RE: Extended ACLs - DNS Resolution

From: Maljure, Sanjay (smaljure@xxxxxxxxxxxxxxxxx)
Date: Thu Mar 23 2000 - 15:39:32 GMT-3


Hi Angela,

Your access-list 105 is applied inbound on s0/0. Hence it will affect only
packets coming into s0/0.
And your NAT pool for the inside-to-outside translation is:

!
ip nat pool internet 208.50.222.30 208.50.222.30 netmask 255.255.255.252
!

So a packet sourced from any host on the ethernet interface (inside) would
get translated to a source address of 208.50.222.30

Which means

access-list 105 permit udp any eq domain host 208.50.222.30

should allow the DNS query replies to come back to the translated address. You
can change the entries for ICMP, TCP (established), etc. to use the 208.50.222.30
address.

Of course, if you try domain name resolution from the router, then the DNS query
will be sourced with the IP address of S0/0 (207.50.37.34) and you would need
to allow inbound UDP access to this address.

Hope this is helpful.

Sanjay

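To make the reply's point concrete, here is an added example (not code from either poster) that parses the extended-ACL lines quoted from Angela's configuration below and evaluates them against a constructed DNS reply, first as posted and then with the entry Sanjay proposes. It models the IOS first-match semantics with the implicit deny at the end, and only the subset of ACL syntax the page uses (any/host/wildcard addresses, eq/gt port operators, established, ICMP type names). The sample packets are constructed: the ephemeral port 1234 and the web-server address 198.51.100.7 are made up, and the extra entry permitting replies to the S0/0 address (208.50.237.34, as in the posted config) is this example's own generalization of Sanjay's remark about router-sourced lookups, not something he wrote.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53}  # the only well-known port name the posted ACL uses


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp", "tcp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sop: Optional[str]           # source port operator: "eq", "gt" or None
    sport: Optional[int]
    dop: Optional[str]           # destination port operator
    dport: Optional[int]
    flag: Optional[str]          # "established" for TCP, or an ICMP type name


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flag: Optional[str] = None   # "established" (TCP ACK set) or ICMP type name


def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, next index).
    Wildcard masks are assumed contiguous, which holds for every entry on the page."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(tok[i + 1]))
    prefix = bin(0xFFFFFFFF ^ wild).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq NAME|N' or 'gt N' -> (operator, port, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        p = tok[i + 1]
        return tok[i], PORT_NAMES.get(p) or int(p), i + 2
    return None, None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny proto src [port] dst [port] [flag]' line."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sop, sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dop, dport, i = _parse_port(tok, i)
    flag = tok[i] if i < len(tok) else None
    return Ace(action, proto, src, dst, sop, sport, dop, dport, flag)


def _port_ok(op, want, have):
    if op is None:
        return True
    return have == want if op == "eq" else have > want


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and _port_ok(ace.sop, ace.sport, pkt.sport)
            and _port_ok(ace.dop, ace.dport, pkt.dport)
            and (ace.flag is None or ace.flag == pkt.flag))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# Access-list 105 exactly as it appears in the posted configuration.
PAGE_ACL = [parse_ace(l) for l in """
access-list 105 deny ip 208.50.222.28 0.0.0.3 any
access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 traceroute
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo-reply
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 ttl-exceeded
access-list 105 permit udp any host 208.50.237.34 eq domain
access-list 105 permit icmp any host 208.50.237.34 echo
access-list 105 permit icmp any host 208.50.237.34 echo-reply
access-list 105 permit icmp any host 208.50.237.34 ttl-exceeded
""".strip().splitlines()]

# Sanjay's proposed entry: match the server's SOURCE port 53 towards the NAT pool address.
FIXED_ACL = PAGE_ACL + [parse_ace("access-list 105 permit udp any eq domain host 208.50.222.30")]
# This example's generalization for lookups the router itself sources from S0/0 (assumption).
ROUTER_FIXED_ACL = FIXED_ACL + [parse_ace("access-list 105 permit udp any eq domain host 208.50.237.34")]

# Constructed samples: a reply from the first name server in the config to the translated
# inside address (ephemeral port 1234 is made up), the same reply to the router's own S0/0
# address, and a web server's reply inside an established TCP session for comparison.
DNS_REPLY_TO_NAT = Packet("udp", "206.165.5.10", "208.50.222.30", sport=53, dport=1234)
DNS_REPLY_TO_ROUTER = Packet("udp", "206.165.5.10", "208.50.237.34", sport=53, dport=1234)
TCP_REPLY_TO_NAT = Packet("tcp", "198.51.100.7", "208.50.222.30", sport=80, dport=40000,
                          flag="established")

if __name__ == "__main__":
    for name, pkt in [("dns->nat", DNS_REPLY_TO_NAT), ("dns->router", DNS_REPLY_TO_ROUTER),
                      ("tcp->nat", TCP_REPLY_TO_NAT)]:
        print(f"{name:12} posted={evaluate(PAGE_ACL, pkt)} "
              f"fixed={evaluate(FIXED_ACL, pkt)} router_fixed={evaluate(ROUTER_FIXED_ACL, pkt)}")
```

Running it shows why the posted list breaks resolution: `permit udp any any eq domain` tests the destination port, but a DNS reply carries port 53 as its source and an ephemeral destination port, so the reply hits the implicit deny while an established TCP reply to the same translated address is permitted by the second entry. The same destination-port mistake sits in the `host 208.50.237.34 eq domain` entry for lookups sourced by the router itself, which is why that case needs its own source-port entry.
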
I am having trouble figuring out what I have wrong on this access-list that
won't allow DNS to resolve names based on the servers I have listed. I can
ping the servers and without the access-list, I can resolve names, but once I
invoke it, it breaks ... config below:
!
ip subnet-zero
ip tcp synwait-time 5
ip name-server 206.165.5.10
ip name-server 206.165.50.10

ip audit notify log
ip audit po max-events 100
!
!
process-max-time 200
!
interface Loopback0
 ip address 208.50.222.29 255.255.255.252
 no ip directed-broadcast
 ip nat inside
!
interface Ethernet0/0
 description Local LAN
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 description Serial Internet Link
 bandwidth 384
 ip address 208.50.237.34 255.255.255.252
 ip access-group 105 in
 no ip directed-broadcast
 ip nat outside
 ip access-group 105 in
 no ip mroute-cache
 no fair-queue
 down-when-looped
!
ip nat pool internet 208.50.222.30 208.50.222.30 netmask 255.255.255.252
ip nat inside source list 1 pool internet overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 105 deny ip 208.50.222.28 0.0.0.3 any
access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 traceroute
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo-reply
access-list 105 permit icmp any 208.50.222.28 0.0.0.3 ttl-exceeded
access-list 105 permit udp any host 208.50.237.34 eq domain
access-list 105 permit icmp any host 208.50.237.34 echo
access-list 105 permit icmp any host 208.50.237.34 echo-reply
access-list 105 permit icmp any host 208.50.237.34 ttl-exceeded
!
line con 0
 password pnc
 login
 transport input none
line aux 0
 password pnc
 login
 modem InOut
 modem autoconfigure type usr_sportster
 transport input all
 speed 115200
 flowcontrol hardware
line vty 0 4
 password pnc
 login

--
Angela Ledford CCNP-CVOICE, CCNA
Network Engineer
Pathfinders Networking Corporation

aledford@pathnet.com http://www.pathfindersnetworking.com/



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:06 GMT-3