of your inbound ACL:

permit tcp any any established

It should fix your issue.
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26286202
The issue is that traffic is going out, but not being allowed back in. You would either use IOS Firewall/CBAC or that ACL line. This will allow reply traffic (initiated from inside your network) back in.
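As an added illustration (not posted in the thread), the Python model below evaluates Cisco-style extended ACL entries the way IOS does (first match wins, implicit deny at the end) against constructed packets arriving inbound on Fa4. It shows why `permit udp any any eq domain` matches queries addressed to port 53 but never the replies, which come back from source port 53 to an ephemeral destination port, so only an entry of the form `permit udp any eq domain any` lets DNS answers in. The WAN address, the sample packets and the port-keyword table are constructed for the example.

```python
import ipaddress
# Cisco IOS port keywords that appear in the thread's ACL 106 (constructed table).
PORTS = {"domain": 53, "bootps": 67, "bootpc": 68, "smtp": 25, "www": 80,
         "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}
PROTOS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50}

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network((tok[0], str(mask)), strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tok and tok[0] == "eq":
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    rules = []
    for tok in (line.split() for line in lines if line.startswith("access-list")):
        src, rest = _addr(tok[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        proto = PROTOS[tok[3]] if tok[3] in PROTOS else int(tok[3])  # 'deny 53 any any' = IP protocol 53
        rules.append((tok[2] == "permit", proto, src, sport, dst, dport, "established" in rest))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; falling off the end is the implicit deny -> (False, None)."""
    for i, (permit, proto, src, sport, dst, dport, est) in enumerate(rules):
        if ((proto is None or proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in src and ipaddress.ip_address(pkt["dst"]) in dst
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))
                and (not est or pkt.get("established"))):  # 'established' = TCP ACK or RST set
            return permit, i
    return False, None

# Subset of the thread's ACL 106 as applied 'in' on Fa4, and constructed packets arriving there.
ACL_106 = ["access-list 106 permit tcp any any established",
           "access-list 106 permit udp any any eq domain",
           "access-list 106 permit tcp any any eq domain"]
WAN = "203.0.113.5"  # constructed stand-in for the router's DHCP-assigned Fa4 address
DNS_REPLY = {"proto": 17, "src": "198.51.100.53", "sport": 53, "dst": WAN, "dport": 51234}
DNS_QUERY_IN = {"proto": 17, "src": "198.51.100.7", "sport": 40000, "dst": WAN, "dport": 53}
```

Note that the `permit udp any any eq domain` entry accepts the unsolicited inbound query in DNS_QUERY_IN, which is exactly what the author said he did not want, and a trailing `permit ip any any` accepts everything else as well. The stateful alternative the router already has, `ip inspect` (CBAC), is defined in the posted configuration for tcp only and is never applied to an interface.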
 

Author Comment

by:jeff_wright
ID: 26287291
Ok so when I apply that acl to the fa4 in interface, I can't access the net at all!!!
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26287328
Which one? Keep your current ACL and add the permit tcp any any established line.
 

Author Comment

by:jeff_wright
ID: 26287330
Oops!  I entered an incorrect setting on the acl...  
Trying now.  I applied the acl 106 and so far so good...
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26287334
Is your access-group assigned inbound or outbound on your interface?

Did you try adding the lines posted above?

access-list 106 permit udp any any eq 53
access-list 106 permit tcp any any eq 53


 

Author Comment

by:jeff_wright
ID: 26287337
Spoke too soon.  Still not working...
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26287344
Post current Fa4 and ACL config please.
 

Author Comment

by:jeff_wright
ID: 26287398
Here it is.....
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DF_Tech_851
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
clock timezone MST -7
clock summer-time MST recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCP
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.10
!
!
ip cef
ip inspect name block tftp timeout 1800
ip inspect name block tcp timeout 1800
no ip domain lookup
!
!
crypto pki trustpoint TP-self-signed-XXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
 certificate self-signed 01
  xxx  quit
username user1 password 0 XXXXX
username user2 privilege 15 password 0 XXXXX
!
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local VPNCLIENT
!
crypto isakmp client configuration group DF_TeCH!
 key XXXXXX
 dns 192.168.1.10
 pool VPNCLIENT
 acl 144
!
!
crypto ipsec transform-set unity esp-3des esp-sha-hmac
!
crypto dynamic-map dynomap 10
 set transform-set unity
!
!
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauth
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN 20 ipsec-isakmp dynamic dynomap
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description **  Telus Internet  **
 ip address dhcp
 ip nat outside
 ip access-group 106 in
 ip virtual-reassembly
 ip tcp adjust-mss 1392
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 description **  DF Tech LAN  **
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool VPNCLIENT 10.200.0.1 10.200.0.50
ip classless
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet4 25
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 permit udp any any eq bootpc
access-list 106 permit udp any any eq bootps
access-list 106 permit tcp any any established
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any any eq smtp
access-list 106 permit tcp any any eq 443
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit udp host 142.3.100.15 any eq ntp
access-list 106 permit tcp any any
access-list 106 permit udp any any eq domain
access-list 106 permit tcp any any eq domain
access-list 144 permit ip 192.168.1.0 0.0.0.255 10.200.0.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26287458
Did you change anything? It looks the same. This is being applied IN on Fa4?
 

Author Comment

by:jeff_wright
ID: 26287504
I didn't change anything. Yes, exactly the same, I just applied the acl to fa4. Yes, fa4 in....
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26287706
Hi,

Try from your CLI:

nslookup www.google.com >> what do you get?

If it resolves, then add this line to your ACL:

access-list 106 permit tcp any any eq www



 

Author Comment

by:jeff_wright
ID: 26287812
It doesn't resolve if the acl is applied to fa4 inbound.
 
LVL 16

Assisted Solution

by:memo_tnt
memo_tnt earned 2000 total points
ID: 26291003
When you add permit ip any any at the end of the ACL,
does it work OK?

 

Author Comment

by:jeff_wright
ID: 26306022
I added the permit ip any any to the acl and so far so good.  I will keep testing it for a bit.
 

Author Comment

by:jeff_wright
ID: 26306219
It seems to be working fine still...
Thank you,