Solved

Need DNS outbound ACLs

Posted on 2010-11-25
440 Views
Last Modified: 2012-06-21
I've tried many combinations of ACLs for both interfaces but I haven't been successful resolving DNS. If I disable both access-groups, then it works fine. I am pinging from a Windows XP machine. Its IP address is 192.168.1.5 with 8.8.8.8 as the DNS address. What do I need to get this working?

interface FastEthernet0/0
 description internal network
 ip address 192.168.1.3 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 standby 1 ip 192.168.1.4
 standby 1 priority 105
 standby 1 preempt
 standby 1 track FastEthernet1/0
!
interface FastEthernet1/0
 description internet
 ip address 173.x.x.13 255.255.255.248
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 173.x.x.14
ip nat inside source list mylist interface FastEthernet1/0 overload
!
ip access-list extended mylist
 permit ip 192.168.1.0 0.0.0.255 any

access-list 100 permit tcp any host 173.x.x.13 eq 22
access-list 100 permit icmp any host 173.x.x.13 echo
access-list 100 permit icmp any host 173.x.x.13 echo-reply
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip 169.254.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any
access-list 100 deny   ip any any
access-list 101 permit udp any host 224.0.0.2 eq 1985
access-list 101 permit tcp host 192.168.1.3 any eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
Question by: B1izzard

7 Comments
LVL 17

Expert Comment

by:sweetfa2
ID: 34214511
You need to allow access for port 53 for DNS service requests.

Author Comment

by:B1izzard
ID: 34215416
Here is an example of what I have tried adding:

access-list 100 permit tcp any host 173.x.x.13 eq 53
access-list 100 permit udp any host 173.x.x.13 eq 53

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any gt 1023
access-list 101 permit udp 192.168.1.0 0.0.0.255 any gt 1023

If I change access-list 101 to just the following entry and remove the ip access-group 100 from its interface, DNS works:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

If the access-list rules with gt 1023 for both tcp and udp don't work, but permitting ip 192.168.0 0.0.0.255 any works, what is different, as the outgoing ports for DNS should be >1023?

My logic is that outbound tcp and udp ports above 1023 for the 192.168.1.0 subnet will be open, and when returning, port 53 should be open.  It just doesn't work.
LVL 17

Accepted Solution

by: sweetfa2 (earned 250 total points)
ID: 34216040
You only need outbound to the external network. Your DNS server or client will open a connection to port 53. Unless you are managing an internet accessible server within your network you don't need to open an inbound port 53.

Unless you have services running at your end you don't need to open any inbound connections from the internet for you.

From what I can tell however you are opening up your ssh port, your web server, and your https ports.

As to your logic, the first half is correct.  However you have it reversed with port 53 only needing to be open outbound.


So on inbound open ports 22, 80, 443
On outbound open ports 53, 80, and 443 so that your dns and webserver ports can browse the internet.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any eq 53
access-list 100 permit ip 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit ip 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip 192.168.1.0 0.0.0.255 any

That should allow your required out traffic, without anything else being able to go out.  Once you are confident that is working, and that attempts to access external ports other than these fail, then we can work on your inbound.
Author Comment

by:B1izzard
ID: 34218540
I think you have a typo, as the permit ip won't let you specify 'eq 53', only tcp will.  So assuming there is not something wrong with my router I could only do the following:

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

I disabled the access-list on the WAN interface, and I am still unable to ping out.  Keep in mind that I have 8.8.8.8 set as my DNS server, so perhaps this is causing the problem?  I don't have an internal DNS server at the moment, but perhaps I will set one up now to test.

Author Comment

by:B1izzard
ID: 34218875
I just confirmed it. When the internal PC points to DNS externally, it was blocked somehow. When I set up an internal DNS server, and point the PC to it, it does resolve DNS when the gateway is set to the Cisco router. After modifying the ACLs, I was able to get it to work using 8.8.8.8 as the DNS server in XP.

So now the LAN access list is working for resolving, but when I enable access-group 100 in on the WAN side, DNS works, but web browsing does not.  Here is what I have currently for both:

access-list 100 permit tcp any host 173.x.x.13 eq 22
access-list 100 permit tcp any host 173.x.x.13 eq www
access-list 100 permit tcp any host 173.x.x.13 eq 443
access-list 100 permit icmp any host 173.x.x.13 echo
access-list 100 permit icmp any host 173.x.x.13 echo-reply
access-list 100 permit tcp any host 173.x.x.13 eq domain
access-list 100 permit udp any host 173.x.x.13 eq domain
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip 169.254.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any
access-list 100 deny   ip any any
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any gt 1023
access-list 101 permit udp 192.168.1.0 0.0.0.255 any gt 1023
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 deny   ip any any

Do you see anything that would stop web browsing?
LVL 42

Assisted Solution

by: kevinhsieh (earned 250 total points)
ID: 34219103
DNS primarily runs over UDP, and occasionally over TCP. Are you able to get out using TCP services? It looks like access-list 100 is blocking all return TCP traffic.

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq domain
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq domain   <--- you need UDP!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 101 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 100 deny   ip 192.168.0.0 0.0.255.255 any     <--- better to put your deny before your accept
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any
access-list 100 deny   ip 224.0.0.0 31.255.255.255 any
access-list 100 deny   ip 169.254.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any
access-list 100 permit tcp any host 173.x.x.13 eq 22
access-list 100 permit icmp any host 173.x.x.13 echo
access-list 100 permit icmp any host 173.x.x.13 echo-reply
access-list 100 permit udp any eq domain any             <--- permit the DNS reply
access-list 100 permit tcp any any established            <--- permit return TCP packets if the session was initiated from the inside
access-list 100 deny   ip any any
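Added example (written for this page, not code from any of the posters): a small Python evaluator for the subset of IOS extended-ACL syntax used in this thread, run over constructed packets for the DNS query from 192.168.1.5, its reply, and a TCP return packet. It shows why the author's `any gt 1023` line (a destination-port test, so it never matches a query to port 53) and the inbound `host 173.x.x.13 eq domain` line (replies arrive with source port 53 and a high destination port) both fail, why `established` is what lets HTTP replies back in, and why kevinhsieh's RFC 1918 deny must sit ahead of `permit udp any eq domain any`. The function names, 203.0.113.13 (standing in for the redacted 173.x.x.13) and 198.51.100.9 are my own assumptions.

```python
import ipaddress

# Constructed evaluator for the IOS extended-ACL subset used in this thread:
# ip/tcp/udp, any|host|wildcard addresses, eq/gt port tests, "established".
PORT_NAMES = {"domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)
def _addr(t):  # any | host A.B.C.D | A.B.C.D WILDCARD  ->  ((net, wildcard), rest)
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (int(ipaddress.ip_address(t[1])), 0), t[2:]
    return (int(ipaddress.ip_address(t[0])), int(ipaddress.ip_address(t[1]))), t[2:]
def _port_op(t):  # optional "eq|gt PORT" that follows an address spec
    if t and t[0] in ("eq", "gt"):
        return (t[0], PORT_NAMES.get(t[1]) or int(t[1])), t[2:]
    return None, t
def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        t = t[2:] if t[0] == "access-list" else t  # drop a leading "access-list N"
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t); sop, t = _port_op(t)   # operator after SRC = source port
        dst, t = _addr(t); dop, t = _port_op(t)   # operator after DST = destination port
        rules.append((action, proto, src, sop, dst, dop, "established" in t))
    return rules

def _in(ip, spec):  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])
def _port_ok(op, port):
    return op is None or (port == op[1] if op[0] == "eq" else port > op[1])

def evaluate(rules, pkt):  # first match wins, implicit deny at the end, as on IOS
    for action, proto, src, sop, dst, dop, est in rules:
        if proto not in ("ip", pkt["proto"]): continue
        if not (_in(pkt["src"], src) and _in(pkt["dst"], dst)): continue
        if proto != "ip" and not (_port_ok(sop, pkt["sport"]) and _port_ok(dop, pkt["dport"])): continue
        if est and not pkt.get("ack"): continue  # "established" = ACK (or RST) bit set
        return action
    return "deny"

# Constructed packets; 203.0.113.13 (TEST-NET-3) stands in for the redacted 173.x.x.13.
# Replies hit Fa1/0 after NAT with source port 53/80 and the client's high port as destination.
DNS_QUERY = dict(proto="udp", src="192.168.1.5", sport=54321, dst="8.8.8.8", dport=53)
DNS_REPLY = dict(proto="udp", src="8.8.8.8", sport=53, dst="203.0.113.13", dport=54321)
HTTP_REPLY = dict(proto="tcp", src="198.51.100.9", sport=80, dst="203.0.113.13", dport=54322, ack=True)
ACL100_FINAL = """deny ip 192.168.0.0 0.0.255.255 any
permit udp any eq domain any
permit tcp any any established
deny ip any any"""
```

Feed it the lines from the thread to see which packet each ACL version drops; an inbound packet claiming a 192.168.x.x source with source port 53 is denied only while the RFC 1918 deny precedes the DNS-reply permit.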

Author Closing Comment

by:B1izzard
ID: 34219215
Thanks for the assistance.  DNS is working, and the http is now working with the entry:
access-list 100 permit tcp any any established