Cisco VLAN ACL problems

Hi,

I have a VLAN defined that I'm using ACLs to control the inbound / outbound traffic.  My current problem is allowing DNS traffic back in.  I THINK I have the rule necessary to allow this but it is still showing denied in my logging by the access list (102) where my rule is.  Below is the relevant config:

spidra#sho ver
Cisco Internetwork Operating System Software
IOS (tm) C5RSM Software (C5RSM-DSV-M), Version 11.3(6)WA4(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Mon 07-Dec-98 15:01 by
Image text-base: 0x600108F8, data-base: 0x60978000

ROM: System Bootstrap, Version 11.2(17523) [mohsen 102], INTERIM SOFTWARE
BOOTFLASH: C5RSM Software (C5RSM-BOOT-M), Version 11.2(18)P,  RELEASE SOFTWARE (fc1)

spidra uptime is 3 years, 1 week, 3 days, 8 hours, 40 minutes
System restarted by reload at 08:24:00 EST Tue Mar 27 2007
System image file is "slot0:/c5rsm-dsv-mz.113-6.WA4.9.bin", booted via slot0

cisco RSP2 (R4700) processor with 65536K/2072K bytes of memory.
R4700 processor, Implementation 33, Revision 1.0
Last reset from power-on
G.703/E1 software, Version 1.0.
X.25 software, Version 3.0.0.
Bridging software.
1 C5IP controller (20 Vlan).
20 Virtual Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.

16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
16384K bytes of Flash PCMCIA card at slot 1 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

interface Vlan200
 ip address 172.16.244.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out


access-list 101 permit tcp any any established log-input
access-list 101 permit udp any any eq domain log-input
access-list 101 permit tcp any any eq www log-input
access-list 101 permit tcp any any eq 443 log-input
access-list 101 permit tcp any any eq domain log-input
access-list 101 permit icmp any any log-input
access-list 101 deny   ip any any log-input

access-list 102 permit tcp any any established log-input
access-list 102 permit tcp any any eq www log-input
access-list 102 permit tcp any any eq 443 log-input
access-list 102 permit udp any any eq domain log-input
access-list 102 permit icmp any any time-exceeded log-input
access-list 102 permit icmp any any echo-reply log-input
access-list 102 permit icmp any any traceroute log-input
access-list 102 permit icmp any any log-input
access-list 102 deny   ip any any log-input


Logging shows the following:

Apr  5 16:44:02 spidra 689888: Apr  5 21:44:02.656: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(49719) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:08 spidra 689889: Apr  5 21:44:07.284: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(49841) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 2 packets
Apr  5 16:44:13 spidra 689890: Apr  5 21:44:12.912: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(17368) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:33 spidra 689896: Apr  5 21:44:32.424: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(1581) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:35 spidra 689897: Apr  5 21:44:34.448: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(1583) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:37 spidra 689898: Apr  5 21:44:36.052: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(45711) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:45:17 spidra 689905: Apr  5 21:45:16.028: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(45711) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 2 packets
Apr  5 16:45:23 spidra 689906: Apr  5 21:45:22.148: %SEC-6-IPACCESSLOGP: list 102 denied udp 68.xxx.xxx.xxx(53) (Vlan10 000e.83c9.ee85) -> 172.16.244.244(45711), 3 packets
Apr  5 16:45:23 spidra 689907: Apr  5 21:45:23.148: %SEC-6-IPACCESSLOGP: list 102 denied udp 68.xxx.xxx.xxx(53) (Vlan10 000e.83c9.ee85) -> 172.16.244.244(29163), 2 packets
xogent Asked:

Istvan Kalmar, Head of IT Security Division, Commented:
Hi,

You need

ip access-list extended 102
 11 permit udp any eq 53 172.16.244.0 0.0.0.255

Best regards,
Istvan
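To see why the original "permit udp any any eq domain" in list 102 never matches the returning DNS reply (in the reply, port 53 is the source port, not the destination) while the answer's "permit udp any eq 53 172.16.244.0 0.0.0.255" does, here is a small evaluator for the numbered IOS ACL syntax used in the thread. This is an added example, not code from the thread or from Cisco; it supports only the ACE subset on this page (any, network/wildcard, eq, established), ignores ICMP type keywords and log-input, and the 68.0.0.1 address stands in for the masked 68.xxx.xxx.xxx resolver.

```python
import ipaddress
from collections import namedtuple

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}
# A packet as the ACL sees it; ack marks the TCP ACK/RST bit that "established" tests.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))

def _addr(t, i):
    """Consume one address spec ('any' or 'NETWORK WILDCARD'); return matcher, next index."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    net, wild = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))
    # IOS wildcard: 1 bits are don't-care, 0 bits must match the network address.
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>'; return port (or None) and next index."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    if t[0] == "access-list":   # numbered form: drop "access-list <num>"
        t = t[2:]
    elif t[0].isdigit():        # named-ACL form with a leading sequence number
        t = t[1:]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    # Leftover keywords: 'established', 'log-input', ICMP type names (ignored here).
    return dict(action=t[0], proto=t[1], src=src, sport=sport, dst=dst,
                dport=dport, established="established" in t[i:])

def evaluate(acl_lines, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for a in map(parse_ace, acl_lines):
        if (a["proto"] in ("ip", pkt.proto) and a["src"](pkt.src) and a["dst"](pkt.dst)
                and a["sport"] in (None, pkt.sport) and a["dport"] in (None, pkt.dport)
                and (not a["established"] or (pkt.proto == "tcp" and pkt.ack))):
            return a["action"]
    return "deny"

# Constructed from the thread's denied log line: DNS reply 68.x.x.x:53 -> 172.16.244.244:45711.
DNS_REPLY = Packet("udp", "68.0.0.1", 53, "172.16.244.244", 45711)

def check_fix(acl_lines, fix_line, pkt=DNS_REPLY):
    """Return (verdict before, verdict after) inserting fix_line as the second ACE (seq 11)."""
    return evaluate(acl_lines, pkt), evaluate(acl_lines[:1] + [fix_line] + acl_lines[1:], pkt)
```

Note that sequence number 11 places the new ACE right after the "established" line, so it is consulted before the implicit deny at the end of the list.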
xogent (Author) Commented:
That seems to have worked.  Thanks!  I was following (I thought) the syntax of some existing rules.  Yours has a different syntax/layout.